Drift Protocol Drained for $285M in Sophisticated Governance Attack
Solana's Drift Protocol lost $285M to a months‑long social engineering exploit blamed on North Korea. Attackers built real relationships, created a fake oracle token, and drained vaults in 12 minutes. The hack crashed DRIFT by 40%, wiped half the TVL, and briefly paused a dozen Solana protocols.
Quick Take
North Korea‑linked attackers used a fake token to manipulate Drift oracles
Pre‑signed durable nonce transactions drained 31 vaults in 12 minutes
Schwab confirms spot BTC and ETH trading for its $12T client base this quarter
Circle bridged $232M USDC off Solana via CCTP amid freezing controversy
Market Impact Analysis
NeutralThe massive exploit is bearish for Solana DeFi, but Schwab’s spot crypto launch is a major institutional bullish signal, creating conflicting pressures.
Speculation Analysis
Key Takeaways
- North Korean actors exploited Drift Protocol's governance through a six-month social engineering campaign.
- Attackers drained $285M in 12 minutes using a fake token and pre-signed durable nonce transactions.
- DRIFT token price plunged over 40% and total value locked halved to under $250 million.
- $232 million in USDC was quickly bridged to Ethereum, raising questions about Circle's freeze response.
- Schwab's entry into spot crypto trading for its $12.2 trillion client base signals growing institutional embrace.
What Happened
On April 1, Drift Protocol—Solana's largest decentralized perpetual exchange—suffered a $285 million governance attack. Elliptic and TRM Labs attributed the exploit to North Korea's Lazarus Group, marking the 18th such incident linked to the DPRK in 2026. Over six months, attackers posed as a quantitative trading firm, attending crypto conferences and cultivating personal relationships with Drift insiders. This access allowed them to socially engineer multisig signers into pre-approving dormant transactions. When activated, these transactions drained 31 vaults in a fully automated 12-minute spree. The operation relied on a fabricated token to manipulate price oracles, bypassing collateral checks. The scale and sophistication surpass most DeFi hacks, rivaling the 2022 Wormhole bridge exploit in Solana's history.
The Numbers
The attack extracted $285 million, primarily in USDC, making it the largest DeFi exploit of 2026. Over 31 rapid withdrawals executed the draining, leveraging pre-signed durable nonces. DRIFT's token price plummeted over 40% immediately, and total value locked (TVL) on Drift crashed from approximately $550 million to below $250 million. Roughly $232 million in USDC was bridged to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP) within hours, raising flags about speed of asset movement. In comparison, the 2022 Wormhole hack cost $326 million, placing Drift second among Solana breaches.
Why It Happened
The exploit succeeded through a combination of long-term social engineering and technical manipulation. Attackers spent months building trust with Drift contributors in person at industry events, eventually gaining sufficient sway to coax multisig signers into approving hidden transactions. They exploited Solana's durable nonce feature, which kept authorizations valid for weeks, allowing them to trigger the drain at a chosen moment. Simultaneously, they created a sham token (CarbonVote/CVT) with thin liquidity, wash-traded it to simulate activity, and then used it as collateral. Drift's oracles were deceived into valuing this token at hundreds of millions, enabling massive borrowing. This attack underscores the human vulnerability in decentralized governance and the risks of oracle dependency.
Broader Impact
The fallout rippled across Solana's DeFi ecosystem: a dozen protocols that rely on Drift paused operations, chilling activity. Circle's role attracted scrutiny after $232 million in USDC was bridged off Solana so swiftly; while Circle states it only freezes assets under legal compulsion, critics argued faster intervention could have mitigated losses. Countering the bearish sentiment, Charles Schwab confirmed plans to launch spot Bitcoin and Ether trading this quarter for its $12.2 trillion client base, a bullish institutional signal that may offset DeFi jitters.
What to Watch Next
- Drift's governance will likely undergo emergency overhauls; monitor proposals for multisig restructuring and oracle reforms.
- Circle may face increased pressure to implement proactive freeze mechanisms, potentially reshaping stablecoin policies.
- Schwab's spot crypto rollout could accelerate mainstream adoption; watch for exact launch dates and initial volumes.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
