Governance Hack on April 1 Drains Up to $285 Million From Drift and Exposes DeFi Weaknesses
At 16:05:18 UTC on April 1, a sequence of pre-signed governance transactions gave an attacker control of Drift Protocol, a Solana-based perpetuals exchange. Within hours the attacker drained an estimated $270 million to $285 million from the protocol — one of the largest thefts on Solana in 2026.
How the attack unfolded
Drift confirmed on April 1 that it was facing “an active attack,” saying it had halted deposits and withdrawals and was working with “security firms, bridges, and exchanges to contain the incident.” The protocol's post on X added: “This is not an April Fools joke.”
A Chainalysis reconstruction, published April 9, says the attacker spent weeks targeting the people who controlled Drift rather than exploiting a code bug. By using Solana’s “durable nonce” feature, the attacker persuaded members of Drift’s Security Council to pre-sign administrative transactions between March 23 and March 30. An ordinary Solana transaction references a recent blockhash and becomes invalid after a short window (on the order of a minute); a durable nonce replaces that blockhash with a value stored in a nonce account, so a signed transaction stays valid until the nonce is advanced and can be broadcast long after it was signed. Chainalysis says the attacker collected those pre-signed transactions and triggered one on April 1 that reassigned privileged admin rights to a wallet the attacker controlled.
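The validity rule that made the pre-signed transactions usable a week later can be shown with a small model. The following is an added illustration, not Drift or Solana code: it mimics the two validity rules in simplified form (the blockhash window, nonce values and slot numbers are constructed, not real network parameters) and ends with the defensive corollary that matters to a signer, namely that advancing a nonce account invalidates everything pre-signed against its old value.

```python
"""Toy model of ordinary vs. durable-nonce transaction validity on Solana.

Added illustration, not Drift or Solana code. Two simplified rules:
  * an ordinary transaction carries a recent blockhash and is rejected
    once that blockhash is older than a short window;
  * a durable-nonce transaction carries the value stored in a nonce
    account and stays valid until that account is advanced.
Constants below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

BLOCKHASH_WINDOW = 150  # constructed: slots after which a blockhash is stale


@dataclass
class NonceAccount:
    owner: str
    value: str  # the nonce the signer embeds in the transaction

    def advance(self, new_value: str) -> None:
        """Rotate the stored nonce; pre-signed transactions no longer match."""
        self.value = new_value


@dataclass
class SignedTx:
    signer: str
    action: str
    signed_at_slot: int
    recent_blockhash: Optional[str] = None       # ordinary transaction
    nonce_account: Optional[NonceAccount] = None  # durable-nonce transaction
    nonce_value: Optional[str] = None             # nonce captured at signing


def is_valid(tx: SignedTx, current_slot: int, blockhashes: Dict[str, int]) -> bool:
    """Return True if the chain would accept tx when broadcast at current_slot."""
    if tx.nonce_account is not None:
        # Durable nonce: valid whenever the stored nonce still matches,
        # no matter how long ago the transaction was signed.
        return tx.nonce_account.value == tx.nonce_value
    # Ordinary transaction: the referenced blockhash must still be recent.
    produced_at = blockhashes.get(tx.recent_blockhash)
    if produced_at is None:
        return False
    return current_slot - produced_at <= BLOCKHASH_WINDOW


def scenario() -> Dict[str, bool]:
    """Sign two admin transactions early, then try to broadcast them much later."""
    blockhashes = {"bh_slot_1000": 1000}
    nonce = NonceAccount(owner="council_member_1", value="nonce_A")

    ordinary = SignedTx("council_member_1", "set_admin", 1000,
                        recent_blockhash="bh_slot_1000")
    durable = SignedTx("council_member_1", "set_admin", 1000,
                       nonce_account=nonce, nonce_value=nonce.value)

    later = 1000 + 1_500_000  # constructed: far outside the blockhash window
    result = {
        "ordinary_still_valid": is_valid(ordinary, later, blockhashes),
        "durable_still_valid": is_valid(durable, later, blockhashes),
    }
    # Mitigation available to the signer: advancing the nonce account
    # invalidates every transaction pre-signed against the old value.
    nonce.advance("nonce_B")
    result["durable_valid_after_advance"] = is_valid(durable, later, blockhashes)
    return result


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The model shows why a durable-nonce transaction signed on March 23 could still execute on April 1, and why a signer who suspects an outstanding pre-signed transaction can neutralize it by advancing the nonce rather than waiting for it to expire.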
With admin control, the attacker changed configuration parameters: they whitelisted a fake token (reported as CVT), made it eligible as collateral, and borrowed heavily against Drift’s real assets. Over roughly two hours the attacker emptied the protocol’s vaults.
The haul and the bridge to Ethereum
Chainalysis estimates total losses at about $285 million across at least 18 assets, including roughly $71.4 million in USDC, $159.3 million in Jupiter Liquidity Pool tokens (JLP), $11.3 million in Coinbase-wrapped Bitcoin (cbBTC), and smaller amounts of USDT, WETH and WBTC. The drain erased more than half of Drift’s total value locked.
On-chain trackers report the attacker converted much of the stolen value into USDC on Solana and then moved roughly $230–232 million of that USDC to Ethereum using Circle’s Cross-Chain Transfer Protocol (CCTP). Those transfers — more than 100 transactions over several hours — followed the standard CCTP pattern: USDC burned on Solana, Circle attests, and equivalent USDC minted on Ethereum. The first bridged assets reached Ethereum about 23 minutes after the attacker seized admin control.
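The burn-attest-mint stream described above is visible on both chains while it is happening, which is what makes velocity monitoring possible. The following added example (not Circle's or Drift's code) runs a simple sliding-window rule over a constructed log of burn events: a single depositor moving more than a threshold amount, or more than a threshold number of transfers, within one hour is flagged for review. Thresholds, addresses and amounts are constructed.

```python
"""Flag an abnormal burst of cross-chain bridge transfers (added example).

Not Circle's or Drift's code. Runs a velocity rule over constructed
burn events of the shape the article describes (USDC burned on one
chain, to be minted on another). All thresholds and events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

WINDOW_SECONDS = 3600           # constructed: 1 hour sliding window
AMOUNT_THRESHOLD = 50_000_000   # constructed: $50M per depositor per window
COUNT_THRESHOLD = 20            # constructed: 20 transfers per window


@dataclass
class BurnEvent:
    ts: int           # unix seconds
    depositor: str    # source address on the burning chain
    amount: float     # USDC
    message_id: str   # constructed identifier for the bridge message


def detect_bursts(events: List[BurnEvent]) -> Dict[str, dict]:
    """Return the first point at which each depositor breaches a velocity rule."""
    windows = defaultdict(deque)   # depositor -> deque of (ts, amount)
    totals = defaultdict(float)    # depositor -> running total inside window
    alerts: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = windows[ev.depositor]
        q.append((ev.ts, ev.amount))
        totals[ev.depositor] += ev.amount
        # Evict events that have fallen out of the sliding window.
        while q and ev.ts - q[0][0] > WINDOW_SECONDS:
            _, old = q.popleft()
            totals[ev.depositor] -= old
        if ev.depositor in alerts:
            continue  # already flagged; keep the first breach as the record
        if totals[ev.depositor] > AMOUNT_THRESHOLD or len(q) > COUNT_THRESHOLD:
            alerts[ev.depositor] = {
                "at": ev.ts,
                "message_id": ev.message_id,
                "window_total": round(totals[ev.depositor], 2),
                "window_count": len(q),
            }
    return alerts


def constructed_events() -> List[BurnEvent]:
    """Constructed sample: one routine depositor and one burst depositor."""
    base = 1_700_000_000
    events = []
    # Routine depositor: five small transfers spread across a day.
    for i in range(5):
        events.append(BurnEvent(base + i * 4 * 3600, "routine_addr", 250_000.0, f"r{i}"))
    # Burst depositor: thirty large transfers inside forty minutes.
    for i in range(30):
        events.append(BurnEvent(base + i * 80, "burst_addr", 8_000_000.0, f"b{i}"))
    return events


if __name__ == "__main__":
    for addr, info in detect_bursts(constructed_events()).items():
        print(addr, info)
```

With the constructed data the burst depositor is flagged on its seventh transfer, when the hourly total first exceeds the amount threshold; the routine depositor never trips either rule. A real deployment would key the same logic to the issuer's or bridge's own event feed and pair an alert with a review step rather than an automatic action.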
Once the funds arrived on Ethereum, the attacker began converting minted USDC into ether and other assets, a step that reduces the ability of a centralized issuer to intervene, though it does not remove that possibility entirely.
Questions about Circle and centralized controls
The heavy use of USDC and CCTP has renewed scrutiny of Circle, the stablecoin issuer, and its ability to freeze or blacklist addresses. Circle’s past actions — including freezes tied to sanctions and to the 2022 Tornado Cash designation — show it can act on certain requests. Several blockchain investigators publicly questioned why Circle did not move faster to stop or slow the attacker’s visible stream of USDC burns on Solana and mints on Ethereum.
As of April 10, Circle has not issued a widely circulated, incident-specific public timeline describing when it was alerted, what requests it received, or how it evaluated any freeze options in response to the Drift theft.
Security firms and analytics companies have pointed to this case to argue for additional technical safeguards: automated circuit breakers that pause abnormal admin actions, intent-based checks that flag mismatched or unexpected transactions, and stricter timelocks on governance operations.
Attribution and wider implications
Chainalysis and other forensic firms say the operation’s staging, target selection and on-chain behavior are consistent with past campaigns linked to North Korean (DPRK) actors. Chainalysis characterized the attack as “likely linked to North Korean (DPRK) actors” while noting that this is an analytical judgment, not a legal attribution. No law enforcement agency has publicly attributed the hack.
If nation-state actors are involved, the theft could feed a long-running cycle of evasive laundering and sanctions enforcement, and test how quickly private companies and centralized issuers act to contain illicit flows.
For Drift users, the immediate questions are practical: the protocol remains paused and many traders face uncertainty about deposits and leveraged positions. Because the attacker targeted core asset pools rather than a single product, potential losses could be broad and recovery uncertain.
What this means for DeFi
The Drift incident underscores a shift in where risk in decentralized finance often resides. Earlier major hacks frequently exploited smart-contract bugs. In this case, the contracts appear to have worked as written; instead, governance processes and operational safeguards failed. Chainalysis highlighted a recent migration of Drift’s multisig to a 2-of-5 threshold without a timelock, which removed an important buffer and, combined with pre-signed durable nonces, let a single broadcast reassign protocol control.
Security vendors are urging protocols to harden operational setups: increase multisig thresholds for critical actions, restore timelocks so large changes cannot take effect instantly, and add systems — on- or off-chain — that verify whether administrative transactions match expected intent.
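The three safeguards named in this article and in the earlier paragraph on circuit breakers, intent checks and timelocks can be combined into one policy check on queued governance actions. The following added example is not Drift's code: it models a higher approval threshold for critical actions, a minimum delay between queuing and execution, and an intent allowlist for admin keys and collateral tokens, then runs the check over constructed proposals. The action names, member ids, thresholds and allowlisted values are constructed; "CVT" is the token symbol reported in the article.

```python
"""Policy check for privileged admin actions (added example, not Drift's code).

Models three operational safeguards on a constructed stream of proposals:
  * threshold: critical actions need more approvals than routine ones;
  * timelock: an action may execute only after a minimum delay from when
    it was queued, so a single broadcast cannot take effect instantly;
  * intent check: the action's parameters must match a pre-declared
    allowlist (expected admin keys, approved collateral tokens).
Every constant and sample value below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

CRITICAL_ACTIONS = {"set_admin", "whitelist_collateral"}
ROUTINE_THRESHOLD = 2             # constructed: 2-of-5 for routine changes
CRITICAL_THRESHOLD = 4            # constructed: 4-of-5 for privileged changes
MIN_TIMELOCK_SECONDS = 48 * 3600  # constructed: 48 hour delay

# Constructed intent allowlist: what each critical action is allowed to target.
EXPECTED_INTENT: Dict[str, Set[str]] = {
    "set_admin": {"known_admin_1", "known_admin_2"},
    "whitelist_collateral": {"USDC", "SOL", "JLP"},
}


@dataclass
class Proposal:
    action: str
    target: str         # new admin key, token to whitelist, or other parameter
    queued_at: int      # unix seconds when the proposal was queued
    approvals: Set[str]  # ids of signers who approved
    execute_at: int     # unix seconds when execution is requested


def check_proposal(p: Proposal) -> List[str]:
    """Return policy violations for one proposal; an empty list means it may execute."""
    findings: List[str] = []
    needed = CRITICAL_THRESHOLD if p.action in CRITICAL_ACTIONS else ROUTINE_THRESHOLD
    if len(p.approvals) < needed:
        findings.append(f"threshold: {len(p.approvals)} approvals, {needed} required")
    if p.execute_at - p.queued_at < MIN_TIMELOCK_SECONDS:
        findings.append("timelock: execution before minimum delay")
    expected = EXPECTED_INTENT.get(p.action)
    if expected is not None and p.target not in expected:
        findings.append(f"intent: {p.action} targets unexpected value {p.target!r}")
    return findings


def review(proposals: List[Proposal]) -> Dict[int, List[str]]:
    """Check every proposal and return findings keyed by its position."""
    return {i: check_proposal(p) for i, p in enumerate(proposals)}


T0 = 1_000_000  # constructed queue time
SAMPLE = [  # constructed proposals
    # routine change, enough approvals, past the timelock: passes
    Proposal("update_fee_tier", "tier_3", T0, {"m1", "m2"}, T0 + 49 * 3600),
    # admin handover to an unknown key, 2 approvals, immediate: fails all three
    Proposal("set_admin", "unknown_wallet_x", T0, {"m1", "m2"}, T0 + 60),
    # well-approved and delayed, but the token is not on the allowlist
    Proposal("whitelist_collateral", "CVT", T0, {"m1", "m2", "m3", "m4"}, T0 + 49 * 3600),
]

if __name__ == "__main__":
    for idx, findings in review(SAMPLE).items():
        print(idx, SAMPLE[idx].action, findings or "ok")
```

The second proposal is the shape of change the article describes, an admin reassignment pushed through at a low threshold with no delay, and it fails on all three rules; the third shows that even a well-approved, delayed action should still be stopped when its target does not match declared intent.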
The case also foregrounds tensions in modern DeFi: protocols rely on centralized stablecoins and bridges for liquidity and cross-chain movement, yet those centralized services have discretionary powers that can materially affect outcomes during attacks. How and when those powers are used, and what safeguards platforms must maintain, are likely to be central questions for developers, market participants and regulators in the coming months.
Looking ahead
Investigations by Chainalysis and other analytics firms are ongoing, and exchanges and law enforcement are continuing to track the flows. The Drift exploit will likely prompt audits of governance processes across DeFi and renewed calls for industry-level standards to reduce the odds that operational procedures, rather than code vulnerabilities, enable large-scale thefts.
For now, the incident is a reminder that decentralization on paper can still hinge on a small set of human decisions — and that attackers are increasingly exploiting those human and governance edges.