Drift's "April Fools" theft exceeds $280 million: hacker intrusion or inside job?

Shaw, Golden Finance

On April 2, the derivatives trading platform Drift Protocol suffered a security incident, with on-chain data showing losses exceeding $285 million. The project team said it has discovered abnormal activity and is investigating, urging users not to deposit funds into the protocol for the time being, and emphasizing, “This is not an April Fools’ joke.”

The attack involved multiple liquidity pools, including JLP Delta Neutral, SOL Super Staking, BTC Super Staking, and others. In a single transaction, about 41.7 million JLP tokens were transferred, worth approximately $155 million. In addition, assets such as SOL, USDC, cbBTC, and wBTC were also withdrawn.

According to statistics, in terms of scale the incident may become one of the largest DeFi attacks in the Solana ecosystem since the Wormhole bridge exploit.

I. Latest developments on the Drift Protocol being attacked

On April 1, 2026, Eastern Time, Solana’s decentralized derivatives protocol Drift Protocol suffered a major hacker attack. The stolen assets totaled about $285 million and mainly comprised about 41.7 million JLP tokens worth $155.6 million, along with various other assets such as USDC, SOL, cbBTC, and wBTC. The incident became the second-largest attack in Solana’s history and one of the largest attacks in DeFi history.

Soon after, Drift Protocol’s official account published a post on a social platform confirming: “Drift Protocol is under attack. Deposit and withdrawal functions have been paused. We are working with multiple security organizations, cross-chain bridges, and exchanges to fully control the situation. This is not an April Fools’ joke. More information will be released on this account as soon as possible.”

The attack began in the early hours of April 2. The on-chain monitoring platform PeckShield issued an alert: the Drift main vault address had started transferring large sums to a newly created wallet, HkGz4K. The first batch of tokens withdrawn was mainly JLP (Jito Liquidity Provider) tokens, worth approximately $155 million, followed by USDC, SOL, cbBTC, wBTC, WETH, and some meme coins. PeckShield data shows that within a short time, total asset outflows reached $285 million.

According to Yujin monitoring, the $285 million in assets stolen from Drift has already been converted into 129,000 ETH (about $278 million). Over the past few hours, the hacker sold the assets in various ways, bridged the proceeds to Ethereum, and bought ETH there. The $285 million in assets stolen on Solana has now become 129,066 ETH on the Ethereum chain.

In addition, the SlowMist security team posted on social media stating that, currently, the stolen funds have basically been consolidated into the following Ethereum addresses: 0x0fe3b6908318b1f630daa5b31b49a15fc5f6b674, 0xd3feed5da83d8e8c449d6cb96ff1eb06ed1cf6c7, 0xaa843ed65c1f061f111b5289169731351c5e57c1, total: 105,969 ETH (about $226 million).

II. Interpretation of the Drift Protocol attack—did the project team “rob itself”?

This attack was a carefully planned combination of a privilege compromise and price manipulation. The key point is that after stealing the admin privileges, the hacker forged tokens and manipulated oracles to break through the withdrawal limits instantly and drain the protocol’s treasury. By obtaining the admin private key, the hacker disabled the protocol’s core risk controls (withdrawal limits), then used fake collateral to withdraw funds from the liquidity pools in batches, and completed the money laundering by transferring the assets across chains.

Regarding the incident where assets were stolen due to the Drift Protocol being attacked, SlowMist founder Yu Xian posted an analysis indicating that one week before the attack, Drift adjusted its multisig mechanism to “2/5” (1 old signer + 4 new signers) and did not set a timelock. Afterward, the attacker gained admin privileges, forged CVT tokens, manipulated the oracle, shut down security mechanisms, and transferred high-value assets out of the liquidity pool.

Chaos Labs co-founder Omer Goldberg also posted on social media, saying that a week ago, Drift migrated to a new multisig wallet created by one of the signers from the old multisig, and that this signer did not add itself to the new signer list. The attacker simultaneously initiated a proposal in the old multisig to transfer admin privileges to this new wallet. The new multisig has 5 signers in total: only 1 is from the original team, and the other 4 are all entirely new addresses. The wallet was set with a 2/5 multisig threshold and no timelock (0-second delay). In the early hours of April 2, the sole original signer initiated a proposal via the new multisig to change Drift’s admin privileges. One new signer co-signed within one second, instantly meeting the 2/5 threshold. Because there was no timelock, the transaction executed immediately.
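The configuration weaknesses described in the two analyses above (2/5 threshold, 0-second timelock, four previously unseen signers, quorum reached in about a second) can each be checked mechanically before and after a governance migration. The following is an added example, not code from Drift, SlowMist, or Chaos Labs; the signer names, timestamps, size of the old multisig, and the policy values (24-hour timelock, 1-hour review window) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Multisig:
    signers: frozenset
    threshold: int
    timelock_s: int  # delay between quorum and execution

def audit_migration(old, new, min_timelock_s=24 * 3600):
    """Flag risky properties of a multisig about to receive admin rights (policy value assumed)."""
    carried = old.signers & new.signers  # signers already vetted in the old multisig
    fresh = new.signers - old.signers    # addresses with no history in the old multisig
    checks = [
        (new.timelock_s < min_timelock_s, "TIMELOCK_BELOW_POLICY"),
        (2 * new.threshold <= len(new.signers), "THRESHOLD_NOT_MAJORITY"),
        (len(fresh) >= new.threshold, "UNVETTED_SIGNERS_REACH_QUORUM"),
        (len(carried) < new.threshold, "KNOWN_SIGNERS_CANNOT_REACH_QUORUM"),
    ]
    return [name for hit, name in checks if hit]

def quorum_latency_s(cfg, approvals):
    """Seconds from the first valid approval to the threshold-th distinct one, or None."""
    first_seen = {}
    for signer, ts in sorted(approvals, key=lambda a: a[1]):
        if signer in cfg.signers:  # ignore approvals from non-members
            first_seen.setdefault(signer, ts)
    times = sorted(first_seen.values())
    if len(times) < cfg.threshold:
        return None
    return times[cfg.threshold - 1] - times[0]

def audit_admin_proposal(cfg, approvals, min_review_s=3600):
    """Alert when an admin-changing proposal reaches quorum faster than a human could review it."""
    latency = quorum_latency_s(cfg, approvals)
    findings = []
    if latency is not None and latency < min_review_s:
        findings.append("QUORUM_FASTER_THAN_REVIEW_WINDOW")
        if cfg.timelock_s == 0:
            findings.append("EXECUTES_IMMEDIATELY")
    return findings

# Constructed sample. From the article: 2-of-5, one carried-over signer, four new signers,
# 0-second timelock, co-sign within one second. Names, times and OLD's shape are made up.
OLD = Multisig(frozenset({"old-A", "old-B", "old-C"}), 2, 0)
NEW = Multisig(frozenset({"old-B", "new-1", "new-2", "new-3", "new-4"}), 2, 0)
APPROVALS = [("old-B", 1_000_000.0), ("new-3", 1_000_001.0)]
if __name__ == "__main__":
    print(audit_migration(OLD, NEW))
    print(audit_admin_proposal(NEW, APPROVALS))
```

Run against the constructed sample, every migration check fires, and the proposal check flags both the one-second quorum and the immediate execution.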

In addition, rumors circulated in the community that a core member of the Drift team left the team about a month ago, but this has not been officially confirmed and lacks evidence. At present, it is only speculation spread in the X (Twitter) community. No specific names have been given, and neither mainstream media nor Drift officials have confirmed it. Nothing in mainstream news or Drift’s official statements mentions any team member leaving a month ago.

Nevertheless, the possibility of “robbing itself” is indeed the most talked-about and most suspicious direction in the community at present, and to some it seems even more logical than an “external hacker intrusion.” The team’s earlier adjustment of the multisig mechanism made the permission structure “too convenient for attack,” which does not look accidental. The attack method “was too familiar with internal logic,” which does not resemble an external hacker’s style. Moreover, the official response to such a massive theft was unusually calm. After the assets were stolen, the fund flow was very clean and clear (quickly swapped for ETH and bridged across chains), with no inflow to a centralized exchange where the funds would be easy to freeze. Taken together, the course of the incident and its operational logic have intensified the community’s suspicions that Drift was “robbing itself.”

III. Relevant parties and reactions from the crypto community

After the Drift Protocol assets were stolen, relevant parties and the crypto community reacted differently:

  • In the DeFi protocol Drift incident, the JLP position suffered losses of about $155.6 million. In response, Jupiter’s official team said the platform was not affected by this incident. Its lending product Jupiter Lend was not involved with the Drift market, and the JLP assets are “fully supported by underlying assets.” Jupiter also said that this incident was a “tough day” for the Solana DeFi ecosystem and expressed concern to the Drift team and affected users.

  • Yield generation protocol Unitas Protocol posted on X, stating that it was not affected by the Drift Protocol attack incident. Unitas has no exposure on Drift. All collateral is safe, and all strategies (including the JLP Delta Neutral strategy) are running normally. User funds are safe. Collateral can be verified in real time through the Accountable and Primus Labs reserve proof dashboards.

  • Solana liquidity protocol Meteora posted on X, saying that all funds on Meteora are safe; the platform’s functions and treasury have not interacted with the Drift protocol.

  • Anna, founder of the stablecoin infrastructure project Perena, posted on X, saying that Perena’s USD*, USD*-J, and USD*-P were not affected by the Drift attack incident. However, the JLP vault of Neutral Trade, the manager of the Solana ecosystem quant strategy sharing platform, was affected because it runs on Drift Protocol. The team is maintaining communication with partners and will continue to update progress.

  • X user @hzkj99: The asset protocol Drift Protocol in the SOL ecosystem was hacked, with losses in the hundreds of millions. Whenever funds are involved, safety must be the top priority at any time. Especially in a bear market, there will absolutely be new protocols that get hacked. This world is a huge patchwork of setups—some protocols can even be hacked multiple times, and Drift is definitely not the last one that will be hacked.

  • X user @lanhubiji: Drift Protocol suffered a major vulnerability exploit, with losses on the scale of about $270 million—one of the largest DeFi attacks of 2026 so far. Some posts, speaking very seriously, said, “The Solana Foundation is coordinating a rollback with servers in Toly’s (co-founder) basement.” Although this is a meme, saying it like that is a bit much.

  • X user @EnHeng456: In a bear market, keeping money really requires being careful, and even more careful now—the environment is getting less and less safe, and there is hacking news everywhere. Some older protocols also specifically run into issues in bear markets—you can hardly tell whether it’s a hacker attack or “robbing itself.” I’ve also been more conservative lately. I just keep everything in USD1 and don’t dare to store it anywhere else. In this kind of market, the more you tinker, the easier it is to cause problems. Sometimes not moving is the best choice. Drift got hacked out of $200 million and then it went into the general’s pocket.

IV. Impact of the Drift Protocol stolen-asset incident

The Drift Protocol $285 million stolen-asset incident is the second-largest DeFi attack in Solana ecosystem history. Its impact goes far beyond the protocol itself—dealing a severe blow to confidence in the Solana ecosystem and accelerating DeFi security reform.

This attack exposed fatal flaws in how DeFi projects handle multisig permission management and oracle security. “Permissions are the treasury.” Once an admin key is compromised and there are no emergency stop mechanisms such as timelocks, even complex code logic can fail instantly. For Drift Protocol, unless the stolen money is recovered or a big player steps in to take over, it will head toward liquidation, bankruptcy, and lawsuits. Solana and its ecosystem have suffered a severe blow to their reputation, with short-term capital outflows and slower growth, while in the long term the incident forces a security upgrade. For the entire DeFi industry, it can be called a watershed moment: “permission security is greater than code security” becomes an iron law. Trust costs rise sharply, and DeFi will enter a new stage of being more compliant, more transparent, and more centralized (secure governance).
