$285m worth of user assets stolen from Solana’s Drift Protocol following massive breach
- Marijan Hassan - Tech Journalist
- 19 hours ago
Drift Protocol, the largest decentralised perpetual futures exchange on the Solana network, was hit by a sophisticated exploit, resulting in the theft of approximately $280 million in user assets. The platform confirmed the attack was real and active, dispelling early social media rumors that it was an elaborate April Fools' prank.

The breach caused Drift's Total Value Locked (TVL) to plummet by over 53%, falling from $550 million to roughly $255 million in less than 24 hours. The protocol has since suspended all deposits and withdrawals as it coordinates with law enforcement and security firms to trace the stolen funds.
Anatomy of a "textbook" attack
Security researchers from PeckShield and SlowMist describe the incident as a "textbook-level" operational chain involving both governance vulnerabilities and oracle manipulation. The attacker reportedly spent over a week preparing for the heist, beginning with a small "test transfer" from a Drift vault eight days prior to the main event.
The exploit unfolded in three critical stages:
- Governance compromise: The attacker gained unauthorised access to Drift’s Security Council administrative powers. This may have been facilitated by a recent migration of protocol management to a new multi-signature wallet that lacked a "time-lock" mechanism.
- Oracle manipulation: Using their elevated permissions, the attacker created a false spot market for an illiquid token called CVT. By manipulating the Switchboard oracle price, they artificially inflated the value of CVT through 20 rapid transactions.
- Treasury drain: The attacker used the overvalued CVT as collateral to borrow "real" assets from Drift's core vaults, including approximately $155 million in JLP tokens, $51 million in USDC, and significant amounts of SOL and cbBTC.
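The three stages map onto three controls a lending protocol can place in front of collateral valuation: a time-lock on new listings, a price clamp against a time-weighted average, and a per-asset collateral cap. The Python model below is an added illustration, not Drift's code; the `ILLIQ` market, the thresholds and every function name are assumptions, and the price series is constructed.

```python
from dataclasses import dataclass, field

# All thresholds are assumed values for illustration, not Drift parameters.
TIMELOCK_SECS = 48 * 3600   # delay before a newly listed market counts as collateral
TWAP_WINDOW_SECS = 3600     # averaging window for the oracle price
MAX_DEVIATION = 0.10        # accepted premium of the latest price over the TWAP

@dataclass
class Market:
    symbol: str
    listed_at: int                # unix time the listing was queued
    collateral_cap_usd: float     # ceiling on borrowing power from this asset
    updates: list = field(default_factory=list)  # (timestamp, price), time-ordered

def twap(market, now):
    """Time-weighted average oracle price over the window ending at `now`."""
    pts = [(t, p) for t, p in market.updates if now - TWAP_WINDOW_SECS <= t <= now]
    if not pts:
        return None
    ends = [t for t, _ in pts[1:]] + [now]   # each price holds until the next update
    total = sum(p * (end - t) for (t, p), end in zip(pts, ends))
    span = now - pts[0][0]
    return total / span if span else pts[-1][1]

def collateral_value_usd(market, amount, now):
    """Borrowing power granted for `amount` tokens; 0.0 means rejected."""
    if now - market.listed_at < TIMELOCK_SECS:
        return 0.0                      # listing is still inside the time-lock
    avg = twap(market, now)
    if avg is None:
        return 0.0                      # no recent price history: fail closed
    latest = market.updates[-1][1]
    price = min(latest, avg * (1 + MAX_DEVIATION))  # clamp sudden spikes
    return min(amount * price, market.collateral_cap_usd)

def sample_market(now):
    """Constructed data: a flat price, then 20 one-second updates up to 5.00."""
    m = Market("ILLIQ", listed_at=now - 49 * 3600, collateral_cap_usd=50_000.0)
    m.updates.append((now - 3600, 0.01))
    m.updates += [(now - 20 + i, 0.25 * (i + 1)) for i in range(20)]
    return m

if __name__ == "__main__":
    now = 1_800_000_000
    m = sample_market(now)
    print("naive:", 1_000 * m.updates[-1][1], "guarded:", collateral_value_usd(m, 1_000, now))
```

On the constructed series, 1,000 tokens are worth 5,000 USD at the latest oracle price but about 27 USD after the clamp, and any position size is bounded by the cap.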
Cross-chain laundering and industry fallout
Blockchain data shows the attacker used Circle’s Cross-Chain Transfer Protocol (CCTP) to bridge approximately $232 million in USDC from Solana to Ethereum. Once on Ethereum, the funds were swapped for ETH and dispersed across various privacy mixers and exchanges.
The speed and scale of the transfer have sparked a heated debate within the industry. High-profile on-chain sleuth ZachXBT publicly criticized Circle and other major exchanges for a "slow response" in freezing the assets as they moved across the bridge during U.S. working hours. Circle responded by stating they comply with "law enforcement orders and court-mandated requirements" but must balance asset freezes with user rights and the rule of law.
Ecosystem impact
The ripple effects of the Drift hack have been felt across the entire Solana network:
- Jupiter (JUP): As a major holder of JLP tokens, Jupiter's perpetual contract market faced a significant liquidity crunch.
- Contagion: At least 15 other Solana projects, including Carrot Finance and Lulo, were forced to pause functions or freeze funds due to their interconnectedness with Drift’s liquidity pools.
- Token collapse: The $DRIFT token crashed by 35%, trading as low as $0.044 following the news.
The DPRK connection?
Security firm Elliptic has identified multiple indicators suggesting the attack may be linked to the Lazarus Group, a state-sponsored hacking collective from the Democratic People's Republic of Korea (DPRK). The "staged execution" and specific laundering methodologies match patterns observed in previous North Korean crypto-thefts.
If confirmed, this would be the 18th major DPRK-linked exploit tracked in 2026 alone. For now, the Drift team is urging users to revoke all smart contract authorizations related to the protocol as the investigation continues.












