April 1, 2026 — An April Fools’ joke no one wanted to believe was real
April 1, 2026 — April Fools’ Day.
When alerts began appearing on X (Twitter) saying that Drift Protocol was under attack, most people assumed it was just a prank. Few imagined that the largest DeFi platform on Solana could actually be breached on the one day no one believes anything.
But within 12 minutes, $285 million was gone.
This wasn’t a movie, a joke, or a simulation — it was the biggest DeFi robbery of 2026, and the second-largest incident in Solana’s history, behind only the $326 million Wormhole Bridge hack in 2022.
And behind it? State-backed North Korean hackers — the same ecosystem linked to the $1.5 billion Bybit theft earlier in 2025.
Who is Drift Protocol?
Before getting into the attack, it helps to understand what Drift is.
Drift Protocol, founded in 2021 by Cindy Leow and David Lu, is the largest decentralized perpetual futures exchange on Solana. Before the incident, Drift held more than $550 million in total value locked (TVL) and processed over $19 million in daily trading volume.
In simple terms, Drift is like a “stock market” for Solana’s DeFi world — a place where depositors, traders, and lenders interact without a central intermediary.
Anatomy of the Hack — A plan built over weeks
What made the Drift attack different from a typical hack is this: it didn’t rely on a bug in the code. Security firms Trail of Bits and ClawSecure had audited Drift’s code and found no critical issues.
The weakness was in people and processes — not software.
Step 1 — Three weeks of preparation (March 11)
It all began on March 11, 2026, when the attacker withdrew 10 ETH from Tornado Cash, a blockchain obfuscation tool used to hide transaction trails. The funds began moving on March 12 around midnight GMT — roughly 9:00 AM Pyongyang time.
That small detail later became an important clue in attribution.
Step 2 — Creating a fake token that looked legitimate
The attacker created a token called CarbonVote Token (CVT), minting 750 million units and controlling 80% of the supply. They then seeded a tiny amount of liquidity — only around $500 — on Raydium, a Solana-based exchange.
Next came wash trading: repeatedly buying and selling the token between wallets they controlled to make CVT appear like a legitimate asset trading at roughly $1 per token.
This continued for weeks, until Drift’s oracle system — which relied on Switchboard for asset price feeds — accepted CVT as a real asset.
That was the core of the attack: convincing the oracle that a fake asset was real.
Step 3 — Taking over governance keys
Between March 23 and 30, the attacker created Durable Nonce Accounts, a standard Solana feature that allows transactions to be signed in advance and held for later use without expiring.
They then used social engineering to trick members of Drift’s Security Council into signing what appeared to be routine update transactions, but which in reality granted the attacker control over the system.
A critical change happened on March 27: the Security Council was moved to a 2/5 multisig with zero timelock. That meant only 2 out of 5 approvals were needed, and there was no delay period for review before execution.
It was the equivalent of removing the brakes from a car before sending it downhill.
Step 4 — Twelve minutes of chaos (April 1)
Once everything was in place, the attacker moved fast:
- Listed CVT as valid collateral on Drift
- Raised withdrawal limits to extreme levels
- Deposited 785 million CVT tokens into the system — which the oracle valued at hundreds of millions of dollars
- Withdrew real assets — including USDC, SOL, JLP, and Bitcoin — through 31 transactions in 12 minutes
Assets stolen included:
- JLP (Jupiter Perps): ~42.7 million units (worth about $159 million)
- Bitcoin assets (cbBTC, wBTC): more than $16 million
- SOL, USDC, USDT: tens of millions of dollars
- A total of 15 token types across multiple vaults
All of it was completed in 12 minutes — faster than most people take to order and receive their morning coffee.
Cross-chain laundering — Within hours
After draining Drift, the attacker wasted no time:
- Converted all stolen assets into USDC through Solana-based exchanges
- Bridged the funds to Ethereum via Circle’s CCTP protocol — moving more than $230 million in USDC within a few hours
- Swapped USDC into ETH on Ethereum to make tracking more difficult
The most alarming detail: Circle took more than six hours to freeze the stolen USDC — more than enough time for the attacker to move most of the funds cross-chain and begin laundering them.
Impact — Shockwaves across Solana DeFi
TVL collapsed
Drift’s total value locked fell from $550 million to below $250 million by the same morning — a 55% drop, driven by both the stolen funds and panic withdrawals from users.
DRIFT token plunged 40%
The $DRIFT token fell from $0.07 to $0.044, dropping more than 40% in 24 hours after the team announced a full suspension of deposits and withdrawals.
Contagion effects
More than 12 Solana protocols with exposure to Drift temporarily paused operations. Some announced compensation plans for users, while others suspended deposits, withdrawals, and lending until they could assess the damage.
North Korea — From Bybit to Drift
Evidence pointing to Pyongyang
Both TRM Labs and Elliptic, two of the world’s leading blockchain intelligence firms, concluded that the Drift attack closely matched known North Korean operations:
- Operational timing: funds began moving at 09:00 Pyongyang time, consistent with regular working hours
- On-chain patterns: transaction behavior matched prior DPRK-linked operations
- Laundering methods: tactics aligned with techniques repeatedly used by North Korean actors
- Operational boldness: rapidly bridging massive sums suggests a state-backed team with significant resources
Elliptic said this was already the 18th DPRK-linked operation of 2026 alone — with more than $300 million stolen so far that year.
The bigger picture — Crypto theft as an industry
The numbers are staggering:
- 2025: North Korean hackers stole a total of $2 billion in crypto, accounting for 59% of all crypto theft globally ($3.4 billion)
- All-time total: more than $6.5 billion
- Bybit Hack (Feb 2025): $1.5 billion — the largest in crypto history
- Drift Hack (Apr 2026): $285 million — the largest hack of 2026
What is the money used for? The United Nations has been blunt: North Korea’s nuclear weapons and missile programs. Under heavy sanctions that cut off traditional financing channels, crypto remains one of the few viable alternatives.
From Bybit to Drift — The same pattern, and still no one learns
If you read our Bybit Heist article, the similarities are hard to ignore:
| | Bybit (Feb 2025) | Drift (Apr 2026) |
| --- | --- | --- |
| Value | $1.5 billion | $285 million |
| Method | Supply chain attack via Safe{Wallet} | Oracle manipulation + admin key compromise |
| Weak point | Signers approved without verification | Signers pre-approved without understanding |
| Code flaw? | None — code passed audit | None — code passed audit by Trail of Bits |
| Attacker | North Korea (Lazarus Group) | North Korea (DPRK-linked) |
| Core problem | People | People |
Notice the pattern? In both cases, the code wasn’t the problem — people were.
The systems had passed audits. There were no obvious software bugs. But the attackers went after the weakest layer: human approval processes where signers did not fully verify what they were authorizing.
“Code is Law” breaks down when the people holding the keys become the real attack surface.
5 key lessons — For every organization, not just DeFi
1. Timelocks are emergency brakes you should never remove
Drift removed its governance timelock before the incident, allowing critical changes to execute immediately with no review period.
Lesson: Any system involving sensitive approvals — whether smart contracts, ERP workflows, or financial transfers — needs a mandatory delay period so humans have time to review. For admin-level changes, that should be at least 24–48 hours.
2. Oracles are not infallible — You need defense in depth
Drift trusted oracle pricing without enough safeguards. The attacker was able to create a fake token with a convincing price history and successfully deceive the oracle.
Lesson: Any system that depends on external data needs layered defenses — such as minimum liquidity thresholds, time-weighted pricing checks, and circuit breakers that halt operations automatically when anomalies appear. This applies far beyond crypto: price APIs, market feeds, and even third-party vendor data all carry the same risk.
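The listing guard below is an added example, not Drift's or Switchboard's code, of the layered checks this lesson describes: a minimum liquidity threshold, a distinct-trader floor (wash trading between a handful of wallets fails it), a spot-vs-TWAP deviation check, a per-update circuit breaker, and a collateral cap tied to pool depth so that a thinly traded token cannot be valued at hundreds of millions. All thresholds, field names and the two token histories are constructed assumptions for illustration; the "CVT-like" history mirrors the article's figures of roughly $500 of liquidity at about $1 per token.

```python
"""Added example (not Drift's or Switchboard's code): defense-in-depth checks
before an oracle price is accepted as collateral value. Thresholds and sample
histories are constructed assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    ts: int                     # unix seconds of the oracle update
    price_usd: float            # oracle spot price
    pool_liquidity_usd: float   # depth of the deepest on-chain pool
    unique_traders_24h: int     # distinct wallets trading in the last 24h

# Assumed policy values for the example, not Drift's parameters.
MIN_POOL_LIQUIDITY_USD = 5_000_000
MIN_UNIQUE_TRADERS_24H = 250
MAX_SPOT_VS_TWAP = 0.05        # spot may not stray more than 5% from the TWAP
MIN_HISTORY_SECONDS = 30 * 86_400
MAX_EXPOSURE_SHARE = 0.10      # count at most 10% of pool depth as collateral
CIRCUIT_BREAKER_MOVE = 0.20    # halt on a >20% move between consecutive updates

def time_weighted_price(history):
    """TWAP over a chronological list of Snapshot (piecewise-constant forward)."""
    if len(history) < 2:
        return history[-1].price_usd
    weighted = sum(a.price_usd * (b.ts - a.ts) for a, b in zip(history, history[1:]))
    return weighted / (history[-1].ts - history[0].ts)

def circuit_breaker_tripped(history):
    """True if any single update moved the price more than CIRCUIT_BREAKER_MOVE."""
    return any(abs(b.price_usd - a.price_usd) / a.price_usd > CIRCUIT_BREAKER_MOVE
               for a, b in zip(history, history[1:]))

def listing_review(history):
    """Return (accepted, reasons) for admitting an asset as collateral."""
    latest = history[-1]
    reasons = []
    if latest.ts - history[0].ts < MIN_HISTORY_SECONDS:
        reasons.append("insufficient price history")
    if latest.pool_liquidity_usd < MIN_POOL_LIQUIDITY_USD:
        reasons.append(f"pool liquidity ${latest.pool_liquidity_usd:,.0f} below minimum")
    if latest.unique_traders_24h < MIN_UNIQUE_TRADERS_24H:
        reasons.append("too few distinct traders (possible wash trading)")
    twap = time_weighted_price(history)
    if abs(latest.price_usd - twap) / twap > MAX_SPOT_VS_TWAP:
        reasons.append("spot price deviates from TWAP")
    if circuit_breaker_tripped(history):
        reasons.append("circuit breaker: abrupt price move in history")
    return (not reasons, reasons)

def collateral_value_usd(amount, latest):
    """Cap the credited value by what the market could actually absorb."""
    naive = amount * latest.price_usd
    cap = latest.pool_liquidity_usd * MAX_EXPOSURE_SHARE
    return min(naive, cap)

# Constructed histories: one thin, wash-traded token and one healthy asset.
DAY = 86_400
CVT_LIKE = [Snapshot(d * DAY, 1.0, 500.0, 2) for d in range(22)]            # 3 weeks
HEALTHY = [Snapshot(d * DAY, 150.0, 50_000_000.0, 5_000) for d in range(60)]
HEALTHY.append(Snapshot(60 * DAY, 151.0, 50_000_000.0, 5_000))

if __name__ == "__main__":
    print(listing_review(CVT_LIKE))
    print(listing_review(HEALTHY))
    # 785M tokens at $1 is "worth" $785M to a naive oracle read, $50 after the cap
    print(collateral_value_usd(785_000_000, CVT_LIKE[-1]))
```

Each check fails independently, so a reviewer sees every reason rather than the first one; the exposure cap is the backstop that limits damage even if an attacker passes the other checks.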
3. Multi-sig isn’t safe if signers don’t verify what they sign
Multisig is designed to require multiple approvals. But if signers can be tricked into pre-signing transactions they don’t understand, it offers little more protection than a single approver.
Lesson: Anyone with approval authority must review every request carefully before signing — especially transactions tied to admin functions or system-level changes. Never sign what you don’t understand, whether it’s on-chain or in the office.
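The simulation below is an added example (not Drift's governance code) serving both lesson 1 and lesson 3: a council whose execution path requires a signer threshold, approvals that commit to the exact instruction and expire quickly (so a transaction signed weeks ago, as with the durable nonce accounts described above, cannot be replayed), and a mandatory timelock between queueing and execution. The same `attempt` routine is run against a 2-of-5 council with zero timelock and against a 3-of-5 council with a 48-hour delay. Signer keys, the program name, the instruction and the HMAC stand-in for real signatures are constructed assumptions.

```python
"""Added example (not Drift's code): threshold approvals + approval expiry +
timelock. HMAC stands in for on-chain signatures; all names are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    program: str
    instruction: str
    args: tuple  # (key, value) pairs, kept hashable

    def digest(self) -> str:
        canon = json.dumps([self.program, self.instruction, list(self.args)],
                           separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

@dataclass(frozen=True)
class Approval:
    signer: str
    action_digest: str
    issued_at: int
    tag: str  # HMAC over (digest, issued_at); stand-in for an ed25519 signature

class GovernanceError(Exception):
    pass

class Council:
    def __init__(self, signer_keys, threshold, timelock_s, approval_ttl_s):
        self.keys = dict(signer_keys)
        self.threshold = threshold
        self.timelock_s = timelock_s
        self.approval_ttl_s = approval_ttl_s
        self.pending = {}  # digest -> (action, queued_at)

    @staticmethod
    def _tag(key, digest, issued_at):
        return hmac.new(key, f"{digest}|{issued_at}".encode(), "sha256").hexdigest()

    def approve(self, signer, action, now):
        d = action.digest()
        return Approval(signer, d, now, self._tag(self.keys[signer], d, now))

    def _is_valid(self, a, action, now):
        key = self.keys.get(a.signer)
        if key is None:
            return False
        if not hmac.compare_digest(self._tag(key, a.action_digest, a.issued_at), a.tag):
            return False
        if a.action_digest != action.digest():      # signer approved something else
            return False
        return now - a.issued_at <= self.approval_ttl_s  # reject stale pre-signed approvals

    def queue(self, action, approvals, now):
        signers = {a.signer for a in approvals if self._is_valid(a, action, now)}
        if len(signers) < self.threshold:
            raise GovernanceError(f"{len(signers)} valid approvals, need {self.threshold}")
        d = action.digest()
        self.pending[d] = (action, now)
        return d

    def execute(self, digest, now):
        action, queued_at = self.pending[digest]
        if now < queued_at + self.timelock_s:
            raise GovernanceError(f"timelock: {queued_at + self.timelock_s - now}s remaining")
        del self.pending[digest]
        return action

HOUR = 3600
KEYS = {f"signer{i}": f"constructed-secret-{i}".encode() for i in range(1, 6)}
RAISE_LIMITS = Action("example_program", "set_withdraw_limit",
                      (("asset", "USDC"), ("limit", 10**9)))

def weak_council():       # the 2/5, zero-timelock shape the article describes
    return Council(KEYS, threshold=2, timelock_s=0, approval_ttl_s=30 * 24 * HOUR)

def hardened_council():   # 3/5, 48h delay, approvals die after one hour
    return Council(KEYS, threshold=3, timelock_s=48 * HOUR, approval_ttl_s=HOUR)

def attempt(council, approval_age_s, wait_s, n_approvals=2):
    """Replay approvals issued approval_age_s ago, queue now, execute wait_s later.
    Returns 'executed', 'rejected_at_queue' or 'rejected_by_timelock'."""
    t0 = 1_000_000
    approvals = [council.approve(f"signer{i}", RAISE_LIMITS, t0 - approval_age_s)
                 for i in range(1, n_approvals + 1)]
    try:
        d = council.queue(RAISE_LIMITS, approvals, t0)
    except GovernanceError:
        return "rejected_at_queue"
    try:
        council.execute(d, t0 + wait_s)
    except GovernanceError:
        return "rejected_by_timelock"
    return "executed"

if __name__ == "__main__":
    print("weak, 3-day-old approvals, immediate:", attempt(weak_council(), 3 * 24 * HOUR, 0))
    print("hardened, 3-day-old approvals:", attempt(hardened_council(), 3 * 24 * HOUR, 0, 3))
    print("hardened, fresh approvals, immediate:", attempt(hardened_council(), 0, 0, 3))
    print("hardened, fresh approvals, after 48h:", attempt(hardened_council(), 0, 48 * HOUR, 3))
```

The digest binds each approval to the exact program, instruction and arguments, which is what "never sign what you don't understand" means in code: an approval over a different payload is simply not counted.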
4. Social engineering is still the most powerful weapon
Both Bybit and Drift had no critical code bug — only bugs in processes and people. Attackers don’t need to be the world’s best programmers if they are good enough at manipulating humans.
Lesson: Invest seriously in security awareness training. That means more than sending one reminder email a year. Organizations need regular drills, phishing simulations, and a culture where people feel empowered to question anything suspicious.
5. Response speed is everything
Circle took six hours to freeze the stolen USDC — far too long. The attacker needed much less time than that to move and launder funds across chains.
Lesson: Every organization needs a tested incident response plan. People must know exactly what to do, who to call, and how quickly decisions can be made. Every minute lost is money gone.
What Thai businesses and investors should know
For crypto investors
- Do not keep all your funds in a single protocol — diversify across both platforms and chains
- Review the governance model before investing — a protocol using zero timelock is effectively saying, “we have no brakes”
- Follow on-chain security news closely — this will not be the last incident of its kind
For businesses using digital systems
The Drift attack is not just a crypto story — the same principles apply to every organization:
- Oracle manipulation = trusting vendor or API data without verification
- Admin key compromise = a phishing attack on privileged accounts
- Zero timelock = an approval process with no review step
- Social engineering = an email that looks like it came from the CEO
If your organization runs ERP systems, cloud infrastructure, or even budget approval workflows, you are exposed to the same class of risk.
DeFi security in 2026 — A worrying picture
Q1 2026 initially looked better on paper: hackers stole $168.6 million from 34 DeFi protocols, down 89% year-over-year.
But the Drift incident in April wiped out that entire quarter’s progress in a single event.
What has changed is the scale of attacks. Hackers no longer need many small wins — one sufficiently large attack is enough.
And North Korea is proving that it can do this again and again — from Bybit to Drift, and likely other operations that have not yet been publicly disclosed.
Key Takeaways
$285 million vanished in 12 minutes — not because the code had a bug, but because the process did.
The Drift Protocol hack teaches us that:
- Security audits are not enough if approval processes are still weak
- Timelocks are not optional — they are a requirement
- People are the biggest vulnerability — and training is one of the best security investments available
- State-backed attackers do not only target giant firms; mid-sized protocols can be just as vulnerable
The same question we asked after Bybit still applies here: “If your organization were attacked today, how ready would it be?”
The Enersys team has experience designing security systems end to end — from risk assessments and defense-in-depth architecture to incident response planning. If you’re not confident your systems are secure enough, talk to us before it’s too late.