Solana-based Drift Protocol fell victim to the largest exploit of 2026 so far, losing nearly $300 million in a “highly sophisticated operation” that raised concerns about the growing threat of human-targeted attacks in the crypto space.
Solana DEX loses $285 million on April Fool’s Day
On Wednesday, Solana-based decentralized exchange (DEX) Drift Protocol fell victim to an exploit that stole hundreds of millions of dollars from its vaults. After online reports indicated unusual on-chain activity yesterday afternoon, Drift’s official channels confirmed the attack, quickly suspending deposits and withdrawals.
The attack reportedly lasted less than 20 minutes and resulted in the theft of approximately $285 million in various assets, including USDC, JPL, USDT, JUP, USDS, WBTC, and WETH, from nearly 20 vaults. This marks the biggest crypto exploit so far in 2026 and one of the biggest hacks in the industry, coming just after the $235 million WazirX hack.
The hack wiped out half of the Solana-based project’s total value locked (TVL), which dropped from about $550 million to $252 million, according to DeFiLlama data. The Drift protocol’s token, DRIFT, has also fallen almost 40% in the last 24 hours.
Within hours, the exploiter converted $270.9 million into USDC, bridged it from Solana to Ethereum via CCTP’s TokenMessengerMinterV2, and purchased 129,000 ETH, splitting it across multiple wallets.
On Thursday, Drift shared details of the incident in a post, confirming that “a malicious actor gained unauthorized access to the Drift protocol through a novel persistent nonce attack, which led to the rapid takeover of the administrative privileges of the Drift Security Council.”
Solana’s durable (persistent) nonce transactions are an advanced mechanism that lets a transaction bypass the short expiration window that applies to regular transactions. This allows users to pre-sign transactions for future execution, offline signing, or sophisticated multi-signature workflows. It also means that a signature collected today stays valid until whoever holds the signed transaction chooses to submit it.
“This was a highly sophisticated operation that apparently involved weeks of preparation and phased execution, including the use of durable one-off accounts to pre-sign transactions that delayed execution,” the post continued.
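The following added example (not code from Drift, Solana, or this article) shows how a signer-side review tool could flag a transaction that uses a durable nonce before anyone approves it, by checking whether the first instruction of the serialized message is the System Program's AdvanceNonceAccount. The helper names and the sample messages are constructed for illustration, and the check is a simplified version of the runtime's rule (it does not verify that the nonce account is writable).

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # System Program id is 32 zero bytes (base58 "111...1")
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount discriminant

def _shortvec(buf, i):
    """Decode Solana's compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def uses_durable_nonce(msg: bytes) -> bool:
    """True if the message's FIRST instruction is System AdvanceNonceAccount."""
    i = 1 if msg[0] & 0x80 else 0   # versioned (v0) messages carry a prefix byte
    i += 3                          # header: signer and read-only account counts
    nkeys, i = _shortvec(msg, i)
    keys = [msg[i + 32 * k: i + 32 * (k + 1)] for k in range(nkeys)]
    i += 32 * nkeys + 32            # skip keys, then the blockhash / nonce value
    ninstr, i = _shortvec(msg, i)
    if ninstr == 0:
        return False
    prog = msg[i]                   # index of the program id in the key list
    nacc, i = _shortvec(msg, i + 1)
    dlen, i = _shortvec(msg, i + nacc)
    return (prog < nkeys and keys[prog] == SYSTEM_PROGRAM and dlen >= 4
            and struct.unpack_from("<I", msg, i)[0] == ADVANCE_NONCE)

def _build(instrs):
    """Constructed sample: serialize a legacy message with placeholder keys."""
    keys = [bytes([k]) * 32 for k in (1, 2, 3)] + [SYSTEM_PROGRAM]
    out = bytes([1, 0, 2, len(keys)]) + b"".join(keys) + bytes([9]) * 32
    out += bytes([len(instrs)])
    for prog, accts, data in instrs:
        out += bytes([prog, len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return out

TRANSFER = (3, [0, 1], struct.pack("<IQ", 2, 1000))         # ordinary transfer
ADVANCE = (3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE))  # nonce advance
NORMAL_MSG = _build([TRANSFER])            # expires with its recent blockhash
DURABLE_MSG = _build([ADVANCE, TRANSFER])  # signature stays valid until submitted
```

A signing workflow can treat a `True` result as a reason to show an explicit "this approval does not expire" warning or to require out-of-band confirmation before the signature is released.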
Malicious actors attacking people, not smart contracts
The Solana-based DEX stressed that the exploit was not the result of a bug in Drift’s programs or smart contracts, also noting that it found no evidence that seed phrases were compromised.
“The attack consisted of unauthorized or misrepresented consents to transactions obtained before their execution, likely facilitated by persistent one-off mechanisms and sophisticated social engineering,” the project emphasized.
Lily Liu, President of the Solana Foundation, addressed the incident, claiming that it is a blow to the entire Solana ecosystem. Liu noted that “Smart contracts have persisted. The real targets are now people: social engineering and opsec weaknesses rather than code exploits.”
Ledger’s technical director Charles Guillemet connected Drift’s attack method to the $1.4 billion Bybit hack, which was attributed to North Korean hacking groups. He explained that the attackers, probably through long-term infiltration, hacked several machines belonging to multisig signatories and misled operators into approving malicious transactions.
This modus operandi is similar to last year’s Bybit hack, which was widely attributed to DPRK-linked entities. The pattern is becoming familiar: patient, sophisticated compromise at the supply chain level that targets the human and operational layers, not the smart contracts themselves.
Guillemet confirmed that the incident is “another wake-up call for the industry” that should raise the bar on safety. “Ultimately, security isn’t just about code audits. It’s about providing operators and users with the right information at the right time so they can make informed decisions about what they sign,” he concluded.

