Drift's "April Fools" theft exceeds $280 million: hacker intrusion or inside job?

Shaw, Golden Finance

On April 2, a security incident occurred on the derivatives trading platform Drift Protocol, with on-chain data showing losses exceeding $285 million. The project team said it had identified abnormal activity and was investigating, urged users not to deposit funds into the protocol, and emphasized, “This is not an April Fools’ joke.”

The attack involved multiple funding pools, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking, among others. A single transfer of about 41.7 million JLP tokens was valued at approximately $155 million. In addition, assets such as SOL, USDC, cbBTC, and wBTC were also withdrawn.

According to statistics, this incident may become one of the largest DeFi attacks in the Solana ecosystem after the Wormhole bridge exploit.

I. Latest developments in the Drift Protocol attack

On April 1, 2026, Eastern Time, the Solana ecosystem’s decentralized derivatives protocol Drift Protocol suffered a major hacker attack. About $285 million in assets was stolen, mainly about 41.7 million JLP tokens worth $155.6 million, along with various assets including USDC, SOL, cbBTC, and wBTC. The incident ranks as the second-largest attack in Solana’s history and one of the largest DeFi attacks by scale.

Afterward, Drift Protocol’s official account published a post on a social platform confirming: “Drift Protocol is under attack. Deposit and withdrawal functions have been paused. We are working in coordination with multiple security organizations, cross-chain bridges, and exchanges to fully control the situation. This is not an April Fools’ joke. More information will be released on this account as soon as possible.”

The attack began in the early hours of April 2. On-chain monitoring platform PeckShield issued an alert: the main treasury address of Drift began making large transfers to a newly created wallet, HkGz4K. The first batch transferred mainly JLP (Jito Liquidity Provider) tokens, worth about $155 million. Then came USDC, SOL, cbBTC, wBTC, WETH, and some meme coins. PeckShield data shows that, within a short time, a total of $285 million in assets flowed out.

According to Ember monitoring, the $285 million stolen from Drift has already been exchanged for 129k ETH (=$278 million). Over the past few hours, the hacker sold these assets using various methods and bridged them to the Ethereum chain, then purchased ETH on the Ethereum chain. Now, the $285 million in assets stolen on Solana has been converted into 129,066 ETH on the Ethereum chain.

In addition, the SlowMist security team said in a post on social media that, currently, the stolen funds have basically been consolidated to the following Ethereum addresses: 0x0fe3b6908318b1f630daa5b31b49a15fc5f6b674, 0xd3feed5da83d8e8c449d6cb96ff1eb06ed1cf6c7, 0xaa843ed65c1f061f111b5289169731351c5e57c1, totaling: 105,969 ETH (about $226 million).

[Figure: hacker address clusters]

II. Interpreting the Drift Protocol attack: was it an inside job?

This attack was a carefully planned combination of permission intrusion and price manipulation. The core was that after stealing administrator privileges, the hacker used forged tokens and manipulated oracles to instantly bypass the funding limits and loot the protocol treasury. By obtaining the administrator private key, the hacker disabled the protocol’s core risk controls (withdrawal limits). They then used fake collateral to withdraw in batches from the funding pools, and completed money laundering by transferring assets across chains.

SlowMist founder Yu Xian published an analysis of the Drift theft. It pointed out that one week before the attack, Drift changed its multisig mechanism to “2/5” (1 old signer + 4 new signers) and did not set a timelock. The attacker then obtained administrator privileges, forged CVT tokens, manipulated oracles, shut down security mechanisms, and transferred high-value assets from the funding pools.

Chaos Labs co-founder Omer Goldberg also posted on social media that a week ago, Drift migrated to a new multisig wallet. This wallet was created by one of the signers from the original multisig, and this signer did not add themselves to the new multisig’s signer list. The attacker simultaneously initiated a proposal in the old multisig to transfer administrator privileges to this new wallet. The new multisig has 5 signers in total: only 1 is from the original team, while the other 4 are entirely new addresses. The wallet is set with a 2/5 multisig threshold and has no timelock (0 seconds delay). In the early hours of April 2, this sole original signer initiated a proposal via the new multisig to change Drift administrator privileges. A new signer co-signed within one second, instantly satisfying the 2/5 threshold. Because there was no timelock, the transaction executed immediately.
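As an added illustration (not part of the original article, and not Drift's or any multisig program's code), the checks below audit an admin-authority migration and a proposal timeline for the conditions described above: high signer turnover, a quorum reachable without any original signer, no timelock, and quorum reached within seconds. The signer labels, timestamps, size of the old signer set and policy limits are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MultisigConfig:
    signers: frozenset       # signer labels (constructed, not real keys)
    threshold: int           # approvals needed to execute
    timelock_seconds: int    # enforced delay before execution

def audit_migration(old, new, min_timelock=24 * 3600, max_turnover=0.5):
    """Findings for moving admin authority from `old` to `new` (assumed policy limits)."""
    findings = []
    unfamiliar = new.signers - old.signers
    if len(unfamiliar) / len(new.signers) > max_turnover:
        findings.append("SIGNER_TURNOVER")
    # Quorum can be reached with no signer from the old set at all.
    if len(unfamiliar) >= new.threshold:
        findings.append("QUORUM_WITHOUT_OLD_SIGNERS")
    if new.timelock_seconds < min_timelock:
        findings.append("TIMELOCK_BELOW_POLICY")
    return findings

def audit_execution(cfg, created_at, approvals, executed_at,
                    min_review=3600, min_delay=24 * 3600):
    """approvals: list of (signer, unix_time). Flags admin changes that reached
    quorum, or executed, faster than a human review window allows."""
    first = {}
    for signer, t in approvals:          # count each known signer once
        if signer in cfg.signers:
            first[signer] = min(t, first.get(signer, t))
    times = sorted(first.values())
    if len(times) < cfg.threshold:
        return ["EXECUTED_WITHOUT_QUORUM"]
    findings = []
    quorum_at = times[cfg.threshold - 1]
    if quorum_at - created_at < min_review:
        findings.append("RAPID_QUORUM")
    if executed_at - quorum_at < min_delay:
        findings.append("EXECUTED_INSIDE_DELAY_WINDOW")
    return findings

# Constructed data shaped like the migration described above; the old
# multisig's size, threshold and timelock are assumptions (not on the page).
OLD = MultisigConfig(frozenset({"old-1", "old-2", "old-3"}), 2, 0)
NEW = MultisigConfig(frozenset({"old-1", "new-1", "new-2", "new-3", "new-4"}), 2, 0)
T0 = 1_775_000_000  # constructed timestamp
APPROVALS = [("old-1", T0), ("new-1", T0 + 1)]

if __name__ == "__main__":
    print(audit_migration(OLD, NEW), audit_execution(NEW, T0, APPROVALS, T0 + 1))
```

Run against a governance event feed, either function returning a non-empty list for an admin-authority change is grounds to pause and review before the change takes effect.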

Additionally, there is community talk that core members of the Drift team resigned about a month ago, but this is not officially confirmed. It lacks evidence and is currently only speculation and rumor spread by the X (Twitter) community: no specific names have been given, and neither mainstream media nor Drift’s official side has confirmed it. Mainstream news and Drift’s official statements make no mention of any team member resigning a month ago.

Even so, an “inside job” is indeed the theory drawing the most discussion and raising the most doubts in the community at present, even more logical than “an external hacker intrusion.” The team had previously adjusted the multisig mechanism, making the permission structure “too convenient to attack,” which doesn’t look accidental. The attack methods are “too familiar with internal logic,” which doesn’t match the style of external hackers. Also, the official response to such a huge theft has been unusually calm. After the assets were stolen, the fund flows were very clean and clear: quickly swapped into ETH and bridged cross-chain, without flowing into centralized exchanges that are prone to freezing. This whole chain of events and operating logic has led the community’s suspicion of an inside job at Drift to surge.

III. Relevant parties and reactions from the crypto community

After the Drift Protocol stolen-asset incident, relevant parties and the crypto community reacted differently:

  • In the Drift theft, the loss on JLP positions was about $155.6 million. In response, Jupiter’s official account said the platform was not affected by this incident. Its lending product Jupiter Lend did not involve the Drift market, and the JLP assets are “fully supported by underlying assets.” Jupiter also said the incident was a “tough day” for the Solana DeFi ecosystem and expressed concern to the Drift team and affected users.

  • Yield-generating protocol Unitas Protocol tweeted that it was not affected by the Drift Protocol attack incident. Unitas has no exposure on Drift. All collateral is secure, and all strategies (including the JLP delta-neutral strategy) are operating normally. Users’ funds are safe. Collateral can be verified in real time via the Accountable and Primus Labs reserve proof dashboard.

  • Solana liquidity protocol Meteora tweeted that all funds on Meteora are safe, and that all platform functions and treasuries have not interacted with the Drift protocol.

  • Stablecoin infrastructure Perena founder Anna tweeted that its Perena USD*, USD*-J, and USD*-P were not affected by the Drift attack incident. However, the JLP treasury of the Solana ecosystem quant strategy sharing platform Neutral Trade is affected because it runs on Drift Protocol, and the team is maintaining communication with partners and will continue to update progress.

  • X platform user @hzkj99: In the SOL ecosystem, the asset protocol Drift Protocol was hacked and lost hundreds of millions. For anything involving funds, safety is always the top priority—especially in a bear market, where there will definitely be new protocols hacked. This world really is a huge makeshift operation; some protocols can even be hacked multiple times, and Drift is absolutely not the last one

  • X platform user @lanhubiji: Drift Protocol suffered a major exploit with losses on the order of about $270 million, one of the largest DeFi attacks in 2026 so far. Some posts said, very seriously, “The Solana Foundation is coordinating a rollback with the servers in Toly’s (co-founder) basement.” It’s a meme, but that phrasing is a bit too much.

  • X platform user @EnHeng456: In a bear market, keeping money really requires extra caution. The environment is becoming increasingly unsafe, and there are reports of hacks everywhere. Some older protocols also end up having problems specifically in bear markets. You can hardly tell whether it’s a hacker attack or an inside job. I’ve been even more conservative lately—I just keep it honestly in USD1 and don’t put it all over the place anymore. In this kind of market, the more you tinker, the easier it is to run into problems. Sometimes not moving is the best choice. Drift got hacked for $8B and then it went straight into the general’s pocket.

IV. Impact of the Drift Protocol stolen-asset incident

The theft of $285 million in assets from Drift Protocol is the second-largest DeFi attack in Solana ecosystem history. Its impact extends far beyond the protocol itself, dealing a severe blow to confidence in the Solana ecosystem and accelerating DeFi security reforms.

This attack exposed fatal flaws in DeFi projects regarding multisig permission management and oracle security. Permissions are the treasury. Once an administrator key is compromised, and without emergency stop mechanisms like time locks, even complex code logic can suddenly fail. For Drift Protocol, unless the funds are recovered or a major buyer steps in, it will head toward liquidation, bankruptcy, and lawsuits. For Solana and its ecosystem, it means a major hit to ecosystem reputation, short-term capital outflows and slower growth, and in the long run it forces security upgrades. And for the entire DeFi industry, it could be said to be a watershed moment: “permission security is more important than code security” becomes an iron law. Trust costs rise sharply, and DeFi will enter a new stage of more compliant, more transparent, and more centralized (security governance) development.
