Solana-based crypto exchange Drift Protocol was hacked for roughly $280 million yesterday as part of a weeks-long operation that likely used social engineering to compromise a number of multisig signers’ approvals.
On April 1 at 7 pm UTC+1, Drift announced that there was “unusual activity” on the protocol and that users should avoid depositing funds. It stressed, “This is not an April Fools joke.”
This followed X users raising alarms that Drift was being exploited and that the exploit was going to be a sizeable one.
Drift then confirmed that it was under an ongoing attack and that it would have to suspend deposits and withdrawals. Researchers began to speculate that Drift’s private keys had been compromised.
Drift Protocol is experiencing an active attack. Deposits and withdrawals have been suspended. We’re coordinating with multiple security firms, bridges, and exchanges to contain the incident. This isn’t an April Fools joke. We’ll provide more updates from this account as… https://t.co/03SRPq4fHj
— Drift (@DriftProtocol) April 1, 2026
Drift has since shared a detailed timeline of what happened and how.
It said, “This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”
It claims the attack was not caused by a bug in Drift’s programs or smart contracts, that there was no evidence of compromised seed phrases, and that the attack involved unauthorized transaction approvals before the hack’s execution.
However, it admitted that these approvals were likely facilitated by a social engineering attack against its staff and the manipulation of “durable nonce mechanisms.”
What went down with Drift
Durable nonce mechanisms are a type of blockchain tool that can bypass blockhash signing and facilitate offline transaction signing.
Drift claims that on March 23, four durable nonce accounts were created, two of which were associated with Drift Security Council multisig members and two associated with attacker-controlled accounts.
Below is the timeline of events.
March 23: Initial Nonce Setup
Four durable nonce accounts were created:
– Two associated with Drift Security Council multisig members
– Two associated with attacker-controlled accounts
Associated accounts:
a.…
— Drift (@DriftProtocol) April 2, 2026
Then, on March 27, “Drift executed a planned Security Council migration due to a council member change.”
Three days later, another durable nonce account was created for a member of the updated multisig, giving the attackers “effective access to 2/5 signers in the updated multisig.”
Day of execution
Drift claims that on April 1, it executed a test withdrawal from the insurance fund. The attacker then, with access to the multisig approvals, executed “a malicious admin transfer within minutes, gaining control of protocol-level permissions.”
Attackers could then, “Use that control to introduce a malicious asset and remove all pre-set withdrawal limits attacking existing funds.”
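A monitoring check for the nonce setup and pre-signing steps in the timeline above, as an added example that is not Drift's code: it flags nonce accounts whose authority is a watched multisig signer, and durable-nonce transactions that such a signer signs. It assumes transactions shaped like Solana RPC `getTransaction` output with `jsonParsed` encoding and that "associated with" means the signer is the nonce authority; all pubkeys and signatures in the sample are constructed placeholders.

```python
# Added example: flag durable-nonce activity tied to watched multisig signers.
SYSTEM_PROGRAM = "11111111111111111111111111111111"

def _system_ix(ix):
    """Return (type, info) for a parsed System Program instruction, else (None, {})."""
    if ix.get("programId") != SYSTEM_PROGRAM or not isinstance(ix.get("parsed"), dict):
        return None, {}
    return ix["parsed"].get("type"), ix["parsed"].get("info", {})

def nonce_alerts(tx, watched):
    """Return alert tuples for one transaction; `watched` is a set of signer pubkeys."""
    msg = tx["transaction"]["message"]
    sig = tx["transaction"]["signatures"][0]
    signers = {k["pubkey"] for k in msg["accountKeys"] if k.get("signer")}
    alerts = []
    for pos, ix in enumerate(msg["instructions"]):
        kind, info = _system_ix(ix)
        # A nonce account controlled by a council member lets that member sign
        # transactions that stay valid until the nonce is advanced.
        if kind in ("initializeNonce", "authorizeNonce"):
            auth = info.get("newAuthorized") or info.get("nonceAuthority")
            if auth in watched:
                alerts.append(("NONCE_ACCOUNT_FOR_SIGNER", sig, info.get("nonceAccount"), auth))
        # advanceNonce as the first instruction marks a durable-nonce transaction.
        if kind == "advanceNonce" and pos == 0:
            for s in sorted(signers & watched):
                alerts.append(("DURABLE_NONCE_TX_BY_SIGNER", sig, info.get("nonceAccount"), s))
    return alerts

def _tx(sig, keys, ixs):  # builds a constructed sample transaction
    return {"transaction": {"signatures": [sig], "message": {
        "accountKeys": [{"pubkey": k, "signer": s} for k, s in keys],
        "instructions": ixs}}}

def _sys(kind, **info):  # builds a constructed parsed System Program instruction
    return {"programId": SYSTEM_PROGRAM, "parsed": {"type": kind, "info": info}}

WATCHED = {"COUNCIL_A", "COUNCIL_B"}  # constructed placeholder pubkeys
SAMPLE = [  # constructed data, not taken from the incident
    _tx("sig1", [("PAYER_X", True)],
        [_sys("initializeNonce", nonceAccount="NONCE_1", nonceAuthority="COUNCIL_A")]),
    _tx("sig2", [("COUNCIL_A", True), ("PAYER_X", True)],
        [_sys("advanceNonce", nonceAccount="NONCE_1", nonceAuthority="COUNCIL_A"),
         {"programId": "MULTISIG_PROGRAM", "accounts": [], "data": ""}]),
    _tx("sig3", [("COUNCIL_B", True)],
        [_sys("transfer", source="COUNCIL_B", destination="OTHER", lamports=1)]),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(nonce_alerts(t, WATCHED))
```

Run against the signers' keys continuously, an alert of either kind is a prompt to confirm with the signer out of band what they were asked to sign.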
Drift’s partner Circle hasn’t frozen funds
The incident has drawn criticism from the crypto investigator ZachXBT, who took issue with the stablecoin firm Circle and its slow efforts to freeze the stolen funds.
Drift integrated Circle’s Cross-Chain Transfer Protocol (CCTP) in 2023. ZachXBT noted that “Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.”
“6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack,” he said.
Other users have taken issue with the classification of the protocol as “decentralized,” after the attack appears to have exploited centralised mechanisms.
Other users were annoyed that Drift only required two out of the five multisig approvals to action the transaction.
there it is
there’s the culprit
2/5 multisig for a 500M TVL with no time lock is crazy
you’d think it’s 4/5 multisig but nah man these teams are crazy and then they’ll give you a highly technical bs to explain why after users funds are gone
— tobi (@tobific) April 2, 2026
The platform said that it was working alongside security firms, law enforcement, bridges, and exchanges to determine what happened and freeze the stolen assets. It added that a more detailed report will arrive in the coming days.
The Chief Technology Officer for Ledger has already speculated that the events of the hack resemble a similar modus operandi “to the Bybit hack last year, widely attributed to DPRK-linked actors.”
Protos has reached out to Drift for comment and will update this piece should we hear anything back.
