On April 1, 2026, attackers drained approximately USD 285 million in user assets from Drift Protocol, the largest decentralized perpetual futures exchange on Solana. TRM's initial investigation suggests the hack was likely perpetrated by North Korean hackers. The attack did not begin on April 1, as on-chain staging began weeks earlier, on March 11th, with a single withdrawal of 10 ETH from Tornado Cash. The attacker manufactured an entirely fictitious asset called CarbonVote Token with a few thousand dollars in seeded liquidity and wash trading, and Drift's oracles treated it as legitimate collateral worth hundreds of millions of dollars. The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol's last line of defense.