On April 1, 2026, Drift Protocol, the largest decentralized perpetual futures exchange on Solana, suffered a devastating $285 million exploit in what security firms are calling the most sophisticated DeFi attack of the year. The attack, which TRM Labs and Elliptic have attributed to North Korean hackers, involved a meticulously planned three-week operation combining social engineering, oracle manipulation, and governance hijacking. The attackers began staging on March 11 with a 10 ETH withdrawal from Tornado Cash, then created a fake token called CarbonVote (CVT) with minimal liquidity that they wash-traded for weeks to establish a false $1.00 price.
The actual exploit occurred in just 12 minutes, with hackers using compromised administrative keys and Solana's 'durable nonces' feature to pre-sign transactions weeks in advance. They bypassed Drift's multisig security by socially engineering signers into pre-approving hidden authorizations and eliminated the protocol's timelock protections. The fake CVT token was listed as legitimate collateral worth hundreds of millions, allowing the attackers to drain the protocol's core vaults. The stolen funds were immediately bridged to Ethereum and converted to stablecoins, with the laundering speed exceeding even the notorious 2025 Bybit exploit.
The attack's impact extended far beyond Drift itself, affecting over 20 connected protocols in the Solana ecosystem. Drift's total value locked collapsed from $550 million to under $250 million within hours, while the DRIFT token plummeted over 40%. Connected protocols like Carrot Protocol paused operations after losing 50% of their TVL, Pyra Protocol disabled all withdrawals, and Prime Numbers Fi reported millions in losses. This represents the largest DeFi hack of 2026 and the second-largest in Solana's history, behind only the 2022 Wormhole bridge hack.
