Key Highlights
Drift was hit by a major exploit on April 1, with public estimates putting losses at roughly $270 million to $285 million.
Early reporting indicates the attacker gained control over governance-related signing authority and used durable nonce transactions to execute pre-signed instructions after the compromise.
As of April 2, no official public attribution to Lazarus or North Korea had been confirmed by Drift, law enforcement, or a named Elliptic report.
Drift Protocol is facing one of the biggest DeFi exploits of 2026 after attackers drained an estimated $270 million to $285 million from the Solana-based platform on April 1. Drift said it was investigating unusual activity and later confirmed an active attack, while deposits and withdrawals were suspended as the team worked with security firms, bridges, and exchanges.
Early reporting points to a compromise of privileged access rather than a bug in Drift’s core code. The exploit relied on Solana’s durable nonce feature, which lets transactions be signed in advance and executed later. In this case, investigators cited in coverage said that the capability allowed malicious transactions to be queued before detection and executed once the attacker had the required control.
Public estimates of the stolen assets vary because Drift has not yet published a full postmortem or wallet-by-wallet reconciliation. DefiLlama’s hack tracker listed the incident at about $285 million, while other reports cited figures closer to $270 million. Coverage also pointed to large losses in assets, including USDC and JLP, though exact totals may still change as the investigation continues.
