April Fool’s Day Chaos As Drift Protocol Loses $285 Million
What first looked like an unusual on-chain movement quickly turned into one of the largest crypto exploits of 2026, as Drift Protocol saw more than half of its total value locked wiped out within minutes.
The Solana-based perpetuals exchange confirmed an “active attack” soon after alerts surfaced, urging users on X to stop interacting with the platform and stressing the incident was “not an April Fool’s joke”.
Within roughly 12 minutes, over $285 million in assets, including USDC, SOL, JLP and WBTC, had been drained.
Drift’s TVL plunged from about $550 million to below $300 million, while its DRIFT token fell more than 40% during the incident.
Contagion Spreads Across Solana DeFi Ecosystem
The fallout extended rapidly beyond Drift, as multiple protocols with exposure moved to limit damage.
Jupiter Exchange said its JLP pool remained fully backed, helping steady sentiment.
Elsewhere, platforms including DeFi vault platform PiggyBank, stablecoin protocol Reflect Money and Solana-based perpetuals aggregator Ranger Finance paused key functions or assessed losses.
PiggyBank disclosed around $106,000 in exposure and covered users with team funds, while Ranger Finance halted RGUSD activity with potential exposure exceeding $900,000.
Reflect Money suspended minting and redemptions for its stablecoin products but confirmed its insurance coverage remained intact.
Other protocols, including TradeNeutral, GetPyra and Elemental DeFi, temporarily restricted features while running security checks.
How A Fake Token Became Real Money
The exploit relied less on code flaws and more on manipulation of trust mechanisms.
In the weeks leading up to the attack, the perpetrator created a fake asset named “CarbonVote Token” (CVT), minting roughly 750 million tokens.
A small liquidity pool, around $500, was seeded on Raydium, with wash trading used to simulate a stable price close to $1.
That artificial pricing was gradually picked up by oracles, giving the illusion of legitimacy.
On 1 April 2026, a compromised admin key was used to list CVT on Drift as a valid market.
At the same time, withdrawal limits were lifted to extreme levels, effectively removing safeguards.
The attacker then deposited large amounts of CVT as collateral.
Because of the manipulated price feeds, the position appeared highly valuable, allowing 31 rapid withdrawals of real assets.
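The gap between the quoted price and what the pool could actually absorb is the control point here. The sketch below is an added example, not Drift's code: it caps collateral credit by pool depth and flags a listing whose implied market cap dwarfs its liquidity. The CVT figures come from the article; the deposit size, the comparison market, the class and function names, and the thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Market:
    symbol: str
    oracle_price: float        # USD per token reported by the price feed
    pool_liquidity_usd: float  # USD depth of the pool that price comes from
    supply: float              # tokens minted

def collateral_value(m, deposit_tokens, weight=0.8, depth_fraction=0.10):
    """USD credit for a deposit: haircut oracle value, capped by real depth.

    weight and depth_fraction are assumed risk parameters.
    """
    nominal = deposit_tokens * m.oracle_price * weight
    sellable = m.pool_liquidity_usd * depth_fraction
    return min(nominal, sellable)

def listing_flags(m, min_liquidity_usd=1_000_000, max_cap_multiple=100):
    """Pre-listing checks that do not trust the quoted price alone."""
    flags = []
    if m.pool_liquidity_usd < min_liquidity_usd:
        flags.append("thin_liquidity")
    # Implied market cap far above pool depth: the price cannot be realised.
    if m.oracle_price * m.supply > max_cap_multiple * m.pool_liquidity_usd:
        flags.append("price_not_backed_by_depth")
    return flags

# Figures from the article: ~750M tokens, ~$500 pool, price near $1.
CVT = Market("CVT", 1.00, 500, 750_000_000)
# Constructed comparison market with deep liquidity (assumption).
DEEP = Market("DEEP", 1.00, 50_000_000, 1_000_000_000)

if __name__ == "__main__":
    # Deposit sizes are constructed for illustration.
    for m, deposit in ((CVT, 500_000_000), (DEEP, 1_000_000)):
        print(m.symbol, listing_flags(m), collateral_value(m, deposit))
```

With the cap in place, a deposit of hundreds of millions of CVT is credited with tens of dollars, because that is all the pool could return on liquidation.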
Six Months Of Infiltration Behind The Scenes
Drift later revealed the breach was not sudden, but the result of a long-running social engineering campaign.
The attackers reportedly approached contributors as early as October 2025 at a major crypto conference, posing as a quantitative trading firm interested in integration.
Over months, they built credibility through repeated in-person meetings and technical discussions.
The team said,
“They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated.”
The group eventually gained trust, introducing malicious tools and links that compromised contributor devices.
Evidence suggests malware may have been delivered through a shared code repository or a TestFlight app disguised as a wallet product.
Drift described the operation as “a structured intelligence operation requiring organisational backing, significant resources, and months of deliberate preparation.”
Links To Earlier Hacks Raise Alarms
With support from security teams, Drift said it has “medium-high confidence” the attack is linked to the same actors behind the Radiant Capital hack of October 2024.
That earlier incident involved malware distributed via Telegram, attributed to a North Korea-aligned group.
Drift noted similar patterns in both fund flows and operational tactics.
While the individuals encountered at conferences were not North Korean nationals, the protocol said such actors often rely on intermediaries for face-to-face engagement.
Investigations are ongoing, with Mandiant leading forensic analysis.
Funds Moved Fast As Criticism Mounts
After the exploit, assets were consolidated, swapped into USDC and SOL, and partially bridged to Ethereum via Circle’s Cross-Chain Transfer Protocol.
On-chain investigator ZachXBT criticised the response, saying:
“Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours. Value was moved and nothing was done yet again.”
He argued that the firm had both the ability and precedent to freeze funds but failed to act quickly enough, contrasting it with earlier enforcement actions in unrelated cases.
Governance Gaps And Missed Safeguards Exposed
Investigators found the exploit was enabled by a mix of governance weaknesses and operational gaps.
A multisig setup had reportedly been changed to a 2/5 structure weeks earlier without a timelock, while recent updates, including the CVT listing, were not fully stress-tested.
https://x.com/DriftProtocol/status/2040611161121370409
Despite passing audits by Trail of Bits in 2022 and ClawSecure in February 2026, these changes created an opening that the attacker exploited.
Drift has since frozen protocol functions, removed compromised wallets, and flagged attacker addresses with exchanges and bridge operators as recovery efforts continue.
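The governance gaps described above (a 2/5 multisig, no timelock, and a market listing executed alongside a withdrawal-limit increase) can be expressed as review rules over an admin-action log. This is an added example, not Drift's tooling: the record format, rule names, policy values and every timestamp are constructed assumptions.

```python
from datetime import datetime as dt, timedelta

MIN_DELAY = timedelta(hours=24)   # assumed minimum timelock for sensitive actions
MIN_THRESHOLD = 3                 # assumed minimum signer threshold
PAIR_WINDOW = timedelta(hours=1)  # assumed correlation window
SENSITIVE = {"change_multisig", "list_market", "raise_withdraw_limit"}

def review(actions):
    """Return (rule, action_ids) findings for a list of admin-action records."""
    findings = []
    for a in actions:
        if a["kind"] not in SENSITIVE:
            continue
        if a["executed"] - a["queued"] < MIN_DELAY:
            findings.append(("no_timelock", (a["id"],)))
        if a["threshold"] < MIN_THRESHOLD:
            findings.append(("low_threshold", (a["id"],)))
    # A new market plus a lifted withdrawal limit in one window removes two
    # independent safeguards at once, so treat the pair as its own finding.
    listings = [a for a in actions if a["kind"] == "list_market"]
    raises = [a for a in actions if a["kind"] == "raise_withdraw_limit"]
    for l in listings:
        for r in raises:
            if abs(l["executed"] - r["executed"]) <= PAIR_WINDOW:
                findings.append(("listing_with_limit_raise", (l["id"], r["id"])))
    return findings

# Constructed sample log; ids, dates and times are illustrative only.
ACTIONS = [
    {"id": "A1", "kind": "change_multisig", "threshold": 2,
     "queued": dt(2026, 3, 10, 9, 0), "executed": dt(2026, 3, 10, 9, 0)},
    {"id": "A2", "kind": "list_market", "threshold": 2,
     "queued": dt(2026, 4, 1, 14, 0), "executed": dt(2026, 4, 1, 14, 0)},
    {"id": "A3", "kind": "raise_withdraw_limit", "threshold": 2,
     "queued": dt(2026, 4, 1, 14, 5), "executed": dt(2026, 4, 1, 14, 5)},
    {"id": "A4", "kind": "update_fee", "threshold": 2,
     "queued": dt(2026, 4, 1, 15, 0), "executed": dt(2026, 4, 1, 15, 0)},
]

if __name__ == "__main__":
    for rule, ids in review(ACTIONS):
        print(rule, ids)
```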