TL;DR
- On April 1, 2026, Solana’s Drift Protocol was drained of $285 million (over 50% of its TVL) in a highly coordinated attack likely linked to North Korean (DPRK) actors. Preliminary on-chain indicators are consistent with previously attributed DPRK operations, though formal attribution remains pending.
- According to Drift’s post-mortem, which has not yet been independently verified by a completed third-party investigation, attackers spent months building relationships with the Drift team. The attackers then used Solana’s “durable nonces” feature to get Drift Security Council members to unknowingly pre-sign transactions that eventually handed over admin control.
- Once in control, the attackers whitelisted a worthless, artificially priced fake token (CVT) as collateral. They deposited 500 million CVT and used it to withdraw $285 million in real assets like USDC, SOL, and ETH.
- Because the transactions carried valid signatures from authorized signers, signature-based checks did not flag them. The incident highlights the need for pre-execution evaluation tools, such as Hexagate’s GateSigner, that evaluate what a transaction does rather than only who signed it, and can block abnormal activity in real time.
On April 1, 2026, Drift Protocol, the largest DeFi protocol on the Solana network, suffered the largest hack of the year so far and the second-largest security failure in Solana’s history. Beginning at approximately 16:05 UTC, an attacker gained admin control of the Drift protocol and proceeded to drain an estimated $285 million from its vaults over the following hours, wiping out more than 50% of its total value locked (TVL).
Strong signals from Drift’s investigation so far indicate that the attack is linked to actors associated with the Democratic People’s Republic of Korea (DPRK), though this is yet to be confirmed. If it is confirmed, this incident would be part of a broader DPRK campaign that has extracted billions from the crypto ecosystem in recent years.
But what’s now becoming clear is that this was a long-term, highly coordinated operation. On-chain evidence confirms that staging began as early as March 10-11, 2026, when funds were withdrawn from Tornado Cash to help finance part of the attack infrastructure. According to findings shared by Drift, the social engineering campaign may have begun as early as Fall 2025.
Once the initial planning stages were complete, the attackers gained control over the administrative permissions held by the protocol’s Security Council, a small group of trusted individuals who hold multisig signing privileges. Once that happened, the rest of the attack unfolded to devastating effect.
As DeFi infrastructure grows more layered and operationally complex, incidents like this highlight that the greatest risks are no longer just in smart contracts, but in the systems and people that surround them.
How the attack played out
The following account is based on Drift’s own investigation and has not yet been independently verified as of the time of publication.
Step 1: Months of planning
Individuals posing as a quantitative trading firm approached Drift contributors at major crypto conferences, initiating what appeared to be legitimate integration discussions. Over the following six months, they maintained ongoing contact across Telegram, working sessions, and in-person meetings at multiple global events.
The threat actors behaved like real users: they onboarded a vault on Drift, deposited over $1 million of capital, participated in detailed strategy and product discussions, and built trust over time with multiple contributors. This was relationship-building designed to gain proximity and credibility inside the ecosystem while clandestinely infiltrating Drift’s systems through social engineering. Drift’s investigation suggests that the likely mechanics, and several of the possible intrusion vectors, trace back to these social engineering techniques.
Step 2: Creating the fake ‘CVT’ token
Weeks before the attack, on March 12, the attacker created a fake token called CarbonVote Token (CVT) and kept around 80% of its supply, which meant they could fully control how it traded.
Then, they created a small trading pool with around $500 of real liquidity and traded CVT back and forth between their own wallets to create the illusion of real market activity and a stable price of around $1. To an outside system, this looked like a token with real demand and a real price.
This fake activity was then picked up by a price oracle (which the attacker also controlled), and that oracle started reporting CVT as being worth around $1. From the protocol’s perspective, CVT had a price, a trading history, and looked like a legitimate asset.
Step 3: Exploiting Solana’s ‘Durable Nonce’ system
Between March 23 and 30, 2026, the attacker prepared the next stage, using a feature on Solana called durable nonces.
In simple terms, a normal Solana transaction references a recent blockhash and expires within roughly a minute if it is not submitted. A durable nonce replaces that blockhash with a value stored in an on-chain nonce account, so a transaction can be signed in advance, held offline, and submitted days or even weeks later; it stays valid until the nonce is advanced. Think of it like signing a check today and leaving it somewhere to be cashed later.
The attacker created several of these “delayed transactions” and then, through social engineering, got real Drift Security Council members to sign them. At the time, these transactions appeared harmless or routine. But in reality, these transactions contained instructions to transfer administrative control of the protocol to an attacker-controlled address. Instead of stealing keys directly, the attacker got legitimate signers to unknowingly pre-approve the attack in advance.
Here’s how it likely unfolded:
- On March 23, the attacker created multiple durable nonce accounts, some tied to legitimate Drift Security Council members.
- Through social engineering, at least two council members signed transactions they did not fully understand (a classic case of blind signing).
- On March 26, Drift migrated to a new 2/5 threshold Security Council multisig with zero timelock, eliminating the delay window that could have allowed detection and intervention. On-chain records show that the attackers obtained signatures from signers on the new multisig as well, re-establishing the 2/5 quorum needed for admin actions.
- On April 1, the attacker triggered the pre-signed durable nonce transactions. Because they were already validly signed by authorized signers, the network treated them as legitimate. The attackers didn’t need to break the system at the moment of execution, since they had already done the hard work days earlier.
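The distinguishing feature of a durable-nonce transaction is visible in the message bytes before anyone signs: the first instruction must be the System Program’s AdvanceNonceAccount, and the “recent blockhash” field carries the stored nonce instead of a real blockhash. The following is an added example, not code from Drift or Hexagate, of the kind of pre-signing inspection a Security Council signer (or a signing proxy) could run on a raw legacy Solana message. It parses the wire format directly in Python so it runs offline; every key, the “admin program”, its `set_admin` discriminator and the two sample messages are constructed placeholders, not real Drift addresses or instruction layouts.

```python
"""Pre-signing inspection of a Solana legacy transaction message.

Added example, not Drift's or Hexagate's code. Reports, before signing:
  1. whether this is a durable-nonce transaction (first instruction is the
     System Program's AdvanceNonceAccount, so the signature never expires);
  2. whether any instruction matches an action the signer declared sensitive.
Keys, the admin program and its discriminator are constructed placeholders.
"""
import struct

SYSTEM_PROGRAM = bytes(32)   # pubkey 11111111111111111111111111111111
ADVANCE_NONCE_ACCOUNT = 4    # SystemInstruction enum index, serialized as u32 LE
TRANSFER = 2


def _compact_u16(n):
    """Encode a Solana compact-u16 (shortvec) length prefix."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def _read_compact_u16(buf, pos):
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def parse_message(msg):
    """Parse header, account keys, blockhash/nonce and instructions of a legacy Message."""
    num_signers = msg[0]               # msg[1], msg[2] are the read-only counts
    pos = 3
    n_keys, pos = _read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash = msg[pos:pos + 32]      # a stored nonce value for durable-nonce txs
    pos += 32
    n_ix, pos = _read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx = msg[pos]
        pos += 1
        n_acc, pos = _read_compact_u16(msg, pos)
        acc_idx = msg[pos:pos + n_acc]
        pos += n_acc
        n_data, pos = _read_compact_u16(msg, pos)
        data = msg[pos:pos + n_data]
        pos += n_data
        instructions.append({"program": keys[prog_idx],
                             "accounts": [keys[i] for i in acc_idx],
                             "data": data})
    return {"num_signers": num_signers, "keys": keys,
            "blockhash_or_nonce": blockhash, "instructions": instructions}


def is_durable_nonce(parsed):
    """Runtime rule: durable nonce iff instruction 0 is System::AdvanceNonceAccount."""
    ixs = parsed["instructions"]
    if not ixs or ixs[0]["program"] != SYSTEM_PROGRAM or len(ixs[0]["data"]) != 4:
        return False
    return struct.unpack("<I", ixs[0]["data"])[0] == ADVANCE_NONCE_ACCOUNT


def inspect(msg, sensitive):
    """sensitive: {program_id: {discriminator_prefix: label}} -> list of findings."""
    parsed = parse_message(msg)
    findings = []
    if is_durable_nonce(parsed):
        findings.append("DURABLE_NONCE: valid until the nonce is advanced, not ~1 minute")
    for ix in parsed["instructions"]:
        for disc, label in sensitive.get(ix["program"], {}).items():
            if ix["data"].startswith(disc):
                findings.append("SENSITIVE_ADMIN_ACTION: " + label)
    return findings


def build_message(num_signers, keys, blockhash, instructions):
    """Serialize a legacy Message; instructions are (program, [accounts], data)."""
    msg = bytearray([num_signers, 0, 0]) + _compact_u16(len(keys)) + b"".join(keys) + blockhash
    msg += _compact_u16(len(instructions))
    for prog, accs, data in instructions:
        msg.append(keys.index(prog))
        msg += _compact_u16(len(accs)) + bytes(keys.index(a) for a in accs)
        msg += _compact_u16(len(data)) + data
    return bytes(msg)


# Constructed placeholder keys (not real addresses).
SIGNER = bytes([1] * 32)                   # a council member's key
NONCE_ACCOUNT = bytes([2] * 32)
RECENT_BLOCKHASHES_SYSVAR = bytes([3] * 32)
ADMIN_PROGRAM = bytes([4] * 32)            # hypothetical protocol admin program
NEW_ADMIN = bytes([5] * 32)
SET_ADMIN = b"\x07"                        # hypothetical "set_admin" discriminator
SENSITIVE = {ADMIN_PROGRAM: {SET_ADMIN: "set_admin (transfers protocol authority)"}}

# Looks routine to a signer who only checks "who": nonce advance, then an admin transfer.
ATTACK_MSG = build_message(
    1, [SIGNER, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, NEW_ADMIN, SYSTEM_PROGRAM, ADMIN_PROGRAM],
    bytes([7] * 32),                       # stored nonce value in the blockhash slot
    [(SYSTEM_PROGRAM, [NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, SIGNER],
      struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
     (ADMIN_PROGRAM, [SIGNER, NEW_ADMIN], SET_ADMIN + NEW_ADMIN)])

# Ordinary transfer referencing a recent blockhash: expires in about a minute.
BENIGN_MSG = build_message(
    1, [SIGNER, NEW_ADMIN, SYSTEM_PROGRAM], bytes([9] * 32),
    [(SYSTEM_PROGRAM, [SIGNER, NEW_ADMIN], struct.pack("<IQ", TRANSFER, 1_000_000))])

if __name__ == "__main__":
    print(inspect(ATTACK_MSG, SENSITIVE))  # durable nonce + sensitive admin action
    print(inspect(BENIGN_MSG, SENSITIVE))  # []
```

The check has to run at signing time: once the signature exists, the validator’s durable-nonce rule makes the transaction valid by design, which is exactly why the April 1 submission raised no on-chain objection. A real deployment would also decode versioned (v0) messages and use the protocol’s actual instruction discriminators rather than the placeholders above.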
On April 1, 2026 at 16:05:18 UTC, the first pre-signed transaction was submitted: a proposal to transfer the admin key to the attacker-controlled address, H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL.
One second later, at 16:05:19 UTC, the second transaction approved and executed it. Within two transactions, executed just one second apart, the attacker had full administrative control. Withdrawal limits were removed, vault permissions were overridden, and funds began moving.
Step 4: Drain real funds using fake collateral
With admin-level control, the attacker initiated withdrawals that appeared legitimate. And because the transactions were signed with valid authority, there were no on-chain safeguards to stop them.
Once the attacker had full control, the next move was to list the fake asset inside the protocol with deliberately chosen parameters: CVT was enabled as collateral, its borrowing limits were set extremely high, and risk parameters were loosened to the point that the system would not question its value. The protocol accepted these changes without resistance, since every action came from a validly authorized admin key.
With the protocol reconfigured, the attacker deposited 500 million CVT. Because of the artificial price they had carefully manufactured weeks earlier, the system believed this deposit was worth roughly $500 million. On the surface, everything checked out — the token had a price and a trading history, and the collateral appeared sufficient.
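To see why a price alone says nothing about what collateral is worth, here is an added example (not Drift’s risk engine) that values the CVT deposit two ways: at the oracle price, and at what a liquidator could actually recover by selling the position into the pool that backs it. The $1 quote, roughly $500 of real liquidity, 500 million CVT deposit and 20-day token age come from this article; the exact pool reserves, the proposed borrow cap and the policy thresholds are assumptions chosen for illustration.

```python
"""Oracle value vs. executable value of thin-liquidity collateral.

Added example, not Drift's risk engine. Page figures: CVT quoted at ~$1 by an
attacker-controlled oracle, ~$500 of real pool liquidity, 500 million CVT
deposited, token ~20 days old. Pool reserves, the proposed borrow cap and the
policy thresholds below are assumptions.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    token_reserve: float   # collateral token held by the pool
    quote_reserve: float   # USDC held by the pool

    def spot_price(self):
        return self.quote_reserve / self.token_reserve

    def proceeds_of_selling(self, amount):
        """USDC received for selling `amount` tokens into an x*y=k pool (no fee)."""
        k = self.token_reserve * self.quote_reserve
        return self.quote_reserve - k / (self.token_reserve + amount)


def oracle_value(amount, oracle_price):
    """What a naive risk engine books: amount * reported price."""
    return amount * oracle_price


def executable_value(amount, pool):
    """What a liquidator could actually recover by selling the whole position."""
    return pool.proceeds_of_selling(amount)


def review_collateral_listing(amount, oracle_price, pool, borrow_cap_usd, token_age_days,
                              min_age_days=30, max_cap_to_depth=0.5, max_oracle_to_exec=2.0):
    """Policy check a pre-execution guard could apply to a 'list collateral' admin
    action. Returns (ok, reasons); thresholds are assumed, not Drift's."""
    reasons = []
    ov = oracle_value(amount, oracle_price)
    ev = executable_value(amount, pool)
    if token_age_days < min_age_days:
        reasons.append(f"token is {token_age_days} days old (< {min_age_days})")
    if borrow_cap_usd > max_cap_to_depth * pool.quote_reserve:
        reasons.append(f"borrow cap ${borrow_cap_usd:,.0f} exceeds {max_cap_to_depth:.0%} "
                       f"of pool depth ${pool.quote_reserve:,.0f}")
    if ov > max_oracle_to_exec * ev:
        reasons.append(f"oracle value ${ov:,.0f} is {ov / ev:,.0f}x the executable "
                       f"value ${ev:,.2f}")
    return (not reasons, reasons)


# Constructed scenario matching the article's figures.
CVT_POOL = ConstantProductPool(token_reserve=500.0, quote_reserve=500.0)  # ~$1 spot, ~$500 depth
CVT_DEPOSIT = 500_000_000
CVT_ORACLE_PRICE = 1.0
PROPOSED_BORROW_CAP = 300_000_000   # assumed; the article says limits were set extremely high
CVT_AGE_DAYS = 20

if __name__ == "__main__":
    print(oracle_value(CVT_DEPOSIT, CVT_ORACLE_PRICE))   # 500,000,000 booked by the oracle
    print(executable_value(CVT_DEPOSIT, CVT_POOL))        # just under 500 actually recoverable
    print(review_collateral_listing(CVT_DEPOSIT, CVT_ORACLE_PRICE, CVT_POOL,
                                    PROPOSED_BORROW_CAP, CVT_AGE_DAYS))
```

Dumping the whole 500 million CVT into a pool with $500 of quote liquidity returns just under $500, so the position the oracle books at $500 million is worth about a million times less when liquidated. Capping a collateral’s borrow limit to a fraction of the real liquidity behind it, rather than to its oracle-reported value, is the parameter-level check that makes a $1 wash-traded price useless to an attacker.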
From there, the attacker began withdrawing real assets in a sustained sequence of transactions across multiple vaults. At least 18 different token types were drained, including USDC ($71.4 million), JLP ($159.3 million), cbBTC ($11.3 million), USDT ($5.6 million), USDS ($5.3 million), WETH ($4.7 million), dSOL ($4.5 million), WBTC ($4.4 million), FARTCOIN ($4.1 million), JitoSOL ($3.6 million), and several other assets.
The initial burst of the largest withdrawals occurred within the first few minutes, but on-chain evidence shows that drainage transactions continued for approximately 2.5 hours, with the last confirmed drain at 18:31 UTC.
Even as the drainage was still underway, the attackers began moving funds off Solana:
- Tokens were swapped into USDC
- Funds were bridged to Ethereum with the first bridge arrival approximately 23 minutes after the admin takeover
- Assets were consolidated through decentralized exchanges and then converted into ETH
This overlapping sequence of drainage and laundering demonstrated a high degree of operational coordination and made real-time intervention significantly more challenging.
A ripple effect across the ecosystem
While Drift was the primary target, the consequences didn’t stop there. Due to the interconnected nature of Solana DeFi, the incident spread outward, and other protocols that rely on Drift’s liquidity, vaults, or strategies were also exposed.
As of the time of this writing, at least 20 protocols have reported disruptions, pauses, or losses. Many of these teams paused functionality while assessing their exposure, and some began exploring user reimbursements.
Where real-time defense could have made a difference
Incidents like this highlight the limits of manual intervention. Even when an exploit unfolds over hours rather than seconds, the initial admin takeover can be irreversible once executed. This is exactly where real-time on-chain threat detection and response systems like Hexagate come into play.
Real-time monitoring could flag:
- unusual admin-triggered withdrawals;
- rapid, repeated high-value transactions;
- and activity patterns inconsistent with normal operations.
But detection alone isn’t enough. Automated responses are also crucial in preventing the impact of attacks. With automated controls in place, it’s possible to:
- pause contracts when critical thresholds are exceeded, such as rapid large-scale withdrawals across multiple vaults;
- block suspicious transactions;
- and trigger circuit breakers on abnormal activity.
In Drift’s case, the absence of automated controls meant that, even though vault drainage continued for over two hours, no circuit breaker was triggered. Automated pre-execution checks could have flagged or blocked the abnormal admin transfer before the drainage ever began.
How GateSigner could have stopped this type of attack
What made the Drift exploit so effective is that nothing looked obviously malicious. Every action was technically valid and even the collateral appeared legitimate. This is precisely the kind of scenario where Hexagate’s GateSigner adds a critical layer of defense.
Instead of only checking who signed a transaction, GateSigner evaluates what the transaction is doing before it executes.
In the case of Drift, even though the attacker had obtained legitimate signatures, the underlying intent of those transactions was highly abnormal. GateSigner can be configured to act on these signals in real time. For example, it could:
- block or require additional approvals for sensitive admin actions, such as transferring protocol authority to a newly created address;
- reject transactions involving suspicious or newly listed collateral. In Drift’s case, CVT had been created just 20 days earlier, had virtually no real liquidity, and was suddenly whitelisted with extreme borrowing limits.
Learn more about how Hexagate’s real-time on-chain threat detection monitors and automated response can help protect you from being a victim of the next big heist, or request a demo today.
FAQs
How did the attackers gain admin control of Drift Protocol?
According to Drift’s findings, the attackers spent months posing as a quantitative trading firm to build trust with Drift contributors. They then exploited Solana’s “durable nonces” system — a feature allowing transactions to be signed for later execution — to trick legitimate Security Council members into blindly pre-signing dormant transactions. When triggered, these transactions silently transferred admin control to the attackers.
What was the CVT token and how was it used to steal funds?
CVT (CarbonVote Token) was a fake asset created by the attackers on 12 March 2026, with a total supply of 750 million tokens. They seeded a small Raydium liquidity pool and wash-traded CVT to anchor its price at ~$1, while also deploying a price oracle they controlled to feed that artificial price to Drift. After gaining admin control of Drift, they changed the protocol’s parameters to accept CVT as collateral with effectively unlimited borrowing limits. They deposited their worthless CVT and drained real assets against it.
Did this hack impact other protocols on Solana?
Yes. Due to the highly interconnected, composable nature of DeFi, the exploit had a massive ripple effect. At least 20 other protocols that relied on Drift’s liquidity, strategies, or vaults experienced disruptions, pauses, or direct financial exposure.
Could this hack have been stopped if the signatures were technically valid?
Yes, if the protocol had utilized real-time, intent-based security. Solutions like Hexagate’s GateSigner evaluate what a transaction does before it executes, rather than just checking who signed it. GateSigner can flag abnormal intent, such as sudden extreme parameter changes or suspicious new collateral, and block the transaction.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and assumes no obligation to update any forward-looking statements to reflect any circumstances that may arise after the date such statements are made, and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.