Drift Protocol Hit by Massive Exploit, $270M Liquidity Wiped

4/2/2026
by Denislav Manolov
Crypto Expert at Airdrops.com

Attack Drains Hundreds of Millions in Minutes

Drift Protocol has been hit by a devastating exploit, with losses estimated at over $270 million in liquidity within a very short timeframe. What initially appeared as suspicious on-chain activity quickly escalated into one of the largest DeFi attacks of the current crypto cycle.

The exploit was first flagged by Mert Mumtaz, who noticed abnormal outflows and called for immediate investigation. Within just an hour, the protocol had lost nearly 50% of its total liquidity, confirming the scale of the breach.

Full Account Control Enabled the Drain

Early signs point to a critical compromise that gave the attacker near-complete control over a Drift account. This allowed them to systematically drain multiple asset pools without immediate resistance.

The attacker moved a wide range of assets, including Solana, USDC, Wrapped Ether, and wrapped versions of Bitcoin, along with several ecosystem tokens tied to the platform.

One of the most alarming signals came from a transaction involving 10,000 SOL sent to a fresh wallet, followed by continuous draining activity across additional supported assets. The attacker even minted a new token mid-exploit, seemingly to mock the protocol and demonstrate control.

Drift Protocol confirmed the breach and warned users to stop interacting with the platform immediately, while Phantom Wallet temporarily blocked access to limit further exposure.

Funds Rapidly Laundered Across Chains

The attacker wasted no time moving funds through multiple layers of DeFi infrastructure. Assets were quickly routed through cross-chain and liquidity platforms, including swaps into USDC via Chainflip and transfers through Solana-based venues such as Raydium, Orca, and Meteora.

Some funds were bridged to Ethereum wallets, likely preparing for mixing and further obfuscation. While stablecoins like USDC could theoretically be frozen by issuer Circle, the speed of execution significantly reduces recovery chances unless immediate action is taken.

A Carefully Planned Exploit

Evidence suggests the attack was highly coordinated and prepared in advance. On-chain researchers identified test transactions conducted roughly a week before the exploit, indicating that the attacker had already mapped out vulnerabilities.

The exploit appears to have involved admin-level access, allowing the attacker to change critical permissions and effectively lock out the Drift team during the incident. This prevented any real-time mitigation and enabled uninterrupted draining of funds.

Bigger Than Previous DeFi Hacks

The scale of the attack puts it ahead of recent major exploits. It surpasses the 2025 breach of Cetus Protocol, which resulted in losses exceeding $223 million.

Before the incident, Drift Protocol held more than $550 million in total value locked and facilitated around $70 million in daily trading volume, making it a prime target for attackers seeking high-impact exploits.

Token Impact and Ecosystem Risk

The market reacted immediately. DRIFT dropped around 10%, reflecting the loss of confidence and ongoing uncertainty surrounding the protocol’s recovery.

The attacker now controls portions of multiple assets, including a notable share of FARTCOIN supply, raising concerns about further price manipulation and cascading effects across connected DeFi protocols. Wrapped assets like BTC and ETH could also create pricing imbalances if dumped aggressively.

Security Gaps Under Scrutiny

Post-incident analysis revealed critical weaknesses in Drift’s setup. The protocol reportedly lacked a CertiK audit, and governance vulnerabilities may have opened the door to the exploit.

While audits are not foolproof, they often eliminate obvious attack vectors, and their absence has now become a focal point in the investigation.

DeFi Remains a High-Risk Battlefield

This exploit highlights a harsh reality: DeFi is still highly vulnerable despite growing maturity. Even large, well-used protocols with significant liquidity can fall victim to sophisticated attacks, especially when governance or access controls are compromised.
