$285 million, the largest on-chain attack of the year, or still the age-old private key issue
On April 1, 2026, at 4:00 PM UTC, the Drift Protocol Treasury's total assets were $309 million. One hour later, only $41 million remained.
This is not an April Fools' joke. The Drift team had to make it clear themselves — "This is not an April Fools' joke." But when faced with on-chain data, the only difference between a joke and a disaster is whether the money is still there.
What Happened
Around 4:00 PM UTC on April 1, blockchain monitoring agencies LookIntoChain and PeckShield almost simultaneously captured abnormal signals: a wallet, HkGz4K..., created just eight days ago, began massively transferring assets from multiple Drift treasuries. The first transaction involved 41.7 million JLP tokens valued at approximately $155.6 million.
The attacker systematically emptied Drift's JLP Delta Neutral, SOL Super Staking, and BTC Super Staking core treasuries, involving over 15 different tokens — USDC, SOL, cbBTC, wBTC, liquidity pool tokens, and even the meme coin Fartcoin was not spared. Approximately $270 million to $285 million in assets were drained in one hour.

PeckShield provided a preliminary assessment: administrator private key leak. The attacker obtained the protocol's privileged management key, allowing them not only to invoke the treasury withdrawal function but also to change the administrator key itself — equivalent to changing the lock and leaving the original owner locked out. The Drift team couldn't even urgently freeze the contract after the attack occurred.
This is the oldest form of attack. Not a flash loan arbitrage, not oracle manipulation, not smart contract logic vulnerability. It's simply a case of a key falling into the wrong hands.
Attacker's Retreat Route
More noteworthy than the intrusion is the attacker's exit strategy.
After siphoning the assets, the attacker swiftly converted various tokens to USDC via the Jupiter Aggregator and then bridged to Ethereum. As of UTC 5:49 PM, the attacker had purchased 19,913 ETH (approximately $42.6 million); by 6:17 PM, this number had doubled to 38,820 ETH (approximately $82.66 million). Simultaneously, another portion of SOL was directly deposited into Binance and HyperLiquid.
Multi-chain decentralization, multi-platform off-ramping, real-time hedging. This is not a spur-of-the-moment hacker, but a carefully rehearsed exit plan.
The Gravity of Drift
Drift is not an obscure protocol.
Co-founded by Cindy Leow and David Lu in 2021, it is the largest decentralized perpetual contract exchange in the Solana ecosystem. In early 2024, Polychain Capital led a $23.5 million Series A funding round, bringing the total funding to $52.3 million. As of the incident, Drift had a cumulative trading volume exceeding $55 billion, a total locked value surpassing $1 billion, and over 200,000 active traders.
In a 2024 interview with Fortune, Cindy Leow said she wanted to make Drift the "Robinhood of the crypto world." Now, this analogy has acquired a new, less favorable connotation—Robinhood froze user trading during the 2021 GameStop incident, while Drift had its own administrative powers frozen by attackers.
This also marks the largest security incident in the Solana ecosystem since the $325 million hack of the Wormhole cross-chain bridge in 2022.
The Age-Old Issue of DeFi Security
Placing the Drift incident in the annals of history, the scene is all too familiar.
In 2022, the Ronin Bridge was hacked for $625 million—compromised validator node keys. In February 2025, Bybit was breached for $1.4 billion—an injection of malicious code into the Safe{Wallet} frontend, essentially still a breakdown in the key management chain. Now, it's Drift, following the same script: compromised administrator keys, protocol compromised.
The $285 million stolen ranks around fifth or sixth on the DeFi hacks leaderboard. But the magnitude is no longer the focal point. The central point is that decentralized protocols repeatedly falter at the same juncture—not in code logic, not in cryptography, but in who holds the key to everything and how.
A perpetual contract protocol sells permissionless financial freedom. However, when a single admin key can empty all vaults within an hour, who exactly do the four words "permissionless financial freedom" protect?
Aftermath and Suspense
The Drift team quickly halted the deposit/withdrawal functionality post-incident and stated they were coordinating with "multiple security firms, cross-chain bridges, and exchanges" to track the funds. However, as of the time of writing, there has been no news of any funds successfully being frozen or recovered.
The DRIFT token plunged over 25% after the news broke, dropping from around $0.072 to $0.055. DeFi Development Corp. (a company holding a significant amount of SOL listed on DAT) promptly clarified that they had no association with Drift.
The attacker's wallet remains active. On-chain data shows that the assets are still being continuously swapped and dispersed. This is an ongoing exit scam.
Several key questions remain unanswered: How was the admin private key leaked? Was it due to operational oversight, a social engineering attack, or insider involvement? The attacker created a wallet eight days before the incident and conducted small transactions on OKX and Jupiter—was this a probe or part of a larger plan? Is there a possibility of the funds moved to centralized exchanges being frozen?
On April 1st, a wallet created just eight days prior unlocked the entire treasury of the largest perpetual contracts platform on Solana with a single admin key. The entire process took less than an hour. On-chain, the relationship between locks and keys has never been merely metaphorical.
You may also like
Strategy Founder: The Next 10 Years of Bitcoin
Forbes Special Report: Stablecoin cross-border payments are faster now, but not cheaper yet
Li Feifei's latest long article: When video generation, robots, and NVIDIA all claim to be world models, we need a taxonomy
Blaming the desolation of the cryptocurrency world on the rise of AI is a form of intellectual laziness
The impact of OUSD on Circle, Tether, and Paxos: not a single negative factor, but a more complex reshaping of competition
A valuation of 8 billion dollars, doubling in 8 months! What makes the crypto-friendly bank Erebor Bank stand out?
340 billion valuation: Li Yanhong's largest IPO, a seat in Kunlunxin's shares is hard to come by
Stablecoins are the "royalists" of the crypto world: Open USD brings the old currency system into play
Cape Verde 2-3 Argentina: The Underdog Team That Stunned the World in Defeat
Cape Verde's run ended in a 3-2 defeat to Argentina, but their journey — three unbeaten draws, one heroic goalkeeper, and a fight that pushed the defending champions to the brink — is the kind of story markets recognize too: small caps can rattle blue chips long before anyone expects it.
Semiconductor stocks plummet, yet Anthropic wants to create a 2nm chip
Where is Zhao Changpeng's billion-dollar investment going? YZi Labs' investment landscape fully revealed
Ethereum Foundation Report: A Basic Guide to Ethereum for Governments and Financial Institutions
A pre-announced harvesting case: After the cryptocurrency price dropped by 99%, the public chain Saga exited to transform into AI
When American giants collectively "defect" from Chinese AI models
BIS Report Compliance Observation: The Real Risks of Stablecoins, Not Just "Depegging"
Portugal 2-1 Croatia: Ronaldo's 20-Year Knockout-Stage Drought Ends With a Debt Finally Collected
Portugal beat Croatia 2-1 in the 2026 global football championship's knockout rounds as Ronaldo scored his first-ever knockout-stage goal, Gonçalo Ramos struck a stoppage-time winner, and VAR ruled out a late equalizer for offside.



