
Drift Protocol Hit by $280M Exploit: Lazarus Group Likely Behind This, Circle Facing Tough Questions
On April 2, 2026, the second-largest hack in the history of Solana was recorded. The event destroyed much of the institutional trust that had been built up around a major hub for DeFi. While a figure like $280 million is certainly staggering, the damage to the platform's reputation is much harder to put a specific number on.
Back on April 1, 2026, the team at Drift had to post on X to let everyone know that the unusual activity they were seeing wasn't an April Fools' joke. In only 12 minutes, the platform, which handles perpetual futures on Solana, lost somewhere between $280 million and $285 million. The people behind the theft walked away with $155 million in JLP tokens and another $60 million in USDC, and they managed to hit nearly 20 different vaults while touching about 20 different types of assets.
This wasn't just a case of someone getting lucky with an exploit. The attacker started preparing as far back as March 23, when they set up four separate wallets using durable nonce accounts, a Solana feature that lets a transaction be signed in advance and executed whenever its holder chooses later on. Two of these wallets belonged to members of the Security Council at Drift, while the other two were under the direct control of the attacker. Using social engineering, they obtained the multisig approvals they needed from two out of the five signers. Then on April 1, right as the team was carrying out a routine withdrawal from the insurance fund, the attacker sent out two of those pre-signed transactions just four slots apart. That move let them seize admin control, introduce a fake asset called "CVT" into the spot market, and push the withdrawal limit for USDC all the way up to 500 trillion. In just a few seconds, every internal safety measure the platform had in place was essentially gone.
Data from DefiLlama shows that the Total Value Locked, or TVL, dropped from $550 million down to about $247 million. Some reports put the remaining TVL at only $23.5 million, but that number was a mistake: people were looking at the total from Drift’s Series A funding round in 2023. So while the protocol has been severely damaged, it hasn't been left empty.
Looking at the Lazarus Group and the Role of Circle
Elliptic has attributed the hack to the Lazarus Group out of North Korea, pointing to patterns in how the funds moved on-chain and how the money was laundered that are identical to other state-sponsored attacks they've seen. This would mark the 18th time just in the year 2026 that Elliptic has tracked a crypto theft with links to the DPRK, which brings the total for the year to over $300 million. They saw the thieves use Jupiter DEX to swap their assets for USDC before they bridged about 129,000 ETH—which is roughly $270 million—over to the Ethereum network through the CCTP protocol from Circle. After that, the funds were spread out across a number of different wallets.
Circle is currently facing a lot of criticism for not taking any action. The attacker actually held onto the stolen USDC for several hours before they finished bridging it, but Circle didn't do anything to freeze those funds. This stands in sharp contrast to what happened just a week before, when Circle froze 16 wallets that belonged to businesses tied up in a civil case in the U.S. ZachXBT, who investigates these things on-chain, was the one who pointed out how inconsistent this looks. As of now, Circle hasn't made any comments. For investors on the institutional side, this whole situation suggests that the policy Circle has for freezing funds is something they use at their own discretion. Now, any risk models for business partners will have to take that kind of unpredictability into account.
Why Governance Was Always the Real Product
Drift had raised a total of $52.5 million, which included a Series B round that took place in 2024. When you consider that they had $148.6 billion in total volume for perpetual trading and had brought in $61 million in fees, they were a rare example of what a mature financial brand looked like on Solana. They even had two different audits, including one from the team at Trail of Bits, both of which gave the platform a clean bill of health as recently as this past February.
The thing is, the audits and those volume numbers were actually secondary to what the real value of the protocol was, which was the perception that their governance was solid. That was a promise that ended up failing.
Drift was set up to function as a kind of "super app" that offered everything from perpetuals and spot trading to lending. This kind of complexity meant that the area where an admin could make changes grew faster than the team's own operational discipline could keep up with. When they were in the middle of a migration from their 3-out-of-5 multisig setup, they didn't manage to implement a timelock. That failure is what allowed the attacker to add the CVT market and jack up the withdrawal limits right away. Even though durable nonces are a standard feature on Solana, they turned into a vulnerability here because the protocol didn't have enough procedural checks in place for that kind of delayed admin authority.
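The missing controls described above, as an added example (not Drift's code and not part of the original article): a simplified Rust model of an admin queue with a timelock and an approval-freshness limit, showing how each treats approvals signed long before use and an execution attempted four slots after queueing. The type names, slot numbers and the 216,000-slot delay (about a day at roughly 400 ms per slot) are assumptions chosen for illustration.

```rust
// Added example: a simplified model, not Drift's code. All names are hypothetical.
#[derive(Debug, Clone, PartialEq)]
pub enum AdminAction { AddSpotMarket(String), SetWithdrawLimit(u64) }
#[derive(Debug, PartialEq)]
pub enum Reject { TooFewApprovals, StaleApproval, NotQueued, TimelockActive }
pub struct Approval { pub signer: u8, pub signed_slot: u64 }
pub type Outcome = Result<(), Reject>;

pub struct Governance {
    pub threshold: usize,      // distinct signers required
    pub delay_slots: u64,      // timelock between queue and execute
    pub max_approval_age: u64, // how long a pre-signed approval stays usable
    queued: Vec<(AdminAction, u64)>, // (action, slot it was queued at)
}

impl Governance {
    // Queueing needs enough distinct signers whose approvals are still fresh.
    pub fn queue(&mut self, action: AdminAction, approvals: &[Approval], now: u64) -> Outcome {
        let mut signers: Vec<u8> = approvals.iter().map(|a| a.signer).collect();
        signers.sort(); signers.dedup();
        if signers.len() < self.threshold { return Err(Reject::TooFewApprovals); }
        let stale = approvals.iter().any(|a| now.saturating_sub(a.signed_slot) > self.max_approval_age);
        if stale { return Err(Reject::StaleApproval); }
        self.queued.push((action, now));
        Ok(())
    }
    // Execution is refused until the delay has elapsed since queueing.
    pub fn execute(&mut self, action: &AdminAction, now: u64) -> Outcome {
        let i = self.queued.iter().position(|(a, _)| a == action).ok_or(Reject::NotQueued)?;
        if now < self.queued[i].1.saturating_add(self.delay_slots) { return Err(Reject::TimelockActive); }
        self.queued.remove(i);
        Ok(())
    }
}

// Constructed scenario: two approvals signed at slot 100 are used at slot
// 2_000_000, and execution is attempted four slots after queueing.
pub fn scenario(action: AdminAction, delay_slots: u64, max_approval_age: u64) -> (Outcome, Outcome) {
    let mut gov = Governance { threshold: 2, delay_slots, max_approval_age, queued: Vec::new() };
    let approvals = [1u8, 2].map(|signer| Approval { signer, signed_slot: 100 });
    let queued = gov.queue(action.clone(), &approvals, 2_000_000);
    (queued, gov.execute(&action, 2_000_004))
}

fn main() {
    println!("no controls:   {:?}", scenario(AdminAction::AddSpotMarket("CVT".into()), 0, u64::MAX));
    println!("timelock only: {:?}", scenario(AdminAction::SetWithdrawLimit(u64::MAX), 216_000, u64::MAX));
    println!("freshness cap: {:?}", scenario(AdminAction::AddSpotMarket("CVT".into()), 0, 150));
}
```

With no delay and no age limit both steps succeed; the timelock alone blocks execution, and the freshness limit alone refuses the old approvals at queue time.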
The value of the DRIFT token has fallen by nearly 40% and it’s now trading somewhere between $0.04 and $0.05. That puts its market cap in the range of the mid-$20 millions. For the most part, the lockup periods for the early investors have already passed. This isn't what you'd call a "buy the dip" opportunity. Instead, DRIFT is now what you'd describe as a distressed asset. It’s basically an option on whether some kind of restructuring can happen, and in that scenario, it’s likely that the users and the creditors will be prioritized in any recovery plan, rather than the people who hold the token.
The hack at Drift is going to force a repricing across the entire DeFi sector. We're in a situation where audits are no longer seen as a proxy for safety, and the "decentralized" label is no longer a replacement for a real control architecture. It’s likely that investors will start to differentiate between protocols that have professional-grade controls—things like timelocks, simulated transactions, and separated approval domains—and those that are relying solely on having "clean code." You might see SOL recover its price faster than the governance multiples of the apps built on Solana do. At the same time, the reputation that Circle has as a neutral piece of infrastructure has been damaged. It feels like the primary risk in the DeFi space has shifted away from simple code bugs and toward the compromise of privileged access, which is a problem you can't just patch with a software update.
Not investment advice.
Sources: https://x.com/DriftProtocol/status/2039404931778535427