TL;DR
- Drift Protocol confirmed an active attack on April 1, 2026, with losses estimated between $200 and $285 million
- Over 50 percent of the platform's Total Value Locked (TVL) disappeared during the attack
- The attacker quickly swapped stolen assets to stablecoins, bridged to Ethereum, and purchased ETH
- The DRIFT token fell around 25 percent in the wake of the news
"This is No April Fool's Joke"
On Tuesday, April 1, 2026, Drift Protocol sent a message many hoped was a joke. It wasn't. The Solana-based decentralized exchange confirmed via its official X account that the platform was under active attack, and that deposits and withdrawals were suspended until further notice. "This is not an April Fools joke," the message stated, according to CoinDesk.
The protocol announced that it is collaborating with several security companies, bridges, and exchanges to limit the extent of the damage.
Attacker Prepared Eight Days in Advance
According to on-chain analysis reported in the aftermath of the incident, the main attack wallet was created a full eight days before the attack itself. The wallet reportedly had interactions with OKX and the Jupiter aggregator before remaining inactive until shortly before the attack was triggered. This suggests careful pre-planning rather than an opportunistic hack.
The funds were traced to a Solana wallet with the address HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES. The attacker used Jupiter to quickly exchange stolen assets — including JLP tokens, USDC, cbBTC, USDT, USDS, and Jito (JTO) — into stablecoins, before bridging them to the Ethereum network. According to available reports, the attacker at one point held 19,913 ETH, equivalent to approximately $42.6 million.
One of the largest single transfers in the attack was 41.7 million JLP tokens worth an estimated $155 million.
Cause Not Determined
Blockchain security company PeckShield informed Recorded Future News that losses exceeded $285 million. Blockchain security researcher Vladimir S. estimated losses at up to $200 million and stated that the attack was likely due to a private key leak — but this has not yet been confirmed by Drift Protocol itself.
Other unconfirmed theories circulating on social media include that an administrator key may have been compromised, which could have allowed the attacker to manipulate security settings and artificially inflate the value of a low-liquidity asset. This inflated asset would then have been used as collateral to borrow high-value tokens and drain liquidity pools.
On-chain data indicates that the attack affected several vaults within the protocol, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. It is important to emphasize that the technical details are still under investigation, and none of these mechanisms have been officially confirmed.
Solana's Security Image Under Pressure
The incident once again highlights the security challenges in Solana's DeFi ecosystem. The network has experienced strong growth in recent years — TVL surpassed $10 billion in January 2025 and daily active users were around 3.8 million in March 2026, according to available data. Solana accounted for 81 percent of all DEX trading in the crypto industry in 2024.
But with growth comes exposure. Previous security incidents in the Solana ecosystem include the $320 million Wormhole hack in 2022 and a compromise of the Raydium protocol's administration key in the same year. Mert Mumtaz, CEO of Solana developer platform Helius, quickly took to X to warn traders to "monitor their positions" in the wake of the Drift incident.
Drift Protocol itself had a technical incident in May 2022 where a vulnerability allowed profit withdrawals without covering losses — a problem that was addressed with the launch of Drift v2. The April 2026 attack is considered a separate and far more serious incident.
Investigation Ongoing
The protocol has not provided a timeline for when services will reopen. Users are advised to await official communication from Drift Protocol before attempting to engage with the platform. The situation is still developing as of the time of publication.
