Drift Protocol exploiter doubles down on Ethereum after siphoning $285 million in assets

The Drift Protocol attacker is doubling down on Ethereum accumulation after conducting a sophisticated operation targeting the protocol’s administrative systems and draining $285 million from its vaults.

According to data tracked by Lookonchain, the malicious actor has spent millions in USDC to acquire 130,262 ETH, worth around $265 million, over the past day.

Ethereum traded at $2,038 at press time, sliding about 4% during the same stretch, per CoinGecko.

Drift’s native token, DRIFT, fell sharply to $0.049, losing over 30% of its value since the attack.

What happened to Drift Protocol?

The attack was first flagged on April 1 when Helius CEO Mert Mumtaz alerted the community that Drift Protocol could be under exploitation.

Shortly afterward, PeckShield identified unusual outflows involving more than 15 tokens, confirming a major exploit. Initial losses were estimated at around $270 million.

About two hours later, the Drift Protocol team publicly acknowledged the incident on X, suspending all deposits and withdrawals while coordinating a response with security firms, bridges, and exchanges.

How the attack was staged

According to Drift’s latest update, the attacker targeted the human and procedural layer of the Security Council multisig, a 2-of-5 administrative structure controlling critical protocol-level permissions.

Preparation

The operation was carefully prepared over several weeks. As noted by the project, durable nonce accounts were created on Solana as early as March 23 to enable delayed execution of pre-signed transactions.

By obtaining approval signatures from at least two of the five Security Council members, likely through social engineering or misrepresentation of the transactions, the attacker accumulated sufficient authorization to seize administrative control.

Four durable nonce accounts were established on March 23: two linked to existing Security Council members and two controlled by the attacker.

When Drift carried out a planned Security Council migration on March 27, the attacker adapted by creating an additional durable nonce account on March 30 tied to a newly appointed multisig member.

Execution

The attack was executed on April 1, shortly after Drift’s team had completed a legitimate test withdrawal from its insurance fund.

The attacker submitted two pre-signed durable nonce transactions just four slots apart on the Solana network. The first transaction created and approved a malicious admin transfer, and the second approved and executed it.

With full control of protocol-level permissions, the attacker introduced a malicious asset, removed all pre-set withdrawal limits, and drained funds across approximately 31 transactions in roughly 12 minutes.

Funds affected include deposits in borrow-and-lend pools, vault deposits, and assets held for trading.

Drift confirmed that the insurance fund and DSOL tokens not deposited directly in the platform, including assets staked to the Drift validator, remained unaffected.
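
A defensive monitoring example for the pattern described above, added here and not taken from Drift or any security vendor: it flags nonce accounts whose authority is a multisig signer, and multisig transactions sent with a durable nonce. The record layout, `NonceWatch`, the signer names and the multisig program id are assumptions for illustration; the only Solana facts relied on are the System Program id and that a durable-nonce transaction begins with an AdvanceNonceAccount instruction.

```python
from dataclasses import dataclass, field

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id

@dataclass
class NonceWatch:
    signers: set            # multisig member pubkeys (placeholders below)
    multisig_program: str   # multisig program id (placeholder below)
    created: dict = field(default_factory=dict)  # nonce account -> day first seen

    def inspect(self, tx):
        """Return alert tuples for one simplified transaction record."""
        alerts, ixs = [], tx["instructions"]
        if not ixs:
            return alerts
        for ix in ixs:
            if ix["program"] == SYSTEM_PROGRAM and ix["type"] == "initializeNonceAccount":
                self.created[ix["nonce"]] = tx["day"]
                if ix["authority"] in self.signers:
                    alerts.append(("nonce_for_signer", ix["nonce"], ix["authority"]))
        # A durable-nonce transaction must begin with AdvanceNonceAccount, so
        # the first instruction alone tells us it could have been signed long ago.
        first = ixs[0]
        durable = first["program"] == SYSTEM_PROGRAM and first["type"] == "advanceNonceAccount"
        if durable and any(ix["program"] == self.multisig_program for ix in ixs):
            seen = self.created.get(first["nonce"])
            age = None if seen is None else tx["day"] - seen
            alerts.append(("multisig_via_durable_nonce", first["nonce"], age))
        return alerts

def sys_ix(kind, nonce, authority):
    return {"program": SYSTEM_PROGRAM, "type": kind, "nonce": nonce, "authority": authority}

# Constructed sample: day numbers and all names are placeholders, not on-chain data.
SAMPLE = [
    {"day": 0, "instructions": [sys_ix("initializeNonceAccount", "NONCE_A", "SIGNER_1")]},
    {"day": 0, "instructions": [sys_ix("initializeNonceAccount", "NONCE_X", "OUTSIDER")]},
    {"day": 9, "instructions": [sys_ix("advanceNonceAccount", "NONCE_A", "SIGNER_1"),
                                {"program": "MULTISIG_PROGRAM", "type": "approve"}]},
    {"day": 9, "instructions": [{"program": "MULTISIG_PROGRAM", "type": "approve"}]},
]

def run(sample=SAMPLE):
    watch = NonceWatch({"SIGNER_1", "SIGNER_2"}, "MULTISIG_PROGRAM")
    return [watch.inspect(tx) for tx in sample]

if __name__ == "__main__":
    for alerts in run():
        print(alerts)
```

The first alert fires at nonce account creation, days before any funds can move; the second reports how long the signed transaction may have been held, which an ordinary recent-blockhash transaction cannot be.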

Financial fallout

Before the exploit, Drift Protocol had a total value locked (TVL) exceeding $550 million, making it one of Solana’s largest DeFi applications, according to DeFiLlama.

At its peak, Drift Protocol’s TVL reached $1.3 billion. Following the attack, TVL plummeted to around $247 million.

The DRIFT token, which had traded above $0.07 before the breach, dropped to about $0.04, reflecting a 42% decline within 24 hours. Its market capitalization shrank from roughly $41 million to $25 million.

The exploit also affected approximately 11 downstream protocols. For example, Ranger Finance faced an estimated $900,000 exposure.

What is Drift Protocol?

Founded in 2021, Drift sets itself apart from centralized exchanges by operating fully on the Solana blockchain, so that users' funds remain under their own control.

In September 2024, the firm raised $25 million in a Series B round led by Multicoin Capital, with additional participation from Blockchain Capital, Primitive Ventures, and Folius Ventures.

Co-founder Cindy Leow aims to make Drift the “Robinhood of crypto,” building an integrated suite of financial services that includes spot and derivatives trading as well as a prediction market.

Disclosure: This article was edited by Vivian Nguyen. For more information on how we create and review content, see our Editorial Policy.




