Solana-based Drift Protocol has suffered the biggest exploit of 2026 to date, losing nearly $300 million in a “highly sophisticated operation” that has raised concerns about the growing threat of human-targeted attacks in the crypto space.
Related reading
Solana DEX loses $285 million on April 1
On Wednesday, Solana-based decentralized exchange (DEX) Drift Protocol fell victim to an exploit that stole hundreds of millions of dollars from its vaults. After online reports noted unusual activity on the chain yesterday afternoon, Drift’s official channels confirmed the attack, quickly suspending deposits and withdrawals.
According to reports, the attack lasted less than 20 minutes and approximately $285 million in multiple assets, including USDC, JPL, USDT, JUP, USDS, WBTC, and WETH, were stolen from nearly 20 vaults. This is the largest crypto exploit of 2026 so far, and one of the largest hacks in the industry, just above the $235 million hack of WazirX.
The hack destroyed half of the total value of the Solana-based project (TVL), which dropped from about $550 million to $252 million, according to DeFiLlama data. The Drift Protocol’s token, DRIFT, also fell, recovering nearly 40% in the past 24 hours.
Within hours, the operator had converted $270.9 million into USDC, bridged it from Solana to Ethereum via the CCTP TokenMessengerMinterV2, and purchased 129,000 ETH, distributing it across multiple wallets.
In a Thursday post, Drift shared the details of the incident, which confirms that “a malicious actor gained unauthorized access to the Drift Protocol via a new attack involving sustained nonces, resulting in a rapid takeover of the administrative powers of the Drift Security Council.”
Solana’s durable nonces are an advanced mechanism that allows transactions to bypass the typical short expiration of regular transactions. This allows users to pre-sign transactions for future execution, offline signing, or complex multisig workflows.
“This was a highly sophisticated operation that involved several weeks of preparation and phased execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution,” the post continued.
Malicious actors targeting people, not smart contracts
Solana-based DEX emphasized that the exploit was not the result of a bug in Drift’s programs or smart contracts, noting that they also found no evidence of compromised sentences.
“The attack involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated by persistent nonce mechanisms and sophisticated social engineering,” the project underlined.
Lily Liu, President of the Solana Foundation, addressed the incident and claims it is a blow to the entire Solana ecosystem. Liu pointed out that “smart contracts took hold. The real targets now are people: social engineering and opsec weaknesses more than code exploits.”
Related reading
General Ledger CTO Charles Guillemet linked Drift’s method of attack on Bybit’s $1.4 billion hack, which was attributed to North Korean hacking groups. As he explained, the attackers likely compromised several multisig signer machines through prolonged infiltration and tricked operators into approving the malicious transactions.
This modus operandi is similar to last year’s Bybit hack, which is widely attributed to DPRK-linked actors. The pattern is becoming familiar: patient, sophisticated compromises at the supply chain level, focused on the human and operational layer, and not on the smart contracts themselves.
Guillemet confirmed that the incident is “yet another wake-up call for the industry” to raise the bar on safety. “Ultimately, security isn’t just about code audits. It’s about giving operators and users the right information at the right time so they can make informed decisions about what they sign,” he concluded.
Featured image from Unsplash.com, chart from TradingView.com