$285 million, the largest on-chain attack of the year, or still the age-old private key issue

On April 1, 2026, at 4:00 PM UTC, the Drift Protocol Treasury's total assets were $309 million. One hour later, only $41 million remained.

This is not an April Fools' joke. The Drift team had to make it clear themselves — "This is not an April Fools' joke." But when faced with on-chain data, the only difference between a joke and a disaster is whether the money is still there.

What Happened

Around 4:00 PM UTC on April 1, blockchain monitoring agencies LookIntoChain and PeckShield almost simultaneously captured abnormal signals: a wallet, HkGz4K..., created just eight days ago, began massively transferring assets from multiple Drift treasuries. The first transaction involved 41.7 million JLP tokens valued at approximately $155.6 million.

The attacker systematically emptied Drift's JLP Delta Neutral, SOL Super Staking, and BTC Super Staking core treasuries, involving over 15 different tokens — USDC, SOL, cbBTC, wBTC, liquidity pool tokens, and even the meme coin Fartcoin was not spared. Approximately $270 million to $285 million in assets were drained in one hour.

PeckShield provided a preliminary assessment: administrator private key leak. The attacker obtained the protocol's privileged management key, allowing them not only to invoke the treasury withdrawal function but also to change the administrator key itself — equivalent to changing the lock and leaving the original owner locked out. The Drift team couldn't even urgently freeze the contract after the attack occurred.

This is the oldest form of attack. Not a flash loan arbitrage, not oracle manipulation, not smart contract logic vulnerability. It's simply a case of a key falling into the wrong hands.

Attacker's Retreat Route

More noteworthy than the intrusion is the attacker's exit strategy.

After siphoning the assets, the attacker swiftly converted various tokens to USDC via the Jupiter Aggregator and then bridged to Ethereum. As of UTC 5:49 PM, the attacker had purchased 19,913 ETH (approximately $42.6 million); by 6:17 PM, this number had doubled to 38,820 ETH (approximately $82.66 million). Simultaneously, another portion of SOL was directly deposited into Binance and HyperLiquid.

Multi-chain decentralization, multi-platform off-ramping, real-time hedging. This is not a spur-of-the-moment hacker, but a carefully rehearsed exit plan.

The Gravity of Drift

Drift is not an obscure protocol.

Co-founded by Cindy Leow and David Lu in 2021, it is the largest decentralized perpetual contract exchange in the Solana ecosystem. In early 2024, Polychain Capital led a $23.5 million Series A funding round, bringing the total funding to $52.3 million. As of the incident, Drift had a cumulative trading volume exceeding $55 billion, a total locked value surpassing $1 billion, and over 200,000 active traders.

In a 2024 interview with Fortune, Cindy Leow said she wanted to make Drift the "Robinhood of the crypto world." Now, this analogy has acquired a new, less favorable connotation—Robinhood froze user trading during the 2021 GameStop incident, while Drift had its own administrative powers frozen by attackers.

This also marks the largest security incident in the Solana ecosystem since the $325 million hack of the Wormhole cross-chain bridge in 2022.

The Age-Old Issue of DeFi Security

Placing the Drift incident in the annals of history, the scene is all too familiar.

In 2022, the Ronin Bridge was hacked for $625 million—compromised validator node keys. In February 2025, Bybit was breached for $1.4 billion—an injection of malicious code into the Safe{Wallet} frontend, essentially still a breakdown in the key management chain. Now, it's Drift, following the same script: compromised administrator keys, protocol compromised.

The $285 million stolen ranks around fifth or sixth on the DeFi hacks leaderboard. But the magnitude is no longer the focal point. The central point is that decentralized protocols repeatedly falter at the same juncture—not in code logic, not in cryptography, but in who holds the key to everything and how.

A perpetual contract protocol sells permissionless financial freedom. However, when a single admin key can empty all vaults within an hour, who exactly do the four words "permissionless financial freedom" protect?

Aftermath and Suspense

The Drift team quickly halted the deposit/withdrawal functionality post-incident and stated they were coordinating with "multiple security firms, cross-chain bridges, and exchanges" to track the funds. However, as of the time of writing, there has been no news of any funds successfully being frozen or recovered.

The DRIFT token plunged over 25% after the news broke, dropping from around $0.072 to $0.055. DeFi Development Corp. (a company holding a significant amount of SOL listed on DAT) promptly clarified that they had no association with Drift.

The attacker's wallet remains active. On-chain data shows that the assets are still being continuously swapped and dispersed. This is an ongoing exit scam.

Several key questions remain unanswered: How was the admin private key leaked? Was it due to operational oversight, a social engineering attack, or insider involvement? The attacker created a wallet eight days before the incident and conducted small transactions on OKX and Jupiter—was this a probe or part of a larger plan? Is there a possibility of the funds moved to centralized exchanges being frozen?

On April 1st, a wallet created just eight days prior unlocked the entire treasury of the largest perpetual contracts platform on Solana with a single admin key. The entire process took less than an hour. On-chain, the relationship between locks and keys has never been merely metaphorical.