Ledger CTO links Drift Protocol’s $280M breach to North Korea’s Lazarus Group

April Fools’ Day turned into a nightmare for Drift Protocol, a Solana-based perpetual trading platform.

What started as abnormal activity on the protocol quickly spiraled into chaos as Drift lost $280 million in a coordinated attack. It is the largest crypto exploit the industry has witnessed in 2026.

While most hacks rely on breaking code, investigations paint a different picture. And industry leaders have already started speculating.

Suspicions of North Korean involvement emerge

Drift Protocol’s incident has stirred conversations across the digital assets space. Early reactions point in one direction.

Ledger CTO Charles Guillemet was among the first to react. He took to X, saying that the hack mirrors Bybit’s $1.5 billion attack in 2025 and that current patterns point to North Korea’s Lazarus Group. Notably, these include compromised signer access, patient infiltration, and targeting operational blind spots – not code flaws.

Guillemet says:

“This modus operandi is similar to the Bybit hack last year, widely attributed to DPRK-linked actors. The pattern is becoming familiar: patient, sophisticated supply-chain-level compromise targeting the human and operational layers, not the smart contracts themselves.”

That approach has become common in Lazarus-linked scam activities. They have drained the crypto sector of billions in recent years by taking time to gain trust before striking.

It’s not a bug, but a trust breach

The Drift team has been posting constant updates on the incident. Their internal investigation confirmed what the industry suspected – the exploit wasn’t related to a smart contract vulnerability.

Instead, the perpetrator accessed the protocol’s multisig security setup. That compromise likely occurred weeks ago through social engineering, and the attacker was waiting quietly to make a move.

Meanwhile, the fraudster leveraged Solana’s durable nonce functionality to pre-sign malicious transactions and waited for the perfect moment, which came during a routine team operation.

Two transactions executed within seconds and permitted the attacker to drain funds almost instantly.
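A pre-signed durable-nonce transaction can be recognized before anyone approves it: its first instruction is the System Program's AdvanceNonceAccount, and it does not expire the way a transaction built on a recent blockhash does. The sketch below is an added example, not Drift's or Ledger's code; the decoded-message dict layout, the request ids and every key except the System Program id are constructed placeholders.

```python
import struct

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction index, encoded as u32 little-endian

def durable_nonce_info(message):
    """Return nonce details if the first instruction is AdvanceNonceAccount, else None."""
    instructions = message["instructions"]
    if not instructions:
        return None
    first, keys = instructions[0], message["account_keys"]
    if keys[first["program_id_index"]] != SYSTEM_PROGRAM_ID:
        return None
    data, accounts = first["data"], first["accounts"]
    if len(data) < 4 or struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    if len(accounts) < 3:
        return None
    # Account order: nonce account, recent-blockhashes sysvar, nonce authority
    return {"nonce_account": keys[accounts[0]], "nonce_authority": keys[accounts[2]]}

def review_queue(pending, known_authorities):
    """Flag signing requests that stay valid indefinitely because they use a durable nonce."""
    findings = []
    for item in pending:
        info = durable_nonce_info(item["message"])
        if info:
            info["id"] = item["id"]
            info["authority_known"] = info["nonce_authority"] in known_authorities
            findings.append(info)
    return findings

# Constructed sample queue (hypothetical layout); keys other than the System Program id are placeholders.
KEYS = ["signer-A", "nonce-acct-1", "recent-blockhashes-sysvar",
        SYSTEM_PROGRAM_ID, "target-program", "outsider-B"]
PENDING = [
    {"id": "req-1", "message": {"account_keys": KEYS, "instructions": [
        {"program_id_index": 4, "accounts": [0], "data": b"\x01"}]}},
    {"id": "req-2", "message": {"account_keys": KEYS, "instructions": [
        {"program_id_index": 3, "accounts": [1, 2, 5], "data": struct.pack("<I", 4)},
        {"program_id_index": 4, "accounts": [0], "data": b"\x02"}]}},
    {"id": "req-3", "message": {"account_keys": KEYS, "instructions": [  # plain System transfer
        {"program_id_index": 3, "accounts": [0, 1], "data": struct.pack("<IQ", 2, 1000)}]}},
]

if __name__ == "__main__":
    for finding in review_queue(PENDING, known_authorities={"signer-A"}):
        print(finding)
```

A flagged request whose nonce authority is outside the team's own key set deserves the closest look, since the signature a signer gives it remains usable until that nonce is advanced.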

Compromised assets included USD Coin (USDC), Solana (SOL), and wrapped Bitcoin.

Circle faces scrutiny

Attention turned to the USDC issuer as the funds moved. Blockchain investigator ZachXBT criticized Circle for failing to freeze over $230 million in USDC that flowed from Solana to Ethereum without intervention, all during US working hours.

ZachXBT added:

“6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack. Circle is a centralized stablecoin issuer headquartered in New York, and the attack began around 12 pm ET.”

Circle has yet to comment publicly, but the episode has stirred debate about CEX’s control features and who they protect.

Drift has disabled withdrawals and deposits as the team works with exchanges, bridges, and law enforcement for asset recovery. Native token DRIFT has lost over 20% of its value in the past 24 hours to trade at $0.06014.