April 1, 2026 was no joke — and Drift Protocol made that clear immediately with a post on X that felt surreal given the date: "This is not an April Fools joke."
Within twelve minutes, the leading decentralized perpetuals exchange on Solana had lost $285 million. Not due to a code vulnerability. Due to something far harder to fix.
Three Weeks of Preparation, Twelve Minutes to Execute
It all started on March 11, with a withdrawal of 10 ETH from Tornado Cash — moved at around 9 AM Pyongyang time. That detail matters. Those funds financed the creation of the CarbonVote Token (CVT), a completely fabricated token with no real value. Over the following weeks, the attackers worked methodically: minimal liquidity on Raydium, systematic wash trading, price artificially maintained near $1. Drift's oracles read it as a legitimate asset. The trap was set.
On March 23, four durable nonce accounts were opened. Two belonged to real members of Drift's Security Council. Two were controlled by the attackers, who had already obtained the necessary signatures — likely by presenting ordinary-looking transactions to multisig signers who had no way of knowing what they were actually approving. On March 27, Drift migrated its Security Council to a 2/5 configuration with no timelock — effectively eliminating the last checkpoint that could have caught the breach before it was too late.
April 1 was when it all triggered. Thirty-one sequential withdrawal transactions, roughly twelve minutes, three main vaults drained — JLP Delta Neutral, SOL Super Staking, BTC Super Staking — for a total exceeding $285 million in USDC, SOL, JLP, and WBTC. The protocol's TVL dropped from $550 million to under $250 million. The DRIFT token crashed over 40%. Eleven protocols in the Solana ecosystem suffered collateral damage.
ZachXBT, Circle, and a Question That Burns
Immediately after the exploit, the attacker converted most of the stolen assets into USDC, then used Circle's CCTP bridge — the cross-chain protocol owned by the USDC issuer — to move approximately $232 million from Solana to Ethereum in more than one hundred transactions over a six-hour window, during US business hours. Circle did nothing.
ZachXBT said it plainly on X, addressing Circle and its CEO Jeremy Allaire directly:
Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.
Value was moved and nothing was done yet again.
Comes days after you froze 16+ business hot wallets incompetently which is still…
— ZachXBT (@zachxbt) April 2, 2026
Here is the contrast that stings: on March 23 — the very same day the attackers were setting up their durable nonce accounts — Circle had frozen the USDC balances of 16 business wallets in minutes, including the ckETH Minter Smart Contract belonging to the DFINITY Foundation, as part of a US civil lawsuit. Legitimate wallets, real businesses, no warning. ZachXBT had already called it the most incompetent freeze he had seen in five years. At least Circle had acted.
Not this time. Researcher Specter added a telling detail: the attacker held the funds still for one to three hours before moving them, deliberately avoiding Tether. He knew Circle would not intervene.
Who Is Behind It: The Lazarus Group, Again
Elliptic and TRM Labs published their analyses within hours of each other, and their conclusions converge. All indicators point to the Lazarus Group — the North Korean state-linked collective already blamed for the $1.4 billion stolen from Bybit in 2025 and the $326 million Wormhole Bridge exploit in 2022. Tornado Cash was used in the initial phases, timestamps at the time of CVT deployment align with Pyongyang working hours, and the laundering speed and multi-chain bridging patterns all match.
Everything fits. According to Elliptic, this would be the eighteenth attack attributed to the North Korean regime in 2026 alone — over $300 million stolen in a matter of months. And according to the US government, those funds feed Pyongyang's ballistic missile and nuclear weapons programs.
The Problem Was Not the Code
Two audits had cleared Drift — Trail of Bits in 2022, ClawSecure in February 2026. There was no bug to find. What existed was governance architecture built on assumptions that a patient attacker dismantled piece by piece: no timelock on administrative migrations, oracles lacking minimum liquidity thresholds, and multisig signers with no real procedure to verify the actual content of a transaction before approving it.
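One signer-side check for the last gap named above, as an added example and not code from Drift or from any tool the article mentions: it decodes a legacy Solana transaction message and flags one that opens with the System program's AdvanceNonceAccount instruction, the marker of a durable-nonce transaction whose signatures stay valid until the nonce is advanced. The sample message and its account keys are constructed, and versioned (v0) messages are out of scope.

```python
SYSTEM_PROGRAM = bytes(32)                # base58: 11111111111111111111111111111111
ADVANCE_NONCE = (4).to_bytes(4, "little") # SystemInstruction::AdvanceNonceAccount
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def shortvec(buf, off):
    """Decode a compact-u16 length prefix; return (value, next offset)."""
    val = shift = 0
    while True:
        byte, off = buf[off], off + 1
        val |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return val, off
        shift += 7

def review_message(msg):
    """Summarise a legacy Solana message so a signer sees what it authorises."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: outside the scope of this example")
    nkeys, off = shortvec(msg, 3)               # 3-byte header, then account keys
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(nkeys)]
    off += 32 * nkeys + 32                      # skip keys and blockhash/nonce field
    count, off = shortvec(msg, off)
    ixs = []
    for _ in range(count):
        prog = keys[msg[off]]                   # one-byte program id index
        n, off = shortvec(msg, off + 1)
        accts, off = [keys[i] for i in msg[off:off + n]], off + n
        n, off = shortvec(msg, off)
        ixs.append((prog, accts, msg[off:off + n]))
        off += n
    # Durable-nonce transactions start with AdvanceNonceAccount and do not expire.
    durable = bool(ixs) and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2] == ADVANCE_NONCE
    return {"durable_nonce": durable,
            "nonce_account": b58(ixs[0][1][0]) if durable else None,
            "programs": [b58(p) for p, _, _ in ixs]}

def sample_message(first_ix_data):
    """Constructed input: one System instruction, then a made-up program call."""
    keys = [bytes([k]) * 32 for k in (1, 2, 3)] + [SYSTEM_PROGRAM, bytes([9]) * 32]
    ix0 = bytes([3, 3, 1, 2, 0, len(first_ix_data)]) + first_ix_data
    return (bytes([1, 0, 3, 5]) + b"".join(keys) + bytes([7]) * 32
            + bytes([2]) + ix0 + bytes([4, 1, 1, 1, 0xAA]))
```

A signing policy can refuse or escalate any request where `durable_nonce` is true or where `programs` contains an ID the signer does not recognise.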
In 2026, 35 DeFi protocols have been hit for approximately $453 million in total. The Drift hack is the largest single incident of the year. It probably will not be the last.
