
- Drift Protocol confirms $280 million crypto theft via sophisticated attack abusing durable nonces
- Hackers hijacked Security Council powers through misrepresented transaction approvals and social engineering
- Deposits in borrow/lend, vaults, and trading affected; incident marks largest crypto heist of 2026 so far
Decentralized cryptocurrency exchange Drift has confirmed suffering a cyberattack in which threat actors stole hundreds of millions of dollars worth of tokens.
On April 1, 2026, Drift Protocol posted on X, saying it was “experiencing an active attack”, and that all deposits and withdrawals were suspended as a result.
“This is not an April Fools joke,” the maintainers tweeted. “We are coordinating with multiple security firms, bridges, and exchanges to contain the incident.”
Highly sophisticated attack
Soon after, an update was posted, explaining that a malicious actor was able to access the protocol “through a novel attack involving durable nonces,” resulting in a “rapid takeover of Drift’s Security Council administrative powers.”
The Security Council is a governance and safety mechanism designed to act quickly in emergencies, without waiting for full DAO voting. It is a small, trusted group (usually multisig signers) within the protocol’s governance structure that has limited, fast-track powers. Ironically enough, the Security Council was supposed to prevent attacks like this one.
Drift says the attack was a “highly sophisticated operation that appears to have involved multi-week preparation and staged execution”.
It was not a bug, and no seed phrases were compromised. Instead, the attack involved “unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering.”
For Ido Sofer, Founder & CEO at Sodot, the exploit was a "failure of transactional policy and operational security," serving as "another stark reminder that it's not enough to know who signed a transaction."
"Protocols need controls over when, how, and under what conditions signatures are executed," he said.
"The industry secured private keys in storage, then added policy controls to govern execution. Now the same discipline must extend to every environment in crypto: zero-exposure architecture, policy-driven controls, and multi-party governance embedded at the execution layer where keys are actually used."
At press time, no one had claimed responsibility for this attack, but Drift said roughly $280 million was withdrawn from the protocol. North Korean state-sponsored groups Lazarus and different Chollima variants (Labyrinth, Pressure, Golden) are usually tasked with stealing cryptocurrencies from organizations in the West. The country uses the stolen money to fund its government apparatus and its weapons programme, some researchers claim.
All deposits placed into borrow/lend, vault deposits, and funds deposited for trading are affected, Drift confirmed. This is now one of the largest crypto heists ever, and the largest one this year so far.
Via The Record