On April 1, 2026, Drift Protocol — Solana's largest perpetual DEX — was drained of $282 million in roughly 12 minutes. No smart contract bug. No flash loan. Just a carefully orchestrated governance takeover weeks in the making.
I built a Dune dashboard that tracks every on-chain step: from the initial drain to Jupiter swaps, cross-chain bridging, and the final conversion into ~130,000 ETH on Ethereum. Here's what the data reveals.
The Attack: Durable Nonces as a Weapon
The attacker exploited "durable nonces", a legitimate Solana feature that allows transactions to be pre-signed and executed at a later time. Between March 23 and March 30, the attacker created multiple nonce accounts linked to real Drift Security Council multisig members — likely through social engineering or misrepresented transaction approvals.
On April 1 at 16:06 UTC, two pre-signed transactions were submitted just 4 slots apart, completing an admin transfer that handed full protocol control to the attacker.
No code was hacked. Trust was.
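A durable-nonce transaction can be recognised on sight, because its first instruction is always the System Program's AdvanceNonceAccount. The Python below is an added example, not part of the original dashboard or of Drift's code; it flags durable-nonce transactions signed by watched multisig keys that land within a few slots of each other, as the two admin-transfer transactions did. The transaction dict layout, the signer labels and the 10-slot window are assumptions, and the sample data is constructed.

```python
# Added example: flag durable-nonce transactions signed by watched multisig keys.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
# SystemInstruction::AdvanceNonceAccount is enum variant 4 (u32, little-endian).
ADVANCE_NONCE = (4).to_bytes(4, "little")

def uses_durable_nonce(tx):
    """True when the first instruction is System Program AdvanceNonceAccount,
    which is how the runtime identifies a durable-nonce transaction."""
    ixs = tx["instructions"]
    if not ixs:
        return False
    first = ixs[0]
    return (first["program_id"] == SYSTEM_PROGRAM
            and bytes.fromhex(first["data_hex"])[:4] == ADVANCE_NONCE)

def flag_nonce_bursts(txs, watched_signers, max_slot_gap=10):
    """Return (sig_a, sig_b, gap) for consecutive durable-nonce transactions
    signed by any watched key that land within max_slot_gap slots."""
    hits = sorted(
        (t for t in txs
         if uses_durable_nonce(t) and watched_signers & set(t["signers"])),
        key=lambda t: t["slot"],
    )
    alerts = []
    for a, b in zip(hits, hits[1:]):
        gap = b["slot"] - a["slot"]
        if gap <= max_slot_gap:
            alerts.append((a["signature"], b["signature"], gap))
    return alerts

# Constructed sample data (placeholder labels, not real keys or signatures).
WATCHED = {"COUNCIL_MEMBER_A", "COUNCIL_MEMBER_B"}
SAMPLE = [
    {"signature": "SIG_1", "slot": 1000, "signers": ["COUNCIL_MEMBER_A"],
     "instructions": [{"program_id": SYSTEM_PROGRAM, "data_hex": "04000000"},
                      {"program_id": "MULTISIG_PROGRAM", "data_hex": "aa"}]},
    {"signature": "SIG_2", "slot": 1004, "signers": ["COUNCIL_MEMBER_B"],
     "instructions": [{"program_id": SYSTEM_PROGRAM, "data_hex": "04000000"},
                      {"program_id": "MULTISIG_PROGRAM", "data_hex": "bb"}]},
    # Ordinary transfer (SystemInstruction::Transfer = 2): not a nonce transaction.
    {"signature": "SIG_3", "slot": 1005, "signers": ["COUNCIL_MEMBER_A"],
     "instructions": [{"program_id": SYSTEM_PROGRAM,
                       "data_hex": "0200000040420f0000000000"}]},
]

if __name__ == "__main__":
    print(flag_nonce_bursts(SAMPLE, WATCHED))
```

The same first-instruction check can be run by a signer on an unsigned transaction before approving it, since a durable-nonce transaction stays valid until its nonce is advanced.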
1 Minute, $230 Million
With admin access, the attacker moved fast:
- Listed a fake token (CarbonVote Token / CVT) on Drift's spot market
- Raised withdrawal limits to $500 trillion
- Deposited 7.85M CVT as collateral (artificially priced via weeks of wash trading)
- Executed 31 withdrawals from the Drift Vault
In the first 60 seconds alone, $231M was extracted — including 41.7M JLP ($159M), 51.6M USDC, 164 cbBTC ($11.3M), and 2,200 WETH ($4.7M). Across all 31 transactions, 19 different tokens were drained: USDC, USDT, USDS, JLP, wSOL, cbBTC, wBTC, zBTC, WETH, JitoSOL, mSOL, dSOL, bSOL, INF, Fartcoin, JUP, syrupUSDC, EURC, and USDY.
Smaller follow-up withdrawals continued until 18:31 UTC, pushing the total to approximately $283M from the Drift Vault alone.
The Laundering Playbook
The post-exploit fund flow followed a textbook pattern:
Step 1 — Swap everything to stablecoins
All non-stable assets were converted to USDC via Jupiter within hours of the drain.
Step 2 — Concentrate into hub wallets
A single wallet received ~$134M in USDC, USDT, USDS, cbBTC, wBTC, and JLP. Five other intermediary wallets received between $10M and $48M each.
Step 3 — Bridge to Ethereum
Over $230M in USDC was bridged from Solana to Ethereum through Circle's CCTP across 100+ transactions. Additional funds moved via Wormhole and deBridge.
Step 4 — Convert to ETH
On Ethereum, all stablecoins were rapidly swapped to ETH. By 17:49 UTC, the attacker held 19,913 ETH (~$42.6M). By the end, approximately 129,000 ETH (~$270.9M) had been accumulated.
Step 5 — Split and mix
The ETH was distributed across five wallets — holding 55.4K, 25.7K, 24.9K, and 23.1K ETH respectively — all of which had been pre-funded via Tornado Cash before the exploit. The entire laundering infrastructure was set up in advance.
Why ETH?
The conversion to ETH wasn't random. Unlike USDC, ETH cannot be frozen by a centralized issuer. Circle has the ability to blacklist USDC addresses, but once converted to ETH and passed through mixers, the funds become significantly harder to trace or seize.
On-chain investigator ZachXBT publicly called out Circle for failing to freeze the stolen USDC while it was being actively bridged via CCTP during US business hours. Circle had 6 hours to freeze the funds, and didn't.
DPRK Attribution
Blockchain analytics firm Elliptic flagged the exploit as likely linked to North Korean state-sponsored hackers. The on-chain behavior, laundering methodology, and network-level indicators are consistent with techniques observed in previous DPRK-attributed operations.
If confirmed, this represents the 18th DPRK crypto theft operation tracked in 2026, with over $300M stolen so far this year alone.
The Dashboard
The full Dune dashboard tracks every phase of the exploit with live on-chain data:
- Total value stolen with breakdown by token
- Second-by-second drain timeline
- Jupiter swap activity (sold vs. bought)
- Fund distribution to intermediary wallets
- Bridge outflows from Solana (CCTP, Wormhole, deBridge)
- Ethereum inflows, ETH accumulation curve, and wallet distribution
All queries are open source. Fork them, extend them, investigate further.
Dashboard: dune.com/pierandrea/drift
The more eyes watching on-chain, the harder it gets to hide $282 million.
TL;DR
- $282M drained from Drift Protocol on April 1, 2026
- Governance takeover via durable nonces and social engineering — no code exploit
- $231M extracted in 60 seconds across 19 tokens
- Fake token (CVT) used as collateral after weeks of wash trading
- $230M+ USDC bridged to Ethereum via CCTP — Circle failed to freeze
- ~129,000 ETH accumulated and split across Tornado Cash-funded wallets
- DPRK attribution flagged by Elliptic — 18th operation in 2026
- Full Dune dashboard tracking every step: dune.com/pierandrea/drift