thehackernews.com 4/3/2026, 9:34:42 AM

Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK

Primary Source x.com

Drift, a Solana-based decentralised exchange, confirmed that attackers drained about $285 million from the platform during a security incident that took place on 1 April 2026. The company described a novel attack involving durable nonces that allowed a malicious actor to rapidly take over Drift’s Security Council administrative powers.

Drift stated that the breach did not exploit a vulnerability in its programs or smart contracts, and that there is no evidence of compromised seed phrases. It instead attributed the breach to unauthorized or misrepresented transaction approvals obtained through durable nonce mechanisms and social engineering. Preparations for the hack were underway as early as 23 March 2026. Drift said it is coordinating with multiple security firms and working with bridges, exchanges and law enforcement to trace the stolen assets.

According to TRM Labs, the attacker used a fictitious asset, the CarbonVote Token, which was treated by Drift’s oracles as legitimate collateral worth hundreds of millions of dollars. Elliptic’s analysis also notes on-chain indicators and laundering patterns consistent with DPRK-linked actors. The incident is described as potentially the eighteenth DPRK act in 2026.


Article by CyberSIXT