Multi-month DPRK-attributed social engineering operation culminating in privileged-access compromise; attacker drained ~$285-286M in user assets in ~12 minutes, then bridged to Ethereum within hours.
Drift Protocol — the largest perpetual futures DEX on Solana — was drained of ~$285-286M in user assets in roughly 12 minutes on 2026-04-01. Elliptic, TRM Labs, and Chainalysis independently attributed the attack to DPRK-linked actors based on on-chain behavior, laundering methodology, and network-level indicators. Operational tradecraft: the attackers ran a six-month social engineering campaign that included deploying a fake collateral token ('CarbonVote' / CVT) to use as artificial collateral and ultimately to obtain privileged access. Most stolen funds were bridged to Ethereum within hours. This is the largest DeFi hack of 2026 to date and the second-largest security incident in the Solana ecosystem after the 2022 Wormhole bridge exploit.
- chain: solana
- protocol: Drift Protocol
- bug_class: social-engineering
- date_occurred: 2026-04-01
- loss_usd: $286,000,000
- classification: Infrastructure / Operational Security
- technique: Privileged-Access Compromise via Social Engineering
- target_type: DeFi Protocol — Perpetual Futures DEX
- source_id: cb:drift-protocol-2026-04-01