Friday, April 10, 2026

Credit: DLNews, Drift Protocol, DefiLlama, Mert, Vladimir S., Peckshield, Arkham Intelligence, Lookonchain, Unchained, CCN, CoinTelegraph, Andrew Hong, QuillAudits, wublock, ZachXBT, Specter, Temmy, TheBlock, molu, Fabiano, Omer Goldberg, Hayden Adams, Cube Exchange, BleepingComputer, Halborn, Tayvano, Ariel Givner, CoinDesk, The Hacker News, Mitchell Amador, TRM, Blockworks, Chainalysis, Patrick Collins

Mert saw it first.

On the morning of April 1st, the CEO of Helius, one of Solana's most critical infrastructure providers, posted a hedge that no one in DeFi ever wants to read: "Not 100% fully certain yet, but it seems drift might be getting exploited."

Minutes earlier, he had already flagged the situation to Circle directly, urging someone to reach out "asap" over what he called a "high likelihood of a potentially large exploit."

Circle did not respond publicly.

Twenty minutes later, Vladimir S. had the numbers: Two addresses, roughly $200 million in SOL already moved, and a note that the exploit had been running quietly for a week.

PeckShield sent Drift a public nudge after that.

Drift's official acknowledgement came nearly an hour after the first public alarm.

"We are observing unusual activity on the protocol. We are currently investigating. Please do not deposit funds into the protocol while we investigate. This is not an April Fools joke."

That last line had to be written. April 1st meant the first wave of users who saw the warning assumed it was a bit.

Shortly after that first acknowledgment, Drift confirmed an active attack, suspended deposits and withdrawals, and announced coordination with "multiple security firms, bridges, and exchanges."

They repeated the line again, "this is not an April Fools joke", as if repetition might make people take it seriously this time.

By then, Arkham Intelligence had tracked over $268 million moving from Drift's vault to an interim wallet.

Attacker’s Address on Arkham:
98e28143-3e15-4e2a-8527-f30d4c7c11aa

The vault's balance had collapsed from $309 million to $41 million. Then lower. Currently sitting just south of $8 million.

The attacker, meanwhile, was already converting to ETH.

If the first public warning came an hour before Drift confirmed anything, and the drain was already finished by then, what exactly was the monitoring infrastructure watching?

Read more »

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.