
The Solana-based decentralized finance protocol Drift lost more than $280 million in a recent attack, making it the largest security incident of the year so far.
Just hours ago, Drift confirmed it was "experiencing an active attack," and that deposits and withdrawals had been suspended while attempts to contain the incident were ongoing.
"This is not an April Fool's joke," the team added.
Later, it said the malicious actor gained unauthorized access to Drift Protocol through a “novel attack,” taking over Drift’s Security Council administrative powers.
While initial estimates suggested losses could reach $200 million, researchers at crypto security firm CertiK now claim losses have already exceeded $280 million, with dozens of tokens stolen, including stablecoins and tokenized bitcoin.
This makes it the "largest security incident in 2026 so far," CertiK said.
Drift also confirmed this figure.
According to Lookonchain, criminals swapped more than $270 million worth of cryptoassets into the USD coin (USDC) stablecoin to eventually buy ethereum (ETH).
On Thursday morning, Drift also confirmed what other analysts had already said: that the attacker obtained 2 of the 5 signers needed to confirm a multisignature transaction.
“This attack was enabled by a combination of: Pre-signed durable nonce transactions, allowing delayed execution; Compromise of multiple multisig signers’ approvals, likely through targeted social engineering or transaction misrepresentation,” the team concluded.
Omer Goldberg, founder of Chaos Labs, a blockchain intelligence and security firm, noted that a week ago, Drift moved to a new multisignature address created by a signer from the old "multisig," a wallet that requires more than one signature to authorize a crypto transaction. However, this signer did not add themselves to the new one.
"The exploiter also initiated the proposal in the old multisig to hand over admin control to this new wallet. Of the 5 signers on the new multisig, only 1 came from the previous setup – the other 4 were brand-new," Goldberg said, adding that the wallet was set with a 2/5 threshold and a 0-second timelock, which allows a transaction to be executed immediately.
Therefore, according to the founder, the sole carryover signer used the new multisig to propose changing Drift’s admin, and one of the new signers co-signed a second later, instantly meeting the 2/5 threshold and allowing criminals to steal the funds.
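A defender-side review of the handover Goldberg describes, as an added example (not code from Drift, Chaos Labs or any wallet vendor): it compares a proposed admin multisig against the old one and reports the properties named above. The policy limits, the old multisig's makeup and all signer names are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed review policy (illustrative values, not from Drift or any vendor).
MIN_TIMELOCK_SECONDS = 24 * 3600
MIN_CARRYOVER_FRACTION = 0.5

@dataclass(frozen=True)
class Multisig:
    signers: frozenset
    threshold: int
    timelock_seconds: int

def review_admin_handover(old, new, creator):
    """Return findings for handing admin control from `old` to `new`."""
    findings = []
    n = len(new.signers)
    if not 1 <= new.threshold <= n:
        return [f"invalid threshold {new.threshold} for {n} signers"]
    # A threshold at or below half the signers lets a minority act alone.
    if new.threshold * 2 <= n:
        findings.append(f"threshold {new.threshold}/{n} is not a majority")
    # Without a delay, nobody can veto a proposal once the threshold is met.
    if new.timelock_seconds < MIN_TIMELOCK_SECONDS:
        findings.append(f"timelock of {new.timelock_seconds}s leaves no veto window")
    carried = old.signers & new.signers
    if len(carried) < MIN_CARRYOVER_FRACTION * n:
        findings.append(f"only {len(carried)} of {n} signers carried over")
    # Can the threshold be met without any signer from the old multisig?
    if n - len(carried) >= new.threshold:
        findings.append("brand-new signers alone can meet the threshold")
    # The account that set up the wallet should be accountable within it.
    if creator not in new.signers:
        findings.append("creator of the new multisig is not one of its signers")
    return findings

# Constructed sample: OLD is invented; AS_REPORTED uses the figures quoted above.
OLD = Multisig(frozenset({"old-a", "old-b", "old-c"}), 2, 86400)
AS_REPORTED = Multisig(
    frozenset({"old-b", "new-1", "new-2", "new-3", "new-4"}), 2, 0)
HARDENED = Multisig(
    frozenset({"old-a", "old-b", "old-c", "new-1", "new-2"}), 4, 48 * 3600)

if __name__ == "__main__":
    for name, cfg in (("as reported", AS_REPORTED), ("hardened", HARDENED)):
        print(name, review_admin_handover(OLD, cfg, creator="old-a"))
```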
Meanwhile, threat researcher Vladimir S. (@officer_secret) noted that Drift had an event on March 25th, and the exploiter's first funding transactions came roughly 12 hours before this event started.
"Guess the issue is OpSec related… Maybe hijacked cameras or some kind of physical intervention took place there. My idea is to double-check everything related to this event. Both online and offline vectors," he suggested.
For context, March was marked by 20 major incidents that resulted in $52 million in losses, or 96% more than in February, according to PeckShield data.