Drift Protocol Suffers $285M Hack via Stolen Admin Key

Summary
Drift Protocol, the leading futures exchange on Solana, confirmed a hack on April 1, 2026, in which $285 million was stolen via a compromised admin key. The attackers drained JLP tokens, USDC, WSOL, and cbBTC, having tested the exploit weeks in advance. Drift suspended deposits and withdrawals following the breach. The stolen funds were converted into stablecoins and transferred to Ethereum via Wormhole, resulting in the purchase of 19,913 ETH. Drift’s protocol update has not yet outlined long-term remediation measures.

Drift cut straight into the industry's most painful wound.

April 1st, April Fools' Day.

Drift Protocol, the largest perpetuals exchange on Solana, was being drained, and the community's first reaction was, "Nice April Fools' joke."

This is not a joke. Around 1:30 PM, the on-chain monitoring accounts Lookonchain and PeckShield sounded alarms almost simultaneously: a mysterious wallet starting with "HkGz4K" was rapidly siphoning assets from Drift’s treasury. The first withdrawal: 410 million JLP tokens, worth $155 million. Immediately followed by 51.6 million USDC, 125,000 WSOL, 164,000 cbBTC... Dozens of assets flowed out like water draining from a bathtub.

One hour. Vault assets dropped from $309 million to $41 million—more than half of the TVL, evaporated.

The Drift team posted a tweet on X with unusually urgent wording: "Drift Protocol is under active attack. Deposits and withdrawals have been paused. We are coordinating with multiple security firms, cross-chain bridges, and exchanges to contain the situation."

Then came the line destined to be written into crypto history: "This is not an April Fools joke."

A single key opens all doors.

The stolen amount from Drift varies across sources. PeckShield estimates approximately $285 million, Arkham reports over $250 million, and CertiK’s preliminary assessment is around $136 million. Regardless of which figure proves accurate, this is the largest DeFi security incident of 2026 to date.

More important than the numbers is the method of attack.

PeckShield founder Jiang Xuxian told Decrypt bluntly: "The admin key behind Drift was clearly compromised or breached." On-chain researchers pieced together an attack profile showing that the hacker gained privileged access to the Drift protocol and took control of the treasury’s fund flows.

In other words, no sophisticated smart contract exploits, no flash loan attacks, no oracle manipulation—just the most basic, age-old security failure: someone lost their private key.

An even more troubling detail: the attacker did not act on impulse. On-chain data shows that this wallet received initial funding via Near Intents eight days before the attack, after which it remained dormant. A week before the attack, it even received a tiny transfer of $2.52 from the Drift treasury—a test, a knock on the door.

A week later, the door was kicked in.
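The $2.52 transfer a week before the drain is exactly the kind of signal a treasury-outflow monitor can catch. The following Python script is an added example, not code from the original article or from Drift: it scans a constructed ledger (placeholder addresses, amounts following the article's timeline) for dust-sized payments to never-before-seen addresses, and escalates any large outflow to an address that was probed this way within the previous two weeks. The threshold values, the allowlist, the 14-day window and the address labels are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import NamedTuple

# Hypothetical labels, not real on-chain addresses.
TREASURY = "DRIFT_TREASURY_VAULT"
DUST_USD = 10.0             # outflows at or below this size are "knock on the door" candidates
LARGE_USD = 1_000_000.0     # outflows at or above this size always get reviewed
PROBE_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    token: str
    usd: float


class Alert(NamedTuple):
    severity: str   # "medium", "high" or "critical"
    ts: datetime
    dst: str
    reason: str


def analyze_outflows(transfers, allowlist):
    """Flag treasury outflows matching the probe-then-drain pattern.

    allowlist: destinations the treasury is expected to pay (market makers,
    insurance fund, ...). Any other address is 'unseen' until the treasury
    has already paid it once.
    """
    seen = set(allowlist)
    probes = {}    # dst -> time of the first dust-sized outflow to it
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src != TREASURY or t.dst in allowlist:
            continue   # third-party funding flows and routine payouts are out of scope here
        if t.usd <= DUST_USD and t.dst not in seen:
            probes.setdefault(t.dst, t.ts)
            alerts.append(Alert("medium", t.ts, t.dst,
                                f"dust-sized outflow ({t.usd:.2f} USD) to previously unseen address"))
        elif t.usd >= LARGE_USD:
            probed_at = probes.get(t.dst)
            if probed_at is not None and t.ts - probed_at <= PROBE_WINDOW:
                days = (t.ts - probed_at).days
                alerts.append(Alert("critical", t.ts, t.dst,
                                    f"large outflow ({t.usd:,.0f} USD) to address probed {days} days earlier"))
            else:
                alerts.append(Alert("high", t.ts, t.dst,
                                    f"large outflow ({t.usd:,.0f} USD) to non-allowlisted address"))
        seen.add(t.dst)
    return alerts


# Constructed sample ledger following the article's timeline (USD amounts,
# placeholder addresses). The attacker wallet is funded by a third party,
# receives a $2.52 probe from the treasury, then the large withdrawals follow.
SAMPLE = [
    Transfer(datetime(2026, 3, 24, 9, 0), "NEAR_INTENTS_ROUTER", "HkGz4K_PLACEHOLDER", "SOL", 120.0),
    Transfer(datetime(2026, 3, 25, 10, 0), TREASURY, "MARKET_MAKER_A", "USDC", 2_500_000.0),
    Transfer(datetime(2026, 3, 25, 12, 0), TREASURY, "HkGz4K_PLACEHOLDER", "USDC", 2.52),
    Transfer(datetime(2026, 3, 26, 15, 0), TREASURY, "NEW_VENUE_B", "USDC", 3_000_000.0),
    Transfer(datetime(2026, 4, 1, 13, 30), TREASURY, "HkGz4K_PLACEHOLDER", "JLP", 155_000_000.0),
    Transfer(datetime(2026, 4, 1, 13, 35), TREASURY, "HkGz4K_PLACEHOLDER", "USDC", 51_600_000.0),
]
ALLOWLIST = {"MARKET_MAKER_A"}


def run_sample():
    return analyze_outflows(SAMPLE, ALLOWLIST)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity.upper():8}] {a.ts:%Y-%m-%d %H:%M} -> {a.dst}: {a.reason}")
```

On the sample, the $2.52 payment produces a medium alert on March 25, the $3M payment to an unprobed new venue is merely "high", and both April 1 withdrawals are "critical" because they go to the address probed seven days earlier. The medium alert is the one that matters: it fires a week before any money is at risk, which is the window a team needs to rotate the key and ask who authorized a $2.52 treasury transfer.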

The fall of the crypto version of Robinhood

For Drift’s co-founder Cindy Leow, the nightmare of April 1st had an especially cruel undertone.

The story of this Malaysian-Chinese entrepreneur was once one of Solana DeFi’s most inspiring narratives. Starting with Bitcoin arbitrage between China and Korea in 2016, she later ran a proprietary trading fund and contributed to derivatives projects on Ethereum. In 2021, she co-founded Drift with David Lu, betting on Solana’s speed advantage to build on-chain perpetual contracts.

From a timeline perspective, Drift has ridden nearly every wave. In 2024, it secured two funding rounds led by Polychain and Multicoin, totaling $525 million. It launched a prediction market to compete with Polymarket, introduced 50x leverage, achieved a TVL exceeding $5.5 billion, and surpassed $50 billion in cumulative trading volume. In an interview with Fortune, Leow positioned the platform with an ambitious goal: to become the "Robinhood of crypto."

This analogy now reads as bittersweet. Robinhood’s core promise was to give ordinary people access to Wall Street’s financial tools. Drift’s core promise is to give users a “non-custodial” trading experience on-chain, where your funds never pass through anyone’s hands—only interacting with code.

But behind the code lies an admin key, and the security of this key ultimately depends on people, not cryptography.

There’s another unnerving historical coincidence here. In 2022, during the Drift v1 era, the treasury was drained once before. The team later published an extremely detailed technical report, even releasing a proof-of-concept code snippet demonstrating how the attacker emptied the entire treasury in a single transaction. The loss from that incident amounted to $14.5 million, which the team fully reimbursed out of their own pockets.

Four years later, the same nightmare replayed at twenty times the scale.

Decentralized belief, centralized vulnerability

Pull back the focus from Drift, and you’ll notice an unsettling pattern emerging.

In early 2025, Resolv Labs’ AWS Key Management Service was compromised, allowing attackers to use privileged keys to authorize large-scale USR stablecoin minting, triggering cascading losses across platforms. That same year, the total value of crypto stolen reached a record $3.4 billion, and Chainalysis’s report highlighted a significant shift in the trend: the most devastating incidents occurred at the infrastructure level. Compromised developer machines, single minting keys stored in the cloud, and socially engineered signing processes were the true black holes consuming funds.

Now add Drift.

When you examine these cases together, one conclusion is nearly unavoidable: private key security has replaced smart contract vulnerabilities as DeFi’s largest systemic risk.

There is a knowledge gap here large enough to swallow billions of dollars.

DeFi protocols tell a story of "decentralization," "non-custodial" operation, and "trustlessness." Your assets are held by code, with no intermediaries able to touch your funds. Users buy into this story, depositing their money into these protocols, believing they're dealing with mathematics.

But the reality is that nearly every live DeFi protocol has one or more "keys to the kingdom"—admin keys, upgrade privileges, treasury control, and emergency pause switches. These keys exist sometimes for security (to enable an emergency stop if something goes wrong) and sometimes for flexibility (to upgrade contract logic), but their essence is the same: a centralized point of trust wrapped in a decentralized narrative.

Users think they are interacting with code. In reality, they are trusting one person—or a small group—to never make mistakes, never fall for phishing, never be coerced, and never leave their laptop at a café late at night.

This is not an issue unique to Drift; it is a structural contradiction across the entire DeFi industry.

Where did the $285 million go?

The attacker's on-chain actions were clean and precise, displaying the calm of a professional.

After withdrawing assets from the Drift vault, he quickly converted most of the tokens into stablecoins and transferred the funds to the Ethereum network via the Wormhole bridge. On Ethereum, he used a portion of the stablecoins to purchase approximately 19,913 ETH (valued at around $42.6 million), with the remaining funds distributed across multiple wallet addresses.

There’s a bizarre detail: the attacker’s wallet still holds a large amount of Fartcoin, accounting for approximately 2.5% of the token’s total supply. A hacker who just carried out the year’s largest DeFi heist is sitting on a pile of meme coins named after flatulence.

As of press time, deposits and withdrawals on Drift remain suspended. The DRIFT token has dropped from approximately $0.072 before the attack to around $0.05, a decline of over 28%. From its all-time high of $2.60, the cumulative decline exceeds 98%. Phantom Wallet has issued warnings to users attempting to access Drift.

The Drift team says it is coordinating with security firms, cross-chain bridge operators, and centralized exchanges to attempt to freeze and track the stolen funds. However, if history is any guide, the prospects of recovering funds that have already crossed bridges and been dispersed across multiple wallets are poor.

A question the industry must honestly confront


In its report at the end of 2025, Chainalysis optimistically noted that DeFi security had made "substantial progress," as DeFi hacker losses declined even as TVL doubled back to $11.9 billion. The Venus Protocol case was cited as a positive example: its security monitoring system detected anomalies 18 hours before the attack, prompting the protocol to swiftly suspend operations, while its governance mechanism froze the attacker’s funds—resulting in the attacker even losing money.

Drift undermines this "narrative of progress." You can perform flawless smart contract audits and deploy the most advanced on-chain monitoring, but if a single admin key is compromised through social engineering, phishing, or brute force, all your security infrastructure crumbles like a castle built on sand.

The DeFi industry needs to pause and honestly answer this question: When you tell users "non-custodial," what do you actually mean?

If the protocol's admin key can transfer all assets from the vault at any time, what’s the difference between that and depositing money into a bank account owned by someone you don’t know? At least banks have insurance, regulation, and legal recourse.

The answer may not be to eliminate these administrative privileges—in many cases, their existence is necessary. But at the very least, the industry should stop pretending they don’t exist. Multi-signature governance, time locks, hardware security modules, key rotation… these technical solutions have been available for years, yet too many protocols still entrust hundreds of millions of dollars in security to the vigilance of just one or two human operators.
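The multi-signature and time-lock controls named above can be shown concretely. The following Python model is an added example, not code from the original article or from Drift's own on-chain program: a vault whose admin withdrawals need two of three signers and then wait one day before execution, during which a guardian role can cancel. The signer names and secrets, the HMAC stand-in for on-chain signatures, the guardian role, the one-day delay and the dollar amounts are all constructed assumptions. It walks three scenarios: one stolen key, two stolen keys caught during the delay, and a legitimate payout.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional


def canonical(action: dict) -> bytes:
    """Deterministic encoding so every signer signs exactly the same bytes."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, action: dict) -> str:
    """Stand-in for an on-chain signature: HMAC-SHA256 over the canonical action."""
    return hmac.new(secret, canonical(action), hashlib.sha256).hexdigest()


@dataclass
class Proposal:
    action: dict
    approvals: set = field(default_factory=set)
    queued_at: Optional[int] = None   # set when the approval threshold is reached
    cancelled: bool = False
    executed: bool = False


class TimelockedMultisig:
    """Admin authority over a vault: k-of-n approvals, then a mandatory delay
    during which a guardian can cancel. Times are integer seconds."""

    def __init__(self, signer_secrets, threshold, delay, guardians, balance_usd):
        self.secrets = dict(signer_secrets)   # signer -> secret, used only to verify here
        self.threshold = threshold
        self.delay = delay
        self.guardians = set(guardians)
        self.balance_usd = balance_usd
        self.proposals = []

    def propose(self, action):
        self.proposals.append(Proposal(action))
        return len(self.proposals) - 1

    def approve(self, pid, signer, signature, now):
        p = self.proposals[pid]
        if signer not in self.secrets:
            return "rejected: unknown signer"
        if not hmac.compare_digest(sign(self.secrets[signer], p.action), signature):
            return "rejected: bad signature"
        p.approvals.add(signer)
        if p.queued_at is None and len(p.approvals) >= self.threshold:
            p.queued_at = now   # the timelock starts counting only now
        return "approved"

    def cancel(self, pid, guardian):
        if guardian not in self.guardians:
            return "rejected: not a guardian"
        self.proposals[pid].cancelled = True
        return "cancelled"

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.cancelled:
            return "rejected: cancelled by guardian"
        if p.executed:
            return "rejected: already executed"
        if p.queued_at is None:
            return f"rejected: {len(p.approvals)}/{self.threshold} approvals"
        if now < p.queued_at + self.delay:
            return f"rejected: timelock active until t={p.queued_at + self.delay}"
        amount = p.action["amount_usd"]
        if amount > self.balance_usd:
            return "rejected: insufficient balance"
        self.balance_usd -= amount
        p.executed = True
        return "executed"


# Constructed secrets and amounts; the vault figure echoes the article's $309M.
SECRETS = {"alice": b"constructed-secret-alice", "bob": b"constructed-secret-bob",
           "carol": b"constructed-secret-carol"}
DAY = 24 * 3600
DRAIN = {"type": "vault_withdraw", "to": "ATTACKER_PLACEHOLDER", "amount_usd": 285_000_000}
PAYOUT = {"type": "vault_withdraw", "to": "INSURANCE_FUND_PLACEHOLDER", "amount_usd": 1_000_000}


def new_vault():
    return TimelockedMultisig(SECRETS, threshold=2, delay=DAY, guardians={"guardian"},
                              balance_usd=309_000_000)


def scenario_one_key_stolen():
    """Attacker holds alice's key only: can propose and approve, never execute."""
    v = new_vault()
    pid = v.propose(DRAIN)
    v.approve(pid, "alice", sign(SECRETS["alice"], DRAIN), now=0)
    forged = v.approve(pid, "bob", sign(b"guessed-secret", DRAIN), now=0)   # no key, no approval
    return forged, v.execute(pid, now=2 * DAY), v.balance_usd


def scenario_two_keys_stolen_guardian_cancels():
    """Attacker holds two keys: the drain queues, but the delay leaves a window to cancel."""
    v = new_vault()
    pid = v.propose(DRAIN)
    v.approve(pid, "alice", sign(SECRETS["alice"], DRAIN), now=0)
    v.approve(pid, "bob", sign(SECRETS["bob"], DRAIN), now=60)
    early = v.execute(pid, now=3600)        # too soon: timelock still running
    v.cancel(pid, "guardian")               # monitoring spotted the queued drain
    return early, v.execute(pid, now=2 * DAY), v.balance_usd


def scenario_legitimate_payout():
    """Honest path: two signers, delay respected, funds move."""
    v = new_vault()
    pid = v.propose(PAYOUT)
    v.approve(pid, "alice", sign(SECRETS["alice"], PAYOUT), now=0)
    v.approve(pid, "bob", sign(SECRETS["bob"], PAYOUT), now=0)
    return v.execute(pid, now=DAY), v.balance_usd
```

With a single stolen key the attacker gets no further than a pending proposal, and the vault balance never moves. With two stolen keys the drain does queue, but the one-day delay turns the compromise into a visible on-chain event that a guardian (or the kind of monitoring the Venus case relied on) can cancel before execution. The delay only helps if someone is actually watching the queue; a timelock nobody monitors is just a slower drain.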

The dream of a "crypto Robinhood" sounds great. But before achieving it, perhaps a more fundamental question should be answered first: Who is holding the key?

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.