The ongoing exploit of Solana-based perpetuals DEX Drift Protocol has seen over $270 million in assets drained, with the attacker actively converting stolen funds into ETH after bridging to Ethereum, according to on-chain tracking by Lookonchain.
The incident, first flagged earlier today, involves suspicious transfers to the wallet HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES. Initial reports confirmed that roughly $270 million in assets, including JLP, USDC, cbBTC, and other tokens, was moved out of Drift’s vaults, whose value reportedly dropped from approximately $309 million to as low as $24 million.
Latest On-Chain Developments
- Swapping and Bridging Activity: The exploiter has been rapidly swapping stolen assets into USDC and bridging them to Ethereum to purchase ETH. As of 17:49 UTC, 19,913 ETH (valued at ~$42.6 million) had been acquired via the Ethereum address 0xd91a122b585bc588c9a48d0995ee0d7b4f8ab7dd.
- Update at 18:17 UTC: The attacker’s ETH purchases have now reached 38,820 ETH (approximately $82.66 million).
- Additional Routes: The exploiter bridged SOL to Ethereum via Chainflip (from address 6W6Lfe, Swap ID: 1436734) to the destination address 0xd91a122b585bc588c9a48d0995ee0d7b4f8ab7dd. It did not go to HyperLiquid or Binance.
This conversion activity is ongoing, with the attacker appearing to favor ETH as the primary exit asset. No signs of freezing or intervention on the USDC side have been publicly confirmed yet.
Official Response from Drift Protocol

“We are observing unusual activity on the protocol. We are currently investigating. Please do not deposit funds into the protocol while we investigate. This is not an April Fools joke. Proceed with caution until further notice. We’ll provide additional updates from this account.”
As of 18:54 UTC, no additional statements have been issued by @DriftProtocol. The protocol remains in a high-risk state.
Broader Context and Market Impact
- Scale: The breach represents roughly 50% of Drift’s TVL at the time and is the largest reported Solana ecosystem exploit since the 2022 Wormhole incident. It also ranks as one of the biggest DeFi hacks of 2026 so far.
- Phantom Wallet Advisory: Wallet provider Phantom has issued a warning for users attempting to access Drift, noting security team investigations and requiring acknowledgment of risks before proceeding.
- DRIFT Token: The governance token continued to trade under heavy pressure following the news.
What Users Should Do
- Avoid Interaction: Do not deposit, trade, or interact with Drift Protocol until the team confirms the situation is resolved.
- Wallet Safety: Revoke any approvals tied to Drift contracts immediately. Monitor connected wallets closely.
- Official Sources Only: Rely exclusively on @DriftProtocol for verified updates. Ignore unsolicited links, refund offers, or compensation claims; these are phishing vectors.
- Track Activity: Follow on-chain explorers (Arkham Intelligence, Solscan) and accounts like @lookonchain for real-time movements of the flagged wallets.
The exploit remains live and fluid, with the attacker still liquidating positions and repositioning into ETH. This event highlights persistent risks in DeFi smart contracts and multi-chain bridging. Further updates from Drift or security firms are expected as the investigation progresses.
This independent report compiles official statements and verified on-chain data as of April 1, 2026, 18:54 UTC. Figures are preliminary and subject to change.








