Drift Protocol Hit by Admin-Key Breach as Hackers Drain Up to $285M

Drift Protocol's crisis erupted on April 1—fueling early disbelief that it was an April Fools' prank. It wasn't. On-chain trackers Lookonchain and PeckShield flagged unusual outflows around 1:30 p.m., pointing to a wallet beginning with "HkGz4K" that began rapidly draining Drift's treasury. The first major move was a withdrawal of 410 million JLP tokens valued at about $155 million, followed by transfers including 51.6 million USDC, 125,000 WSOL, and 164,000 cbBTC. Within roughly an hour, vault assets fell from about $309 million to $41 million—wiping out more than half of the protocol's TVL.

Drift confirmed the incident on X, saying the protocol was "under active attack" and that deposits and withdrawals had been paused. The team said it was coordinating with multiple security firms, cross-chain bridges, and exchanges to contain the situation, adding: "This is not an April Fools joke."

Estimates of the stolen amount vary. PeckShield put losses near $285 million, Arkham reported more than $250 million, and CertiK's early estimate was roughly $136 million. Regardless of the final figure, it ranks as the largest DeFi security incident of 2026 so far.

Investigators say the attack did not hinge on a complex smart-contract exploit. PeckShield founder Jiang Xuxian told Decrypt the protocol's admin key was "clearly compromised or breached." On-chain analysis suggests the attacker obtained privileged access and directly controlled treasury fund flows—no flash loans, oracle manipulation, or novel exploit path.

Data also indicates planning. The attacker's wallet received initial funding via Near Intents eight days before the drain, then sat idle. About a week before the attack, the wallet received a $2.52 transfer from the Drift treasury—consistent with a test transaction.

The breach lands painfully for Drift's cofounder Cindy Leow, whose rise had been held up as a marquee Solana DeFi success story.
Leow's background includes Bitcoin arbitrage between China and Korea in 2016, later work running a proprietary trading fund, and derivatives contributions in the Ethereum ecosystem. Leow cofounded Drift with David Lu in 2021, pitching on-chain perpetuals built on Solana's speed.

Drift expanded aggressively through the 2024 cycle, completing two funding rounds led by Polychain and Multicoin totaling $525 million. The project launched a prediction market positioned against Polymarket, introduced up to 50x leverage, reported TVL above $5.5 billion, and exceeded $50 billion in cumulative trading volume. In a Fortune interview, Leow framed Drift's ambition as becoming the "Robinhood of crypto."

The incident also revives an uncomfortable precedent. During the Drift v1 era in 2022, the treasury was drained in an attack. The team later published a detailed technical report and a proof-of-concept snippet showing how the attacker emptied the treasury in a single transaction. Losses then were $14.5 million, which the team reimbursed. Four years later, a similar nightmare has returned at far larger scale.

More broadly, Drift reinforces a trend the industry has been grappling with: key management has become a primary systemic risk. In early 2025, Resolv Labs' AWS Key Management Service was compromised, enabling privileged keys to authorize large-scale USR stablecoin minting and triggering cascading losses. Chainalysis reported total crypto theft hit a record $3.4 billion in 2025, noting the most damaging incidents increasingly originated at the infrastructure layer—compromised developer machines, cloud-stored minting keys, and socially engineered signing flows.

The common thread is a structural contradiction. DeFi protocols market "decentralization," "noncustodial" design, and "trustlessness," but most live systems still rely on one or more "keys to the kingdom": admin keys, upgrade rights, treasury controls, and emergency pause switches.
These controls may exist for safety and flexibility, yet they concentrate risk in a small number of human operators.

On-chain traces show the attacker moved quickly after the drain. Most assets were converted into stablecoins and bridged to Ethereum through Wormhole. On Ethereum, a portion was used to buy roughly 19,913 ETH valued around $42.6 million, with the remainder split across multiple addresses. One odd detail: the attacker's wallet still holds a large Fartcoin position representing about 2.5% of the token's total supply.

As of publication, Drift's deposits and withdrawals remain suspended. The DRIFT token fell from about $0.072 before the attack to around $0.05, down more than 28%. From its all-time high of $2.60, the token is down more than 98%. Phantom Wallet has issued warnings to users attempting to access Drift. Drift says it is working with security firms, bridge operators, and centralized exchanges to track and potentially freeze stolen funds. Past cases suggest recovery is difficult once assets have crossed bridges and been dispersed across multiple wallets.

The incident also complicates a narrative of improving DeFi security. In its end-of-2025 report, Chainalysis said DeFi security had made "substantial progress" as losses declined while TVL rebounded to $11.9 billion. The Venus Protocol case was highlighted as a success after monitoring detected anomalies 18 hours ahead of an attack, prompting a rapid shutdown and governance actions that froze attacker funds. Drift underscores a harder reality: audits and monitoring can fail catastrophically if a single admin key is compromised through phishing, social engineering, or brute force.

The question protocols must answer more candidly is what "noncustodial" means in practice when an admin key can move vault assets at will.
Eliminating administrative privileges is not always feasible, but the industry has long had tools to reduce single-point-of-failure risk: multisig governance, time locks, hardware security modules, and key rotation. The breach renews scrutiny over why so many protocols still leave hundreds of millions of dollars dependent on the operational security of just one or two people. For a sector chasing the dream of a "crypto Robinhood," Drift's hack pulls the focus back to a more basic question: who holds the key?
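
The two on-chain signals described in this article, a $2.52 transfer from the treasury to a fresh wallet about a week before the drain and a vault falling from about $309 million to $41 million within roughly an hour, can both be written as treasury-monitoring rules. The sketch below is an added example, not code from Drift or any firm named here; the record layout, thresholds, wallet labels and timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    ts: int      # unix seconds (constructed)
    dest: str    # recipient label (placeholder, not a real address)
    usd: float   # USD value at transfer time

def review_outflows(transfers, vault_usd, known_dests,
                    probe_usd=10.0, window_s=3600, max_drain=0.10):
    """Return (ts, rule, dest) alerts for treasury outflows, oldest first.

    Thresholds are illustrative assumptions, not recommended values.
    """
    alerts, seen, window, balance = [], set(known_dests), [], vault_usd
    for t in sorted(transfers, key=lambda x: x.ts):
        # Rule 1: a dust-sized payment to a recipient the treasury has never
        # paid before looks like someone testing that a signing path works.
        if t.dest not in seen and t.usd <= probe_usd:
            alerts.append((t.ts, "probe-to-new-recipient", t.dest))
        seen.add(t.dest)
        # Rule 2: outflow inside the rolling window, measured against the
        # balance held when that window opened.
        window = [w for w in window if t.ts - w.ts < window_s] + [t]
        balance -= t.usd
        drained = sum(w.usd for w in window)
        if drained > max_drain * (balance + drained):
            alerts.append((t.ts, "drain-velocity", t.dest))
    return alerts

DAY = 86_400
# Constructed sample: amounts echo figures quoted in the article,
# timestamps and wallet labels are invented.
SAMPLE = [
    Transfer(0, "ops-wallet", 50_000),
    Transfer(1 * DAY, "new-wallet", 2.52),
    Transfer(8 * DAY, "new-wallet", 155_000_000),
    Transfer(8 * DAY + 600, "new-wallet", 51_600_000),
]

if __name__ == "__main__":
    for alert in review_outflows(SAMPLE, 309_000_000, {"ops-wallet"}):
        print(alert)
```

On the sample, the probe rule fires a week before either velocity alert, which is the window in which a key rotation or pause could still have been triggered.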