Drift Protocol is suspected to have suffered an internal attack, causing the DRIFT token to plummet 18% within an hour.

Drift Protocol, a decentralized perpetual contract exchange built on Solana, suffered a serious security incident on April 2. Initial estimates indicate that suspicious transfers involved approximately $220 million to $270 million in assets, and the protocol’s TVL (total value locked) dropped sharply to $255 million. After the news was made public, the DRIFT native token fell by about 18% within the first hour, plunging from its intraday high of $0.68.

What Happened: April Fools’ Day warning comes true, and the market is caught off guard

The attack unfolded with a dramatic twist. On April 1, April Fools’ Day, Mert Mumtaz, co-founder and CEO of Helius, issued the first warning on X, saying that there is “a very likely large-scale exploit,” and urgently called on Circle to respond. Because it coincided with April Fools’ Day, the crypto community initially widely believed it was just a joke. However, as Mert repeatedly emphasized the real urgency of the incident, the market quickly reacted.

In its initial announcement, Drift Protocol stated that it had detected “abnormal trading activity” on the platform and instructed users to pause deposits. It later further announced a complete suspension of deposit and withdrawal functions. In the initial notice, the official did not disclose the extent of losses, stating that the investigation is ongoing.

Tracking the Money Flow: The Multichain Transfer Path from SOL to ETH

(Source: SolScan)

According to the latest on-chain data, the attackers’ funds moved as follows:

Initial Transfer: Approximately $220 million to $270 million in assets were transferred to the address “HkGz4K”

Ethereum Bridging: Some of the funds were bridged to Ethereum; as of the latest figures, 19,913 ETH have been purchased (about $42.6 million)

Hyperliquid Routing: Some stolen SOL was routed to Hyperliquid and exchanged for ETH

Binance Inflow: Some stolen SOL was sent directly to Binance

The preliminary stolen asset types include meme-coin packaged versions such as BTC, Jito (JTO), and Fartcoin (FRT), along with various altcoins, as well as stablecoins denominated in USD, EUR, and JPY. The attackers prioritized swapping these different assets into USDC, and then bridging to Ethereum to buy ETH, in order to cut off on-chain tracking paths. JLP (Jupiter liquidity provider) main position in this incident lost about $155.6 million, making it the largest single disclosed victim so far.

Ecosystem Chain Reaction: Jupiter Statement and Immunefi Warning of Long-Term Damage

Jupiter released an official statement to clarify that the Jupiter platform itself was not affected. Jupiter Lend was not involved with the Drift market. It also said that JLP assets are “entirely supported by underlying assets,” and described this as a “tough day” for the Solana DeFi ecosystem, expressing care for the Drift team and the users affected.

Immunefi, a security firm, provided a more sobering long-term perspective through its statistics: among the platforms attacked by hackers, about 83% of native tokens can never recover to their pre-attack price levels. Immunefi CEO Mitchell Amador noted: “Stolen funds are only the first layer of losses; next often comes greater damage—token prices under long-term pressure, treasury capacity shrinking, leadership instability, lost development time, and a continued outflow of user trust.”

Frequently Asked Questions

What is the root cause of Drift Protocol’s attack?

According to analysis by blockchain security researcher Vladimir S, the most likely root cause is a leaked private key from a crypto wallet, and the attack may have involved compromising the administrator signature system or malicious actions by insiders. Drift Protocol’s official side has not yet formally confirmed the specific cause. The investigation is still ongoing. Cointelegraph has contacted Drift and has not yet received an official response.

Was the Jupiter platform affected by the Drift Protocol attack?

Jupiter’s official statement explicitly says the platform was not affected. The Jupiter Lend lending product is not involved with the Drift market, and JLP assets are “fully backed by underlying assets.” In its statement, Jupiter specifically emphasized that JLP holders do not need to worry about suffering direct losses as a result of this incident.

Can the DRIFT token recover to its pre-attack price after the attack?

Based on Immunefi’s historical statistics, among platforms attacked by hackers, about 83% of native tokens can never recover to their pre-attack price levels. Investors should carefully assess DRIFT’s medium- to long-term outlook, closely monitor Drift Protocol’s official incident reports, the progress of fund recovery, and any compensation plan, to determine the project’s recovery path.