Monday, April 6, 2026

Drift’s $280M Hack Mirrors the Bybit Attack. Here’s Why

The Bybit attack taught crypto one brutal lesson: the weakest link is not always the code. Drift Protocol’s $280 million exploit just repeated it.

On April 1, 2026, Drift Protocol, a Solana-based decentralized exchange, lost an estimated $280 to $286 million in a sophisticated multisig compromise. No smart contract bug. No protocol flaw. Just humans getting fooled, again.

Drift has since sent on-chain messages to wallets holding the stolen ETH, urging the attacker to reach out via Blockscan chat. 

Here is why this attack looks so familiar.

Neither Attack Touched the Code

This is the part that should make every DeFi user uncomfortable.

Ledger CTO Charles Guillemet confirmed the Drift incident was not a smart-contract vulnerability. Instead, it was a long-running compromise of the multisig process. The attacker likely gained control of multisig holders’ devices and misled operators into approving malicious transactions.

Guillemet said this method closely resembled the Bybit attack. In Bybit’s case, signers were tricked through a compromised Safe UI. In Drift’s case, the method differed, but the result was the same: insiders unknowingly signed off on something they never should have.

As blockchain security platform Cyvers put it: “This closely mirrors the Bybit hack, different technique, same root issue: signers unknowingly approving malicious transactions.”

The Setup Took Weeks. The Drain Took Minutes.

On-chain staging for the Drift attack began on March 11, nearly three weeks before the April 1 execution. Attacker infrastructure, token manufacturing, and social engineering all ran in parallel.

Cyvers confirmed the attacker set up durable nonces, a Solana feature allowing users to pre-sign transactions for future execution, days before the exploit landed.

The Bybit attack followed the same pattern. Weeks of access planting, minutes of actual execution. This is not a smash-and-grab. It is a slow, calculated campaign targeting human operators, not protocol logic.

The Laundering Playbook Matched Too

TRM Labs found several on-chain indicators consistent with North Korean tradecraft in the Drift hack. These included the use of Tornado Cash for initial staging, cross-chain bridging patterns, and the speed and scale of post-hack laundering, all consistent with techniques seen in the Bybit attack of 2025.

In fact, post-hack laundering in the Drift case exceeded the pace of the Bybit attack in both speed and transaction size, moving millions per transaction within hours of the drain.

Same Suspected Actor, Same Fingerprints

Multiple researchers pointed at North Korean hackers independently, noting the tactics resembled those used in the $1.5 billion Bybit attack. Guillemet also suggested North Korea-linked actors may be involved, though details remain unconfirmed as of publication.

The Solana fallout kept spreading too. According to SolanaFloor, Drift’s exploit hit at least 20 Solana protocols, with DeFi platform Gauntlet alone taking a $6.4 million impact. Cyvers confirmed no funds had been recovered 48 hours after the attack.

What This Means Going Forward

Two massive hacks. Same human-layer failure. That pattern should push every protocol to rethink operational security, not just smart contract audits.

Multisig setups are only as secure as the people and devices behind them. Hardware wallet verification, strict signing ceremonies, and independent transaction confirmation are no longer optional.

The Bybit attack was supposed to be a wake-up call. Drift suggests the industry hit snooze.

What is the Drift Protocol hack? 

Drift Protocol, a Solana DEX, lost roughly $280 to $286 million on April 1, 2026, in a multisig compromise. The attacker staged the operation over weeks before executing the drain.

How does the Drift hack mirror the Bybit attack? 

Both bypassed smart contracts entirely. Attackers targeted human operators and tricked multisig signers into approving malicious transactions, the same core method used in the Bybit attack.

Who is suspected of being behind the Drift hack? 

Multiple researchers and Ledger CTO Charles Guillemet have suggested North Korean-linked actors, consistent with tactics seen in the Bybit attack, though there has been no official confirmation.

Has Drift recovered any funds? 

No. As of 48 hours after the exploit, Cyvers confirmed zero fund recovery. Drift has opened on-chain communication with the attacker’s wallets.


Shubham Raniwal
I’m a cryptocurrency journalist with a strong passion for blockchain technology and digital assets. Over the years, I have covered a wide range of topics including crypto markets, projects, and regulatory developments. I focus on crafting clear and insightful stories that help readers understand the complexities of the blockchain space. When I’m not writing, I enjoy photography and exploring the exciting intersections of technology and art.
