$285 million evaporated: The manhunt after Drift was hacked.

智者解密
2 hours ago

On April 2, 2026, the leading perpetual contract protocol in the Solana ecosystem, Drift Protocol, suffered a heavy blow, with funds on the chain being withdrawn by hackers in a very short time. According to several Chinese information sources, the scale of the stolen assets is approximately $285 million, which was then quickly exchanged for about 129,000 ETH, valued at nearly $278 million. The sources of the funds have not been fully disclosed, and the specific coin ratios and structures remain uncertain, amplifying concerns in the secondary market about potential "polluted assets." The tracing of the cross-chain flow path of this substantial asset has become significantly more challenging, and whether issuers like USDC should actively freeze related suspicious assets has quickly evolved into a focal point of industry opinion. Meanwhile, news of the Trust Wallet Discord community being hijacked spread throughout the crypto circle, tightening the already strained nerves regarding security—both fund security and information channel security faced collective scrutiny that day.

Eight Days of Lurking to Lightning Transfer: The Hacker's Patience and Speed

From the public on-chain intelligence, this attack appears to be not a spur-of-the-moment decision, but more like a thoroughly prepared "covert operation." According to summaries from sources such as Planet Daily and Golden Finance, the suspected core attack address was alleged to have obtained start-up funds through Near Intents. After this, it lurked for about eight days, without immediately launching a large-scale attack, but instead maintained low-frequency operations and a "playing dead" state. This prolonged ambush mode contrasts with the "immediate use" commonly seen in some past large-scale attacks, showing the attackers' patience and professional inclination in choosing the timing and controlling on-chain traces.

The real explosion point occurred on April 2. On-chain monitoring indicated that after the attack was triggered, large amounts of funds within the Drift protocol were rapidly withdrawn from the contract and quickly concentrated into a wallet controlled by the attackers. Following this, a large number of assets were uniformly handled and exchanged for about 129,000 ETH, completing the transition from a multi-asset pool to a single mainstream asset, significantly simplifying the subsequent cross-chain and mixing operations. This series of operations was highly automated and tightly paced, leaving almost no reaction window for the project team and security team.

It is worth emphasizing that, so far, there has been no authoritative disclosure of the root cause of the contract vulnerability, the exploitation method, or the underlying security flaw. The publicly available information is insufficient to support an accurate reconstruction of the attack. Relevant reports stop at the level of fund flows and address behavior, and the source briefs explicitly treat the technical root cause as an area not to be speculated on. The outside world can therefore only discuss risk control within the broad framework that "the attack was accomplished through a contract or strategy flaw," without drawing conclusions about the specific technical path.

In the process of tracing the flow of funds, some intelligence indicates that certain money laundering addresses are suspected to be associated with Backpack. This means that once this connection is further confirmed, those pathways through centralized entry points may become a KYC breakthrough for future accountability and asset freezing. However, the current correspondence between address ownership and actual identity is still marked as "to be verified" information, which cannot simply be equated with direct collusion, nor can responsibility be inferred in the absence of more evidence. Between on-chain transparency and off-chain identity, there are still multiple legal, compliance, and privacy protection barriers.

Cross-Chain Escape Route: The Fog from Solana to Ethereum

Regarding the whereabouts of this $285 million, the market immediately turned its attention to cross-chain bridges. Multiple sources allege that some of the assets were migrated from Solana to Ethereum through bridges such as Wormhole and then mixed and dispersed on the destination chain. It must be stressed, however, that this cross-chain path is still marked "to be verified" by both official and intelligence sources. Specific bridged amounts, hop nodes, and timestamps have not yet been covered by complete, publicly disclosed, cross-validated on-chain reports, so any overly detailed claims about the path carry a real risk of being wrong.

After the assets completed a centralized conversion to ETH, a highly concerning pattern has emerged: some funds are suspected to further intersect with the on-chain topology of Tornado Cash and other mixing tools. These types of protocols technically provide users with privacy protection but are often seen as "money laundering infrastructure" from a regulatory perspective, especially frequently appearing in major hacker events. For compliance tracking systems, once funds enter the mixing pool, the traditional readability of the "address-balance-path" triangle will dramatically decrease, leaving only pattern recognition, statistical analyses, and intelligence collaboration with centralized entities to fill in fragmented information.

This is not the first time a cross-chain bridge has played the role of an "escape route" in a major security event. For attackers, cross-chain not only signifies escaping from the single public chain ecology but also complicates the landscape of judicial jurisdiction, regulatory standards, and infrastructure partnerships, increasing the difficulty of subsequent accountability. For risk control teams and compliance agencies, this serves as a reminder:

● On one hand, cross-chain bridges need more precise real-time monitoring and risk control thresholds, so that abnormally large transactions and unusual paths trigger warnings and delayed settlement rather than passing straight through a "fast lane."

● On the other hand, bridging protocols, together with mainstream public chains and regulators, may have to build tighter compliance modules and intelligence-sharing mechanisms; otherwise, in a major attack, cross-chain bridges will by default end up "concealing rather than exposing risk."
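As an added illustration of the kind of threshold monitoring described above (this is example code written for this page, not anything from Drift, Wormhole or any bridge operator), the heuristic below scans a constructed set of transfer records for the pattern the article describes: an address that is seeded, sits dormant for days, then aggregates large protocol withdrawals in seconds and immediately sends funds to a bridge. The address labels, amounts and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for illustration only (not real Drift addresses or amounts).
# Each event: (timestamp, from_addr, to_addr, asset, usd_value, kind)
# kind: "funding" (seed/gas), "withdraw" (protocol -> wallet), "swap", "bridge".
EVENTS = [
    ("2026-03-25T10:00:00", "bridge_in",   "suspect",  "SOL",  5_000,       "funding"),
    ("2026-03-26T12:00:00", "suspect",     "dex",      "SOL",  50,          "swap"),
    ("2026-04-02T09:00:00", "drift_vault", "suspect",  "USDC", 120_000_000, "withdraw"),
    ("2026-04-02T09:00:05", "drift_vault", "suspect",  "SOL",  90_000_000,  "withdraw"),
    ("2026-04-02T09:00:09", "drift_vault", "suspect",  "JLP",  75_000_000,  "withdraw"),
    ("2026-04-02T09:30:00", "suspect",     "dex",      "USDC", 120_000_000, "swap"),
    ("2026-04-02T10:15:00", "suspect",     "wormhole", "ETH",  200_000_000, "bridge"),
    ("2026-04-02T11:00:00", "user_1",      "wormhole", "USDC", 2_000,       "bridge"),
]


def detect_dormant_burst_bridge(events, min_dormant_days=5, burst_window_s=60,
                                burst_usd=50_000_000):
    """Return alerts for addresses that were first seen at least min_dormant_days before
    receiving aggregated protocol withdrawals of >= burst_usd within burst_window_s
    seconds, and that afterwards sent funds to a bridge. Defender-side heuristic only."""
    by_addr = defaultdict(list)
    for ts, src, dst, asset, usd, kind in events:
        t = datetime.fromisoformat(ts)
        by_addr[dst].append((t, asset, usd, kind, "in"))
        by_addr[src].append((t, asset, usd, kind, "out"))

    alerts = []
    for addr, evs in by_addr.items():
        evs.sort(key=lambda e: e[0])
        first_seen = evs[0][0]
        withdraws = [e for e in evs if e[3] == "withdraw" and e[4] == "in"]
        if not withdraws:
            continue
        # Slide a window over the withdrawals to find the largest aggregated burst.
        best_total, best_assets, burst_start = 0, set(), None
        for t0, _, _, _, _ in withdraws:
            window = [w for w in withdraws
                      if t0 <= w[0] <= t0 + timedelta(seconds=burst_window_s)]
            total = sum(w[2] for w in window)
            if total > best_total:
                best_total, best_assets, burst_start = total, {w[1] for w in window}, t0
        if best_total < burst_usd:
            continue
        dormant_days = (burst_start - first_seen).days
        bridged = sum(e[2] for e in evs
                      if e[3] == "bridge" and e[4] == "out" and e[0] > burst_start)
        if dormant_days >= min_dormant_days and bridged > 0:
            alerts.append({"address": addr, "dormant_days": dormant_days,
                           "burst_usd": best_total, "assets": sorted(best_assets),
                           "bridged_usd": bridged})
    return alerts


if __name__ == "__main__":
    for alert in detect_dormant_burst_bridge(EVENTS):
        print(alert)
```

A real deployment would feed the same logic from an indexer and treat a hit as a reason to hold the bridge transfer for manual review, not as proof of wrongdoing.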

Behind this cross-chain fog lies a more charged question: when assets are suspected to originate from the attack, should issuers like USDC step in and freeze them? Technically, centralized issuers have the ability to blacklist and freeze on-chain tokens, and they have frequently blacklisted specific addresses after past hacks. In this case, however, the fund paths are complex and no complete, verified timeline exists, so hasty action could implicate innocent addresses and trigger legal and trust disputes. For now, the debate over "whether to freeze, when to freeze, and how wide the freeze should reach" remains largely a matter of public opinion; at the level of compliance and evidence, it is clearly not yet at a stage where the switch can be flipped lightly.

Protocols and Project Teams Proving Their Innocence: Collateral, Security, and Separation of Relationships

After the attack, protocols directly or indirectly related to the event quickly entered "self-proving innocence" mode. The Unitas Protocol was among the first to release a statement emphasizing "all collateral is safe, and strategies are operating normally," attempting to draw a clear line between itself and the attack. These statements serve, on one hand, to reassure existing users and prevent indiscriminate panic due to information vacuum; on the other hand, it is also a posture towards potential regulatory and partnership scrutiny—indicating that risks have not accumulated on its balance sheet.

More controversially, some on-chain investigations pointed to details linking the laundering addresses to Backpack. If this lead is confirmed, Backpack, as a centralized entry point with KYC capability and user identity data, may become a crucial part of any future accountability process: under what legal framework, and how, the relevant data is handed to law enforcement becomes a shared concern for the victim protocols and regulators. At the same time, this draws attention to another sensitive issue, the boundary between privacy and compliance:

● Those supporting stronger accountability argue that platforms like Backpack have an obligation to cooperate in retrieving relevant KYC records in major security events, providing leads for asset recovery and criminal investigations.

● Those emphasizing privacy protection worry that once such data retrieval mechanisms are normalized, ordinary users' trust in centralized entry points may be eroded, and KYC data could be used beyond its original purposes.

In information disclosure strategy, both the Drift protocol and other projects caught up in public opinion have exhibited a highly cautious attitude. On the one hand, they need to timely respond to sensitive questions such as "is there a direct business association, do you hold assets on related addresses, are there internal risk control flaws"; on the other hand, they cannot carelessly acknowledge or deny key associations when facts have not been fully clarified and there exist unverified information, to avoid leaving grounds for future regulatory or legal proceedings. This balance of "timely reassuring the market while avoiding overly decisive statements" is also a survival skill that current crypto protocols must learn to navigate within a semi-compliant environment.

Given the high transparency of on-chain data, how project teams draw the line between "cooperating with investigations" and "protecting users" becomes a real problem. One trend is that more project teams will state in their user agreements and privacy clauses that, in cases involving criminal offenses or major security events, necessary data will be shared with law enforcement under legal procedure; another option is to adopt third-party custody, zero-knowledge proofs, and similar methods to minimize their direct control over sensitive data, pushing the choice of "whether to hand over the keys" up to higher-level infrastructure and the judicial system.

Exchanges Sound the Alarm: The Risk Spillover of DRIFT Tokens

Compared to the passive position of on-chain protocols, centralized exchanges are often the first gate before risk spills over into the secondary market. After the Drift hack came to light, the mainstream exchange Upbit quickly issued a notice on DRIFT tokens, stating explicitly that, if necessary, "warning or trading termination measures may be taken." The notice did not specify the exact triggering conditions or timing, but it clearly conveyed one signal: if the on-chain incident develops into a larger blow to the token's own credibility, DRIFT could face the partial closure of its liquidity channels at any time.

From the perspective of exchange risk control logic, taking preventive measures against involved or potentially affected tokens typically stems from several considerations:

● Avoid becoming a "dirty currency" outlet—if attackers attempt to cash out or hedge risks through the exchange, the platform needs to elevate its risk control thresholds in advance, even directly freezing suspicious deposit addresses.

● Reduce the probability of ordinary users being "caught in the crossfire"—when the course of the event is unclear and trust in the project is under challenge, maintaining high liquidity and unrestricted trading may expose uninformed users to excessive risk amid emotional swings.

● Underpin their compliance—against a backdrop of progressively stricter regulations, exchanges often wish to demonstrate that they have "records of due diligence" in major security events through announcements and actual restrictions.

For the secondary market, these risk control actions directly affect sentiment, liquidity, and the potential for a run. Once the market expects that a token may be delisted or its trading suspended, holders often sell preemptively, amplifying the selling pressure and creating a negative cycle of price and trust; meanwhile, short-sellers may treat the incident as a reason to push further, increasing volatility between the futures and spot markets. It is worth noting that, since this article cites no verified price or decline figures for DRIFT, what can be discussed here is only this structural risk transmission mechanism, not precise movements down to a specific candlestick.

From a broader perspective, exchanges are playing not only the role of risk controllers in this incident but also acting as compliance partners. In the reality that hacking incidents increasingly span across chains and platforms, exchanges are expected to take on more responsibilities in:

● Assisting in tracing the sources and flows of suspicious assets,
● Freezing or delaying processing of deposits and withdrawals related to the attack,
● Providing necessary transaction and identity records to law enforcement.

However, the boundaries of responsibility must also be clearly defined: what level of evidence is sufficient to trigger a freeze, whether judicial intervention is required for freezing, and how to compensate for mistakenly freezing innocent funds—these questions remain vague within the current global regulatory framework, and each major attack pushes for this boundary to be reevaluated and redrawn.

Multiple Security Breaches at Once: Trust Wallet Alarm and Cognitive Attacks

On the same day that the Drift hack drew widespread attention, another security incident similarly rattled the industry: the Discord community of Trust Wallet was hijacked. On-chain investigator ZachXBT promptly issued a security warning on social media, advising users not to trust any links, airdrops, or contract interactions originating from the hijacked Discord channel, and emphasizing that such community hijackings often rapidly turn into phishing attacks and the promotion of malicious contracts.

Compared to the funds attack at the contract level in Drift, the breach of community channels seems to "only harm cognition and not assets," but in the real world, the two often overlap, resulting in a dual blow to user asset security and information security. A protocol hack may lead users to worry that "money is not safe," while the hijacking of the official community may cause users to question "which information is still reliable." When users find it difficult to discern which announcements genuinely come from the project team and which contracts have been tampered with or are phishing schemes, panic can spread more subtly throughout the community.

This temporal overlay effect puts pressure on overall trust in the self-custody and DeFi ecosystems. On one hand, the Drift incident alerts the market that even leading protocols remain vulnerable to intense attacks; on the other hand, the hijacking of the Trust Wallet community suggests that even if users hold private keys, signing malicious transactions through the wrong channels can still lead to grave losses. This may prompt some users to reassess the intuition that "decentralization equals more security," turning their attention toward more familiar centralized custody or higher-threshold security measures.

From the operational perspective, a clear signal emerging from this series of incidents is that security is no longer merely a matter of "contract auditing." An increasing number of attackers are beginning to seek breakthroughs from social accounts, community management, and operational processes, using means such as disguised announcements, phishing airdrops, and impersonating administrators to gradually lead users toward malicious contracts. Project teams must invest resources not only in auditing contracts, deploying multi-signature systems, and integrating security modules but also in:

● Strengthening multi-factor authentication and access control for official accounts to prevent backend theft;
● Developing emergency plans for communities to quickly refute rumors through backup channels when accounts are hijacked;
● Enhancing user education so that "suspect links first, confirm signatures multiple times" become habits.

Otherwise, even the most impeccable technical defenses can be easily bypassed by a single phishing message.

Recovering Assets or Accountability: Reconstructing Security Order After the Drift Incident

In summary, this $285 million theft is highly typical of the current crypto security landscape. In terms of funding volume, it ranks among the large hacks of recent years; in terms of path structure, it presents a standard template of "contract attack → multi-asset aggregation → consolidated conversion into ETH → suspected cross-chain bridge transfer → potential mixing"; at the participant level, it involves protocols, cross-chain bridges, wallets, centralized exchanges, and even stablecoin issuers, with each party's position and obligations in asset recovery and accountability being renegotiated and rearranged.

In the days to weeks ahead, several key observations will determine the direction of this pursuit:

● Progress in tracking fund routes—whether on-chain analytical teams can piece together a more complete fund flow map amidst the fog of cross-chaining and mixing, and find a sufficient evidence chain to support judicial actions;

● Whether issuers like USDC intervene—under what conditions and in what manner to implement freezes or reviews on suspected associated addresses, testing their technical capability and their balance between regulators and users;

● Whether regulatory voices emerge—whether concerning compliance requirements for cross-chain bridges or standards for exchanges and wallets in KYC/AML cooperation, each major attack may become a trigger for new regulations.

Over a longer timeline, the roles of cross-chain bridges, wallets, exchanges, and project teams in this new round of security reconstruction may see redistribution: cross-chain bridges may be required to incorporate more risk control and compliance modules, no longer being merely neutral channels; wallets will be expected to bear more "front-end security warning" responsibilities to reduce user mis-signings; exchanges will increasingly emphasize their status as "infrastructures" in combating money laundering and assisting in accountability; and project parties will have to write "upgradability, security response mechanisms, and black swan plans" into their systems from the very beginning of design.

Behind all these changes is an unavoidably open issue: under the decentralized narrative, who ultimately bears the costs of security and accountability? When attackers exploit cross-chain, mixing, and multi-platform collaborations to tear apart regulatory boundaries, will losses and rebuilding trust be shouldered by individual protocols, centralized platforms, issuers, or the entire industry? The Drift incident may not immediately provide an answer but is likely to become a bellwether for security and compliance discussions in the coming years—whether in technical architecture, business models, or regulatory frameworks, all will be forced to reassess in light of this enormous loss.
