According to this week’s report from crypto market tracker CryptoRank, DeFi platforms suffered 121 hacks so far this year, resulting in approximately $942 million in losses.
The second quarter accounted for 85 incidents and about $775 million stolen, placing it as the most active period ever for exploits in the crypto sector.
The surge in attacks is against a backdrop of a crypto market struggle, pervaded by weakening investor confidence. Total value locked (TVL) in DeFi protocols has fallen every month this year, dropping from about $115 billion in January to $70 billion in late June.
Drift Protocol, KelpDAO Exploits Hiked Q2 Losses
Per CryptoRank’s data, Q2 2026’s 85 incidents are 49 more than the period with the second-highest frequency of exploits, which happens to be Q1 2026. However, total dollar-denominated losses were not as high as previous peaks, with the data provider reporting that two back-to-back attacks in April accounted for the majority of losses recorded in the quarter.
Drift Protocol and KelpDAO lost a combined $590 million, which is more than half of all the DeFi losses recorded in 2026. Drift Protocol disclosed that attackers had stolen about $285 million in user assets, with blockchain intelligence firm TRM Labs’s investigations linking the operation to hacking outfits connected with North Korea.
According to TRM, preparations for the attack started on-chain as early as March 11 with a 10 ETH withdrawal from Tornado Cash. The crypto tumbler transaction came after months of in-person meetings between the Pyongyang proxies and Drift employees.
“The attacker used social engineering to induce Drift Security Council multisig signers into pre-signing transactions that appeared routine but carried hidden authorizations for critical admin actions,” the firm wrote in a report published April 30.
Just over two weeks later, North Korea’s Lazarus Group exploited the liquid restaking protocol KelpDAO’s LayerZero bridge infrastructure and stole roughly $290 million worth of rsETH.
Chainalysis mentioned at the time that the attackers forged a cross-chain message on April 18 after compromising two remote procedure call nodes used by LayerZero’s Decentralized Verifier Network. At the same time, the criminals struck a third node with a distributed denial-of-service attack, making the system use compromised verifiers.
The verification process was rigged to allow for the creation of rsETH tokens on Ethereum without burning the corresponding assets on Unichain. Within days of the attack, lending protocol Aave’s TVL dropped from $26.4 billion to $14.3 billion, clocking $12 billion in withdrawn funds and a decline of about 46%.
Hacks Were One Problem; a Shrinking Market Was Another
Aave’s TVL dip wasn’t unique, with CryptoRank’s data showing the value locked in all of DeFi falling every single month in 2026, going from $115.3 billion in January to just over $70 billion in June. And while hacks were not the main reason for the decline, the firm noted that the frequency of incidents likely made users less confident, leading to a wider rotation away from the sector.
But the drop hasn’t been as bad as the one in the 2021-2022 cycle when the DeFi TVL tanked more than 70% in seven months. The current dip has been much slower, and the market has also been different structurally, CryptoQuant says, with the stablecoin supply growing to about $300 billion, real-world asset tokenization expanding, and capital dispersed across more sectors like derivatives, infrastructure, and lending, instead of being concentrated in a handful of AMMs and yield farms.
However, among the largest ecosystems by TVL, only Tron and Hyperliquid have managed to grow this year, with the former gaining 5% and the latter adding nearly 7% as it became the dominant venue for on-chain perpetuals. The rest of the top 10 chains are deeply in the red, with the worst hit being Plasma and Arbitrum, which have so far seen their TVL plunge by 74.6% and 55%, respectively.
Crypto rhetoric has long prized the ability to transact without gatekeepers, to move value across borders without asking permission, and to hold assets no institution could seize.
Crypto culture treated these as design virtues, properties that builders embedded with ethical weight by deliberate architectural choice. Then the Drift exploit happened, and the backlash told a different story.
On Apr. 1, Drift suffered a major exploit. Circle later described the publicly reported losses as exceeding $270 million, while other reports put the figure around $285 million and documented criticism that Circle had not frozen stolen USDC as it moved across its cross-chain rails.
The attacker routed roughly $232 million in USDC from Solana to Ethereum using Circle’s Cross-Chain Transfer Protocol. The backlash stemmed from users and observers wanting to know why Circle had not intervened sooner.
Days later, Tether CEO Paolo Ardoino posted that Tether had frozen 3.29 million USDT tied to the Rhea Finance attacker, framing the intervention as proof that “Tether cares.”
Circle published its formal response on Apr. 10, and its core argument was that USDC freezes occur when the law requires action. Circle is legally compelled by an appropriate authority through a lawful process.
Circle pushed back on the idea that an issuer should act as an ad hoc chain police force, arguing that open access to permissionless infrastructure is a feature, and that the bigger problem is that legal frameworks have not yet kept pace with the speed of on-chain exploits.
The stablecoin issuer also made a property-rights argument, claiming that arbitrary freezes set dangerous precedents for lawful users, and the power to freeze is a compliance obligation, constrained by lawful process and legal compulsion, authorized only through formal legal channels.
The complication is that Circle’s own legal documents tell a more layered story.
USDC terms state that transfers are irreversible and that Circle carries no obligation to track or determine the provenance of balances.
Those same terms also reserve Circle’s right to block certain addresses and, for Circle-custodied balances, freeze associated USDC in its sole discretion when it believes those addresses may be tied to illegal activity or terms violations.
Circle holds meaningful freeze power and frames it as a tightly bound compliance function, constrained by legal process and compulsion.
Ardoino’s Rhea post was a boast, and Tether’s terms grant it broad discretion by stating that the company may freeze tokens as required by law or whenever it determines, in its sole discretion, that doing so is prudent, and authorizing it to blacklist token addresses.
In February, Tether froze approximately $4.2 billion in USDT due to links to illicit activity, with $3.5 billion of that since 2023.
Circle freezes USDC only when legally compelled, while Tether reserves sole discretion to freeze and has frozen $4.2 billion over illicit-activity links.
The feature nobody advertised
What Drift and Rhea forced into the open is a question that stablecoin competition had not yet fully surfaced: in a hack, what do users actually want from an issuer?
The anti-censorship instincts that shaped crypto’s early culture tend to lose their force the moment users need an emergency brake. Affected protocols, exchanges holding stolen funds, and victims watching their balances drain want to know who can stop the thief.
That reframes freeze capacity as more of a consumer-protection feature.
Tether has been accumulating a record of intervention and visibility. Ardoino’s Rhea post was designed to be read as a product statement, and in the context of a fresh exploit, it worked.
The emotional and practical logic is accessible, showing that one issuer froze stolen funds the same day an attacker moved them, while another issuer said legal timelines tied its hands.
This makes optics difficult for Circle regardless of the legal merits of its position.
Stablecoins are quietly differentiating themselves in emergency governance, alongside reserve composition and exchange liquidity.
The cost of the feature
The case for Circle’s position is real and does not require dismissing the Drift backlash to hold. Broad issuer discretion over freezes creates risks that extend far beyond hack scenarios.
An issuer that can freeze tokens in its sole discretion when it determines it is prudent can freeze tokens for reasons unrelated to protecting victims. Politically contentious addresses, disputed transactions, regulatory scrutiny from a single jurisdiction, or simple operational error can all trigger freezes under terms as broad as Tether’s.
The same capacity that lets an issuer stop a thief also lets it stop a protester, a dissident from a sanctioned country, or a business whose activity it finds inconvenient.
Circle’s public writing on the Drift exploit is, among other things, a defense against that risk. The argument that emergency intervention needs new legal frameworks and safe-harbor structures is also an argument that the current situation is a problem, even when the targets are criminals.
The absence of defined standards means an issuer can act generously today and overreach tomorrow, with no formal mechanism to distinguish the two.
Tether’s freeze record has not yet produced a major documented wrongful-freeze controversy, but that record is also vast and not fully transparent.
Reports on the $4.2 billion in frozen USDT withhold the details of each decision, the legal process underlying each freeze, and the error rate across thousands of enforcement actions.
Fast intervention looks different in the abstract when the process generating those interventions is opaque.
Benefit of fast freezes
Cost of broad freeze discretion
Can slow or stop stolen funds
Can enable arbitrary intervention
May improve recovery odds
Can affect lawful users
Helps exchanges/protocols in crises
Can reflect political or regulatory pressure
Looks like consumer protection in hacks
Process may be opaque
Becomes a due-diligence feature
Wrongful-freeze risk may be hard to challenge
Two paths from here
The bull case for intervention-first issuers runs in a world where hacks keep coming, and recoverability keeps rising on the priority list.
More regulatory scrutiny on exchanges to show they take asset protection seriously, and more institutional users who need to demonstrate due diligence in custody and recovery. These are factors that push emergency freeze capacity to the center of stablecoin evaluation.
In that scenario, Tether’s public freeze record and broad discretionary terms become genuine competitive assets. Exchanges and protocols that have experienced exploits now treat fast-intervention capacity as a due diligence criterion when choosing which stablecoin to hold as primary liquidity.
Circle has to either act faster through new legal mechanisms or accept that some market segments will treat its rule-of-law posture as a liability in crises. Ardoino’s Rhea post, in retrospect, looks like an early entry in a competition that the market eventually formalizes.
The bear case for that same model runs through wrongful freezes, regulatory backlash, and the discovery that broad discretion is often a liability as much as a virtue.
A high-profile incorrect freeze, such as an address flagged as malicious that belongs to a legitimate user, a jurisdiction-specific enforcement action that appears to be politically targeted at users in other markets, or an operational error that freezes clean funds during a market stress event, turns the same emergency-governance story toxic.
In that world, Circle’s insistence on lawful process and defined standards looks like principled restraint, a deliberate commitment to defined limits over speed, and users place a real premium on an issuer whose freeze decisions carry formal accountability.
The crypto community’s historical skepticism toward centralized control reasserts itself as hard-won practical wisdom, grounded in the documented costs of unchecked issuer discretion.
The stablecoin winners in that scenario are the ones whose intervention power is real but bounded. Issuers who can act in genuine emergencies and demonstrate they held back in ambiguous ones.
Stablecoin governance splits between intervention-first issuers gaining crisis goodwill and bounded-discretion issuers winning users who reprice centralization risk, per Circle and Tether materials.
As stablecoins deepen their role in institutional payments, treasury workflows, and regulated financial infrastructure, governance under stress becomes as material as reserve quality or distribution reach.
The question that Drift and Rhea put on the table of how much control users want an issuer to have has no clean universal answer. Institutions with large exposures and recovery obligations may want emergency brakes, while individuals holding stablecoins across politically sensitive jurisdictions may want the opposite.
Protocols with mixed user bases need to answer for both.
The real contest now is for the version of stablecoin governance that earns enough trust from enough users to become the default.
Drift Protocol Drained of $285 Million in One of
2026’s Biggest DeFi Hacks
A coordinated exploit struck the Solana-based perpetual futures exchange on April 1 — no joke — stripping nearly half its treasury in under an hour and sending its token into freefall.
AA
Ashton Addison
Founder & CEO · Crypto Coin Show · Since 2014
cryptocoinshow.com
Refinitiv TV · London Stock Exchange
Live Incident — 1 April 2026, ~18:54 UTC
$285M
Estimated Stolen
~50%
of Protocol TVL
−17%
DRIFT Token Drop
<60m
Duration of Exploit
All figures preliminary as of 18:54 UTC, 1 April 2026. Source: PeckShield · Lookonchain · Arkham Intelligence · CoinGecko.
On the afternoon of 1 April 2026, a single wallet address began quietly draining one of Solana’s most prominent DeFi protocols. Within the hour, nearly $285 million in digital assets had vanished from Drift Protocol’s vaults — transferred, swapped and bridged with the cold precision of a pre-planned heist. The platform’s team scrambled to confirm the obvious: this was not a prank. “This is not an April Fools joke,” they wrote on X, in a line that said everything about the moment.
Drift Protocol is a non-custodial perpetual futures exchange built on Solana. It allows traders to take leveraged positions across crypto assets without a centralised intermediary, using a virtual automated market maker and multi-asset collateral. At the time of the attack, it ranked among the most liquid DeFi venues on Solana, with a total value locked of approximately $309 million. By the time blockchain sleuth accounts had finished counting, that figure had collapsed to an estimated $24 million.
01—
The Attack: How It Unfolded
On-chain data captured by Lookonchain and PeckShield tells a methodical story. The exploit began around 4:00 PM UTC with a transfer of approximately $155 million in JLP tokens — Jupiter’s liquidity pool token — from a Drift vault to a freshly created Solana wallet. The suspected attacker’s address then received a cascade of additional inflows: USDC, cbBTC, Wrapped Ethereum and a range of other tokens, suggesting a coordinated, multi-asset drain of protocol-linked vaults rather than a single opportunistic strike.
Community monitors flagged suspicious outflows as early as 1:30 PM Eastern. Mert Mumtaz, co-founder and CEO of infrastructure firm Helius, posted on X that there was a high likelihood of a major exploit and urged Circle — whose USDC stablecoin is used as collateral on Drift — to respond. His warning, unusually specific and from a credible Solana insider, cut through the noise even as many in the crypto community assumed the alerts were an April 1 prank.
🔴 Suspected Attacker Wallet — Solana
HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES
Flagged by PeckShield, Lookonchain and Arkham Intelligence. Track live via Solscan and SolanaFM.
Once the initial drain was complete, the attacker moved swiftly to liquidate. Stolen assets were converted into USDC and bridged to Ethereum. By 17:49 UTC, the Ethereum-side wallet held approximately 19,913 ETH — worth around $42.6 million — acquired in minutes. The Solana wallet also deposited SOL to Hyperliquid and Binance, pointing to an attacker comfortable navigating both decentralised and centralised infrastructure simultaneously.
02—
Drift Confirms the Breach
Drift Protocol’s initial public response was characteristically restrained. The team acknowledged “unusual activity” and asked users not to deposit, stopping short of calling it an attack. The hedging was brief. Within hours, the protocol had escalated its language sharply, posting a direct confirmation to its X account.
“Drift Protocol is experiencing an active attack. Deposits and withdrawals have been suspended. We are coordinating with multiple security firms, bridges, and exchanges to contain the incident. This is not an April Fools joke.”
Drift Protocol — Official X Account, 1 April 2026
The team said it was working with multiple security firms, bridge operators and centralised exchanges to contain and trace the movement of funds. No official loss figure was published by the protocol itself, though PeckShield placed the total at approximately $285 million, while other estimates ranged between $270 million and $300 million. As of publication, deposits and withdrawals remain suspended.
03—
Market Reaction and Token Collapse
DRIFT, the protocol’s native token, reacted immediately. CoinGecko data shows the token declined more than 13% over the 24-hour period, with a steep intraday drop occurring within minutes of the suspicious transfers being flagged publicly. At its low, DRIFT traded at approximately $0.05 — down nearly 20% from pre-incident levels — as traders unwound positions under uncertainty about the protocol’s solvency.
The broader Solana ecosystem felt the tremors. Arkham Intelligence’s dashboard for Drift’s vaults confirmed a near-total evacuation of holdings, with the platform’s balance visible collapsing in real time. DeFi Development Corp. (Nasdaq: DFDV), a US-listed public company with a Solana-focused treasury strategy, issued a statement confirming it holds no exposure to Drift and was not impacted by the exploit.
04—
Scale and Context
To understand the magnitude of what happened to Drift, it helps to place it against the backdrop of 2026’s DeFi security landscape. Industry data shows that crypto theft declined more than 69% between January and February 2026, with February losses estimated between $26.5 million and $35.7 million — the lowest monthly figure in nearly a year, and a world away from the $1.5 billion Bybit breach that opened the previous year.
Set against that declining trend, a potential $270–285 million loss at Drift is a dramatic outlier. If confirmed, it ranks as the largest exploit on the Solana network since the Wormhole bridge hack of February 2022 — when approximately $320 million in wrapped Ether was drained — and one of the most significant DeFi incidents globally in 2026.
The breach represents roughly 50% of Drift’s total value locked at the time of the attack. The coordinated drain of multiple vault types, the immediate conversion and bridging of funds, and the use of both decentralised and centralised infrastructure all point to a sophisticated, pre-planned operation — not an opportunistic probe.
05—
What Users Must Do Now
Immediate Actions for Drift Users
Revoke all wallet approvals connected to Drift Protocol. Phantom wallet users can review and revoke connected app permissions directly in the wallet interface under Settings → Connected Apps.
Do not deposit into or interact with the protocol until Drift publishes an official all-clear. The team has explicitly asked users to stand down.
Track the suspect wallet on Solscan, SolanaFM or Arkham Intelligence for further outflows, swaps or bridge activity.
Monitor Drift’s official X account and any post-mortem reports for updates on recovery efforts, compensation plans or protocol restarts.
If you had open leveraged positions at the time of the attack, document your position data now as evidence for any future claims process.
06—
Looking Ahead
The questions that follow an exploit of this scale are always the same, and always hard. Can the stolen funds be traced and frozen at centralised exchanges before the attacker cashes out? Will Drift be able to compensate affected users, and if so, from what source? Does the protocol survive, or does this become one of DeFi’s cautionary tombstones?
The attacker’s decision to route funds through Hyperliquid and Binance — centralised venues with mandatory KYC — is either a mistake that will prove costly, or a calculated use of high-liquidity venues before authorities can respond. The race between the attacker’s exit strategy and the security firms, exchanges and bridges now coordinating with Drift’s team is very much still live.
What is not in doubt is what the Drift exploit says about the state of DeFi in 2026. The industry entered this year pointing to declining hack totals as evidence of a maturing security posture. In less than an hour on April 1, a single sophisticated actor erased months of that narrative. In a space where hundreds of millions can move in minutes, protocol-level security remains — as it has always been — the most consequential unsolved problem in crypto.
— ◆ —
CCS will continue to update this story as new information becomes available. This article is based on verified on-chain data, official statements from Drift Protocol and reports from PeckShield, Lookonchain and Arkham Intelligence as of 1 April 2026, 18:54 UTC. All figures are preliminary and subject to revision.