On April 1, 2026, attackers drained about $285 million from Drift Protocol on Solana. It was the second-largest exploit in Solana's history, and the post-mortem is the most important security reading of the year, because there was no exploit in the code. It was six months of patient social engineering against the people who held the admin keys. Here is the timeline and the uncomfortable lesson for everyone who builds in this space.
What happened, in order
Drift confirmed the drain on April 1. TVL collapsed from $550 million to under $300 million within an hour. The laundering was aggressive, each bridging transaction moving hundreds of thousands or millions in USDC, faster and more aggressive than even the Bybit laundering of 2025.
But the drain on April 1 was the end of the operation, not the beginning. The post-mortem revealed it was a six-month campaign targeting the humans who controlled the admin keys. The attackers, linked to the Lazarus Group, did not find a bug in the Solana programs. They found a path to the keys, and they took six months to walk it.
This is the pattern, not an exception
Pair Drift with KelpDAO, the $292M LayerZero bridge hack two weeks later, which also traced to a developer being socially engineered six weeks before the drain. Two of the largest hacks of 2026, both human-targeted, both patient, both attributed to state-backed actors.
The numbers back up the pattern. North Korea-linked actors accounted for 76% of crypto hack losses in the first months of 2026, up from 64% in 2025 and under 10% in 2020. Private-key compromise, not code exploits, is now the dominant loss vector. The attack moved up the stack: from the contract to the keys to the people.
What "six months of social engineering" actually looks like
It is not a single phishing email. State-backed campaigns against crypto teams have a recognizable shape, drawn from incident reports across the year:
- A fake recruiter or collaborator builds a relationship over weeks.
- A "coding test" or "demo project" arrives as a repo. (I have written before about catching one of these aimed at me.)
- The repo, or a dependency it pulls in, runs code at install or build time that exfiltrates secrets.
- Or the target is socially engineered into approving a transaction, sharing a credential, or running a script on a machine that can reach a hot key.
The throughline: the attacker exploits trust and time, two things no audit covers and no linter detects.
The uncomfortable lesson for builders
I find smart contract bugs for a living, and I have to be honest about the limits of that work. A flawless audit would not have saved Drift or KelpDAO. The code was not the weak point. The team was.
That does not make security work pointless. It relocates the most important part of it. The questions that would have mattered:
- How many independent humans must approve a privileged action? If the answer is one, you are one phished engineer away from a drain.
- Are admin keys in hardware, behind a time delay, with a circuit breaker? KelpDAO's 46-minute freeze cut the loss by $100M. Operational controls bought what code could not.
- Does the team treat every unsolicited repo, recruiter, and "quick favor" as a potential attack? Because in 2026, they are.
What I changed personally
After the year we have had, I tightened my own operational security, not my Solidity:
- Unsolicited repos run only in a sandbox, never on a machine with any key or credential. I built a static scanner specifically because I got targeted by one of these lures.
- Secrets live in one place with strict permissions, loaded explicitly by the scripts that need them, never auto-exported into every shell. A malicious build in one project cannot slurp every key at once.
- I assume any "job opportunity" that leads with a coding test is a lure until proven otherwise. The friction of being paranoid is small. The cost of being wrong is $285 million if you are Drift.
Where AI cuts both ways
The same year that AI made me a faster auditor, reports note it is lowering the bar for exploit discovery, with automated reconnaissance scanning old and unverified contracts. Attackers use AI too. But the Drift and KelpDAO hacks are a reminder that the frontier of attack is not better code analysis. It is better social engineering, and AI helps there as well, generating more convincing personas and lures.
The defense is not a tool. It is a culture that treats people and keys as the primary attack surface, because in 2026 they demonstrably are. Audit the contract. Then audit who can drain it, and how hard you have made their day if they get phished.
Top comments (0)