Drift exploit triggers two-week DeFi hack spree totaling $280 million across 12 protocols

The Drift Protocol exploit on April 1 appears to have triggered a broader wave of compromises across decentralized finance. In the 16 days since attackers drained $280 million from the Solana-based perpetuals platform, at least 12 additional crypto protocols and exchanges have been compromised.

The affected list includes CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, Binance Smart Chain's TMM pool, Aethir, MONA, Zerion, Rhea Finance, and Russia-linked exchange Grinex. Combined with Q1's already elevated hack activity—$168.6 million stolen from 34 DeFi protocols, according to DefiLlama—the sector is facing what is described as its worst security crisis in years.

New disclosures: Rhea and Grinex

Rhea Finance disclosed Thursday that attackers exploited a vulnerability in its margin trading feature, executing what the protocol called a “coordinated pool manipulation attack” against its Lend smart contract. CertiK estimated the damage at $7.6 million.

CertiK said the attack involved creating fake token contracts and adding liquidity in new pools, likely misleading the oracle and validation layer. The report noted that the Drift attackers used a similar approach by whitelisting a fabricated token (CVT) as collateral before draining real assets.

Earlier, Grinex suspended all operations after losing $13.7 million. The exchange attributed the incident to “unfriendly states” without further detail, though the timing and methodology were described as consistent with patterns associated with North Korean operations.

How the Drift attack spread

The article says the Drift hack’s impact is amplified by the sophistication of its social engineering. It describes attackers spending months posing as a quantitative trading firm, building relationships with Drift contributors before exploiting Solana’s durable nonces feature to trick Security Council members into pre-signing malicious transactions.

It also states that both the Drift and Zerion wallet exploits have been linked to DPRK-affiliated groups using AI-enhanced social engineering. The piece characterizes these as well-resourced operations focused on human trust rather than purely code vulnerabilities.

Other incidents reported in April

• Silo Finance: $392,000 lost on April 3 due to a misconfigured oracle.
• Dango: $410,000 lost on April 13 through a smart contract bug in its bridge aggregator.
• Aethir: $423,000 lost on April 9 due to access control failures.
• Binance Smart Chain TMM/USDT pool: $1.67 million lost to reserve manipulation.

Market reaction and potential second-order effects

Despite the disruptions, Solana’s SOL token rose 4.55% over the past 24 hours to $89, suggesting traders may be treating the incidents as protocol-specific failures rather than broad ecosystem contagion.

However, the article notes that Drift’s hack disrupted at least 20 protocols that relied on its liquidity, implying that second-order effects may take longer to appear.

Security outlook

Security researchers cited in the article warn that advancing AI models could accelerate social engineering attacks. The piece argues that when attackers can automate relationship-building across many targets at once, the advantage shifts further in their favor.

For DeFi users, the article concludes that audits may not be sufficient when the primary attack surface involves the humans holding the keys.