Drift Protocol Gets Drifted: $213M Multisig Mishap Sends Solana Reeling

Ledger CTO Charles Guillemet is calling the Drift Protocol exploit the biggest hack of 2026 so far—and honestly, he's not wrong. The man has seen things. He's probably got a support group for wallet recovery specialists.

The attack drained approximately $213 million from one of Solana's leading perpetual DEXs. This morning, the official Drift Protocol X account confirmed the exploit, and on-chain trackers reported the hacker immediately began converting stolen stablecoins into Ethereum. Because of course you diversify your liquidity pool of crime across chains—diamonds may be forever, but ETH is where the money laundering gets interesting.

Guillemet drew comparisons to the infamous Wormhole Bridge exploit of 2022. While full details remain sparse, the compromised vector was the multisig controlling the protocol—compromised several days, possibly weeks, before funds were drained. Someone's been sitting on that access like they're waiting for a particularly good Tuesday.

The private keys were either directly stolen or, more likely in Guillemet's view, several machines belonging to multisig signers were compromised. The operators were then tricked into approving a malicious transaction, believing they were signing off on something legitimate. Classic social engineering—the only hack that doesn't require a server rack, just a gift for human manipulation and an alarming amount of patience.

"The biggest hack of 2026 so far" and a wake-up call for the industry. Translation: yet another reminder that your seed phrase probably deserves more protection than your Netflix account.

This modus operandi mirrors the Bybit exchange hack of 2025 and is a favorite of DPRK-linked threat actors. Guillemet describes the pattern as a "patient, sophisticated supply-chain-level compromise targeting the human and operational layer, not the smart contracts themselves." Basically, they didn't hack the code—they hacked the janitor who had the keys to the server room.

His takeaway? The entire crypto industry needs better vulnerability detection mechanisms, secure key management, and clearer transaction signing practices. Revolutionary stuff. Someone write this down and put it on a poster next to "don't trust, verify."

Meanwhile, Tether CEO Paolo Ardoino sent kudos to the USDT0 team for their swift response. The team paused the legacy mesh infrastructure for Solana within 90 minutes of the drain, presumably to prevent the hacker from exploiting it further. Quick work for a Tuesday. Some of us can't even decide what to order for lunch in 90 minutes.

Legacy Mesh connects native USDT across major blockchains—Ethereum, Solana, and TON—enabling seamless omnichain transactions without wrapped tokens. It's the plumbing that keeps your stablecoins flowing between chains without needing a bridge that rhymes with "exploit."

So yeah, another day