Drift Protocol Hack: $285M Solana Exploit Explained (2026)
Drift Protocol hack drained $285M in 12 minutes on April 1, 2026. Here is how the 4-phase exploit worked, who is behind it, and how to protect your Solana funds now.
TL;DR
The Drift Protocol hack drained ~$285M on April 1, 2026 through a 4-phase attack: social engineering of multisig signers, a fake CarbonVote Token used as oracle collateral, durable nonce pre-signed transactions, and a zero-timelock governance window. It was not a smart contract bug. All user funds were in one pooled vault controlled by admin keys — the specific failure mode that non-custodial architectures eliminate.
Florian
Founder & Head of Quant — Stratium
The Drift Protocol hack drained approximately $285 million from Solana's largest decentralized perpetual futures exchange on April 1, 2026, in 31 transactions over 12 minutes. It is the largest DeFi exploit of 2026 and the second-largest in Solana's history. The attack did not exploit a single line of smart contract code. It exploited the architecture: a pooled vault where all user funds sat under centralized admin control.
This article breaks down exactly how the four-phase attack worked, who is suspected to be behind it, what happened to the stolen funds, and what the hack reveals about the structural risk every DeFi vault user carries — often without knowing it.
What Happened to Drift Protocol on April 1, 2026
Drift Protocol was Solana's dominant on-chain derivatives exchange, holding approximately $550 million in total value locked (TVL) as of March 2026, according to DefiLlama. On April 1, beginning at approximately 11:06 AM Eastern Time, on-chain monitoring services Lookonchain and PeckShield detected an anomalous transfer: 41.7 million JLP tokens — worth roughly $155 million — moving out of Drift's primary vault to an unknown wallet.
The transfers continued. By the time Drift confirmed an active attack at approximately 3:00 PM ET and suspended deposits and withdrawals, 31 withdrawal transactions had completed. The entire execution phase took about 12 minutes, according to TRM Labs.
How Much Was Stolen in the Drift Protocol Hack?
The Drift Protocol hack resulted in approximately $285 million in stolen user assets, as confirmed by blockchain analytics firms PeckShield, Elliptic, and TRM Labs, all publishing independent assessments between April 1–2, 2026. Drift Protocol's own official statement placed the figure at approximately $280 million. The difference reflects timing and accounting methodology; the consensus across forensics firms is ~$285 million.
The stolen assets included over 15 token types. The largest single category was 41.7 million JLP tokens (approximately $155 million), followed by $60.4 million in USDC, $11.3 million in cbBTC, $5.65 million in USDT, $4.7 million in wrapped ETH, $4.5 million in DSOL, and $4.4 million in WBTC. Smaller amounts included JUP, JITOSOL, MSOL, BSOL, INF, and FARTCOIN. As of April 4, 2026, no funds have been recovered.
Was the Drift Protocol Hack an April Fools Joke?
No — Drift Protocol explicitly addressed this in their initial public statement. When on-chain monitoring services first raised alerts on April 1, a significant portion of the crypto community dismissed the warnings as an April Fools Day prank. Drift's first post on X read: "We are observing unusual activity on the protocol. We are currently investigating. Please do not deposit funds into the protocol while we investigate. This is not an April Fools joke." The April 1 date complicated early detection, as traders and media initially questioned the legitimacy of the warnings. According to CoinDesk, Helius CEO Mert Mumtaz posted on X: "not 100% fully certain yet, but it seems drift might be getting exploited" — framing that reflected the genuine uncertainty caused by the timing.
Which Tokens and Vaults Were Targeted?
The attacker targeted Drift's primary user vault — a single smart contract holding pooled user deposits across all asset types. The vault held approximately $309 million before the attack; by the time withdrawals were suspended, only $24–41 million remained, according to data from The Defiant. Drift's TVL collapsed from approximately $550 million to $247–252 million within hours, a drop of more than 55%, per DefiLlama. The DRIFT governance token fell 28–40% on the day of the hack, according to CoinGecko and CoinMarketCap data.
How Was Drift Protocol Hacked — The 4-Phase Attack Breakdown
The Drift Protocol exploit was not a flash loan attack, not a reentrancy bug, and not a price manipulation play in the traditional sense. It was a multi-stage, multi-week infrastructure compromise that combined social engineering, a legitimate Solana protocol feature turned against its users, a fake token manufactured specifically for the attack, and a governance architecture that had been quietly weakened five days before execution. Each phase was necessary; none would have succeeded alone.
What Is a Durable Nonce Attack in Solana DeFi?
A durable nonce attack exploits Solana's legitimate "durable nonces" feature, which allows transactions to be pre-signed and executed later without expiring. Normally, Solana transactions expire if not submitted quickly. Durable nonces remove that expiry — useful for hardware wallets and offline signing. In the Drift hack, the attacker created durable nonce accounts between March 23–30, pre-signing malicious withdrawal transactions weeks before execution day, according to TRM Labs. When April 1 arrived, those transactions executed instantly — no delay, no detection window.
This is what CoinDesk described in their technical deep dive: "a Solana feature designed for convenience" repurposed as an attack weapon. Two transactions, four Solana slots apart, created, approved, and executed the malicious admin transfer. The speed of Solana's block finality — its primary performance advantage — became a liability. There was no time to intervene once the pre-signed transactions were submitted.
How Did the Attacker Create and Inflate a Fake Token (CarbonVote/CVT)?
The attacker manufactured a token called CarbonVote Token (CVT) starting approximately March 12, 2026. They minted 750 million units, seeded roughly $500 in liquidity on Raydium, and used wash trading to build a price history near $1 per token, according to TRM Labs. Drift's Switchboard oracle, which assesses collateral value, processed CVT's fabricated price history as legitimate. Using a compromised admin key, the attacker listed CVT as valid collateral on Drift, deposited approximately 785 million CVT tokens as collateral, and then withdrew real user assets — USDC, JLP, cbBTC — against the fictitious CVT value. A $500 liquidity pool was used to extract $285 million.
How Did the Attacker Compromise Drift's Security Council Multisig?
Drift's Security Council was a 2-of-5 multisig — five trusted signers, any two of whom could authorize privileged protocol actions. The attacker socially engineered two of those five signers into pre-signing transactions that appeared routine but contained hidden malicious authorizations, according to Drift's official April 2 statement cited by The Block. Drift confirmed the attack involved "unauthorized or misrepresented approvals, likely obtained through social engineering or transaction misrepresentation." The specific method of approach — whether phishing, impersonation, or another form of social manipulation — has not been confirmed in Drift's public disclosures as of April 4, 2026.
Why Did Removing the Timelock Make Drift Vulnerable?
A timelock is a mandatory delay between the request and execution of a privileged protocol action — typically 24–72 hours. It exists specifically to give the community and security teams time to detect and block malicious governance transactions before they execute. On March 27, 2026 — five days before the exploit — Drift migrated its Security Council to a 2-of-5 threshold with a zero timelock, according to TRM Labs. That migration eliminated the detection window entirely. When the pre-signed malicious transactions fired on April 1, there was no delay, no alert, and no opportunity to intervene. The governance change that removed the timelock was itself approved through the same multisig — meaning the compromise had already occurred before most observers realized anything was wrong.
Was the Drift Hack a Smart Contract Bug?
No. Drift Protocol confirmed in its April 2 statement that the exploit was not caused by a smart contract vulnerability. No seed phrases were compromised. The protocol's underlying code functioned exactly as designed. This distinction matters: no amount of smart contract auditing would have caught this attack. Trail of Bits audited Drift v2 in 2022; ClawSecure completed the most recent audit in February 2026. Neither audit was deficient — the attack surface was governance and key management, not code logic.
Jiang Xuxian of PeckShield stated that "admin keys behind Drift were definitely leaked or compromised." The hack was an administrative and social failure, not a code failure. That is a harder category of problem to solve, because it requires trusting people, not just verifying code.
Who Is Behind the Attack — Attribution and On-Chain Forensics
Two of the leading blockchain intelligence firms published independent attribution assessments within 24 hours of the attack. Their findings point in the same direction, with important caveats.
Are North Korean Hackers Behind the Drift Protocol Exploit?
TRM Labs assessed the attack as "likely perpetrated by North Korean hackers," citing on-chain behavioral patterns consistent with previous DPRK-linked operations, staging from Tornado Cash, and the pace of laundering that exceeded even the Bybit hack in speed. Elliptic published a separate analysis citing "multiple indicators" linking the exploit to DPRK. Attribution at this stage is forensic assessment, not a law enforcement determination. No government agency had confirmed North Korean involvement as of April 4, 2026. The attack shares structural characteristics with the Lazarus Group's previous operations — specifically the $1.4 billion Bybit hack of February 2025 — but confirmed attribution requires a longer investigation timeline.
How Did the Attacker Move the Stolen Funds After the Hack?
The laundering followed a structured multi-chain path documented by ZachXBT and Arkham Intelligence. On Solana, the stolen assets were swapped to USDC using Jupiter DEX aggregator. Approximately $232 million in USDC was then bridged from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP), executed across more than 100 transactions over a six-hour window, according to The Block. On Ethereum, the USDC was converted to ETH — the attacker accumulated approximately 129,000 ETH across four wallet addresses. Additional SOL amounts were routed to HyperLiquid and Binance. Some funds moved through NEAR, Backpack, Wormhole, and Tornado Cash.
The four Ethereum wallets holding the bulk of stolen funds are publicly verifiable on-chain:
0xAa843eD65C1f061F111B5289169731351c5e57C10xD3FEEd5DA83D8e8c449d6CB96ff1eb06ED1cF6C70xbDdAE987FEe930910fCC5aa403D5688fB440561B0x0FE3b6908318B1F630daa5B31B49a15fC5F6B674
On April 3, Drift sent on-chain messages from address 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105 to all four wallets. The message: "We are ready to speak."
Why Didn't Circle Freeze the Stolen USDC in Time?
Circle has the technical authority to freeze USDC balances on-chain — a centralized power built into the USDC smart contract for compliance purposes. In the Drift case, approximately $232 million in stolen USDC was bridged from Solana to Ethereum over six hours via more than 100 CCTP transactions. ZachXBT publicly criticized Circle for not freezing those funds during that window. According to The Block, ZachXBT had previously documented Circle allowing more than $420 million in what he classified as illicit funds to pass through without freezing. By the time Circle acted, the USDC had already been converted to ETH — which Circle has no authority to freeze. The incident highlighted a structural tension in DeFi: stablecoins marketed as decentralized infrastructure retain centralized kill switches that, in practice, require fast coordination to be effective.
How the Drift Hack Compares to the Biggest DeFi Exploits in History
The Drift Protocol hack is the largest DeFi exploit of 2026 and the second-largest in Solana's history. The table below compares it to the major DeFi exploits since 2022, using verified figures from TRM Labs, Elliptic, Helius, and public post-mortems.
| Protocol | Date | Amount Stolen | Attack Vector | Funds Recovered | Protocol Status |
|---|---|---|---|---|---|
| Ronin / Axie | Mar 2022 | $625M | Validator key compromise (DPRK) | Partial | Active |
| Wormhole Bridge | Feb 2022 | $326M | Smart contract bug | $225M (Jump Crypto) | Active |
| Drift Protocol | Apr 2026 | ~$285M | Admin key / multisig / oracle | $0 | Frozen |
| Bybit | Feb 2025 | $1.4B | Admin key compromise (DPRK) | Partial | Active |
| Mango Markets | Oct 2022 | ~$116M | Oracle / price manipulation | $67M returned | Shut down Jan 2025 |
| Cashio | Mar 2022 | ~$52.8M | Infinite mint (no audit) | Small accounts refunded | Defunct |
| Drift v1 | May 2022 | $14.5M | PNL accounting bug | Fully reimbursed | V1 sunset |
Sources: TRM Labs, Elliptic, Helius (Solana hacks history), public post-mortems. Drift v1 data from Drift's 2022 incident report.
One data point from this table stands out: Drift v1 fully reimbursed users after a $14.5M exploit in 2022. The company has raised $52.5 million in total venture funding, according to DefiLlama and PitchBook data. The gap between $52.5 million raised and $285 million stolen makes full reimbursement from company funds extremely unlikely in the current incident.
How Does the Drift Hack Compare to the Bybit Hack?
Both the Drift Protocol hack (April 2026) and the Bybit hack (February 2025) share a structural profile: admin key compromise attributed to suspected North Korean actors, governance-level access rather than smart contract exploitation, and a multi-week preparation period before the execution phase. The Bybit hack was larger at $1.4 billion, but the Drift attack laundered funds faster — according to TRM Labs, the pace of fund movement after the Drift hack exceeded even the Bybit operation's speed. Both hacks expose the same fundamental risk: when private keys control access to pooled user funds, compromising those keys is equivalent to draining every user account simultaneously.
Is Drift Protocol Safe? What Users Need to Know Now
As of April 4, 2026, Drift Protocol has suspended all deposits and withdrawals. All protocol functions remain frozen. Drift has committed to publishing a full post-mortem, which had not been released as of this writing.
Will Drift Protocol Reimburse Users Who Lost Funds?
No reimbursement plan has been announced as of April 4, 2026. Drift v1 fully reimbursed users after its 2022 exploit — a $14.5 million incident the company was capable of covering. The current $285 million figure exceeds Drift's total venture funding of $52.5 million by a factor of more than five. Full reimbursement would require external capital, insurance proceeds, or a negotiated fund return. None of these have been confirmed. Users who had funds deposited in Drift at the time of the exploit should monitor Drift's official channels at drift.trade and their X account (@DriftProtocol) for updates.
What Should I Do if I Had Funds on Drift Protocol?
If you had funds deposited in Drift Protocol at the time of the April 1 exploit, they were in the affected pooled vault. Drift has frozen the protocol, so no further deposits or withdrawals are possible. The steps available now are: document your deposit amounts and transaction history via Solscan, follow Drift's official communications for any compensation or recovery announcements, and do not interact with any smart contracts or links claiming to offer a "refund" or "recovery" — these are almost certainly phishing attempts targeting affected users. For general Solana wallet security after any DeFi incident, review and revoke any active wallet approvals using a tool like revoke.cash.
Can a Hardware Wallet Protect You From DeFi Hacks Like Drift?
A hardware wallet would not have protected Drift users' funds in this case — and this is a critical distinction most commentary on this hack has missed. Hardware wallets protect your private keys. But when you deposit into a DeFi protocol like Drift, your funds leave your wallet and enter a smart contract controlled by the protocol's admin keys. At that point, the security of your hardware wallet is irrelevant. The funds are no longer in your custody — they are in the protocol's custody. What happened to Drift users' funds had nothing to do with their own private key security. Their keys were fine. Drift's admin infrastructure was compromised.
This is why "not your keys, not your coins" is insufficient framing for DeFi vault risk. Even if you hold your own keys, the moment you deposit into a pooled protocol, those keys protect only your right to claim — not the assets themselves.
The Real Vulnerability: Why Pooled Vaults Are a Single Point of Failure
The Drift hack is being reported as a sophisticated multi-stage attack, which it was. But the sophistication of the attack obscures a simpler architectural truth: $285 million was in one place, under one set of keys. That is not a Drift-specific design flaw — it is how most DeFi protocols work.
What Is the Difference Between Protocol Custody and Self-Custody?
When you deposit into a DeFi protocol vault, you transfer custody of your assets to the protocol's smart contract. The contract holds your funds. The protocol's admin keys — or its multisig governance structure — control what happens to those funds. You receive an IOU: a claim token or a position. But the underlying assets are in the protocol's custody, subject to the protocol's security, governance decisions, and key management. Self-custody means your private keys directly control your assets at all times. No intermediary holds them. No governance attack can move them without your signature.
What Is Protocol-Level Risk in DeFi?
Protocol-level risk is the category of risk that exists regardless of how secure your personal wallet is. It includes: smart contract bugs (an audited contract can still have undiscovered vulnerabilities), governance attacks (compromising multisig signers to authorize malicious transactions), oracle manipulation (feeding false price data to inflate fake collateral), and admin key compromise (the specific vector in the Drift hack). Every DeFi protocol that holds user funds in pooled contracts carries protocol-level risk. The question for any user is not "is my wallet safe?" but "is the protocol safe?" — and the Drift hack demonstrates that even protocols with multiple audits, $52.5 million in funding, and years of operation can fail at the governance layer.
How to Protect Your Funds From DeFi Hacks in 2026
The Drift hack provides a practical security framework for anyone using Solana DeFi, not just Drift users. These are actionable steps based on the attack vectors documented by TRM Labs and Elliptic.
What Security Measures Should Users Check Before Using a DeFi Protocol?
Before depositing into any DeFi protocol, check five things:
1. Does the protocol have a published timelock on governance actions? A zero-timelock governance structure — which Drift implemented five days before the hack — eliminates the detection window. Any protocol where admins can execute changes instantly without delay is a higher-risk environment.
2. What is the multisig threshold and signer identity? A 2-of-5 multisig means only two people need to be compromised. Higher thresholds (4-of-7, 5-of-9) and geographically distributed signers with verifiable identities reduce social engineering risk.
3. Has the protocol had a recent, published security audit? Not as a guarantee — Drift had two audits and was still exploited — but as a baseline signal. Review what the audit covered. Audits that focus only on smart contract code do not assess governance architecture.
4. What is the protocol's TVL and track record under stress? DefiLlama provides historical TVL data for most protocols. Large, sudden TVL changes are often an early signal of an active exploit.
5. What are the oracle dependencies? Protocols that rely on external price feeds (Switchboard, Pyth, Chainlink) carry oracle manipulation risk. Check which oracles the protocol uses and whether those oracles have minimum liquidity requirements for token collateral.
For more on position sizing and risk management when trading on Solana, see our guide on risk management strategies for Solana trading.
Are Copy Trading and DeFi Vault Platforms Safe?
They carry different categories of risk and should not be evaluated as a single category. DeFi vault platforms — like Drift — pool user funds into smart contracts under admin key control. The risk is protocol-level: one governance failure can drain all users simultaneously. Copy trading platforms that execute trades in individual user wallets operate on a different architecture: funds never enter a pooled contract. The risk is execution quality, not custody. Neither model is risk-free, but they are exposed to fundamentally different failure modes.
If you are evaluating copy trading as an alternative to active DeFi participation, understanding those architectural differences matters more than any marketing claim either type of platform makes. For a full breakdown of how algorithmic approaches behave in volatile markets, see our analysis of algorithmic copy trading in bear markets.
The Vault Architecture Problem — and What the Alternative Looks Like
The Drift hack drained $285 million because all of it sat in one place: a pooled vault under admin key control. That is the category of risk that governance attacks exploit. Individual user wallets cannot be drained this way — there is nothing to drain at scale.
Non-custodial copy trading platforms execute trades in users' individual wallets rather than pooling funds into protocol-controlled contracts. When a copy trade fires, it executes as a transaction in your wallet — your keys sign it, your wallet holds the result. There is no vault. There is no single pool that a governance attack could drain.
Stratium is one example of this architecture in practice on Solana. When Stratium copies a trade from a curated strategy wallet, it executes that transaction in your wallet directly. Your private keys are AES-256 encrypted and exportable at any time — if the platform shut down tomorrow, you retain full wallet access and your funds stay in place. There are no pooled deposits, no admin keys controlling user balances, no multisig that can be socially engineered to drain user funds.
Stratium charges 0.1% per trade — verifiable against the industry benchmark of 0.5–1% at platforms like Trojan and BonkBot, as documented in our Solana trading bot fee comparison. Every strategy is a real Solana wallet address with a publicly verifiable performance history on Solscan — including strategies that have lost money, displayed alongside those that have not.
The Frost Striker strategy, for example, has executed 2,150 trades with a 59% win rate and generated +163.84 SOL in realized gains. You can verify that record on-chain at Solscan before depositing a single SOL: stratiumsol.com/strategy/4iaJQWCdr9iBqh2DUDVhaf5DeLi1mZBZLHanvbTLGFbv.
A note on limitations: Stratium is a young platform with no published third-party security audit and no independent external reviews as of this writing. Server-side key encryption is not the same as hardware wallet self-custody. The platform has not yet been tested at scale or under adversarial conditions the way Drift had. These are real considerations. What the architecture eliminates is the specific risk vector that destroyed Drift: a single drainable vault controlled by compromised admin keys.
Check Stratium's live on-chain trade feed and strategy performance at stratiumsol.com.
Timeline: The Complete Chronology of the Drift Protocol Exploit
The attack was not improvised. It was a 21-day operation from first on-chain staging to full execution, according to the forensic timeline published by TRM Labs and Elliptic.
| Date | Event |
|---|---|
| March 11, 2026 | On-chain staging begins: 10 ETH withdrawn from Tornado Cash |
| ~March 12, 2026 | CarbonVote Token (CVT) deployed on Raydium with ~$500 in seed liquidity |
| ~March 24, 2026 | Attacker wallet HkGz4K created, funded via Near Intents |
| March 23–30, 2026 | Durable nonce accounts created; malicious transactions pre-signed |
| March 27, 2026 | Drift Security Council migrated to 2/5 threshold with zero timelock |
| April 1, ~11:06 AM ET | First transfer: 41.7M JLP tokens (~$155M) leave Drift vault |
| April 1, ~1:30 PM ET | Lookonchain and PeckShield trigger on-chain alerts |
| April 1, mid-afternoon | Drift posts initial X warning ("This is not an April Fools joke") |
| April 1, ~3:00 PM ET | Drift confirms active attack; suspends deposits and withdrawals |
| April 1, afternoon | 31 transactions complete; ~$285M transferred in ~12 minutes |
| April 1–2 | ~$232M USDC bridged Solana → Ethereum via 100+ CCTP transactions |
| April 2, 2026 | Drift publishes detailed official statement; TRM Labs and Elliptic publish forensic reports |
| April 3, 05:17–05:25 UTC | Drift sends on-chain messages to four attacker Ethereum wallets |
| April 3–4, 2026 | ZachXBT publishes Circle/USDC freeze criticism; Binance and Coinbase suspend DRIFT trading |
| April 4, 2026 | $0 recovered; no compensation plan announced; post-mortem pending |
Sources: TRM Labs, Elliptic, CoinDesk, The Block, Drift Protocol official statements.
Key Takeaways: What the Drift Hack Changes
The Drift Protocol hack is the clearest demonstration yet that DeFi security cannot be reduced to smart contract auditing. The protocol had two recent audits — Trail of Bits in 2022, ClawSecure in February 2026 — and was exploited anyway, through governance and key management, not code. The attack vector was administrative: compromised multisig signers, a zero-timelock governance window, and a fabricated token that passed oracle verification because it was listed by a compromised admin.
For users, the practical implication is architectural. The question is not whether a protocol has been audited. The question is where your funds are when you are not actively trading — and who controls the keys to move them. In Drift's case, the answer was: in a pooled vault, under admin keys that could be compromised through social engineering.
In the Drift hack, $285 million vanished because all user funds sat in one vault. On Stratium, there is no vault to drain.
Verify Stratium's on-chain strategy performance, including losing trades, before making any decision: stratiumsol.com/strategy/4iaJQWCdr9iBqh2DUDVhaf5DeLi1mZBZLHanvbTLGFbv.
Frequently Asked Questions
What is the Drift Protocol hack? The Drift Protocol hack was a $285 million exploit of Solana's largest decentralized perpetual futures exchange, executed on April 1, 2026 through a combination of social engineering, durable nonce exploitation, fake token oracle manipulation, and governance architecture abuse. It is the largest DeFi hack of 2026.
Was the Drift hack caused by a smart contract bug? No. Drift Protocol confirmed the exploit was not caused by a smart contract vulnerability. The attack targeted governance and admin key infrastructure, not code. Multiple prior audits did not prevent the hack because audits cover smart contract logic, not the human and governance layer.
How long did the Drift Protocol hack take? The execution phase — 31 withdrawal transactions — took approximately 12 minutes. The preparation phase began on March 11, 2026, making the total operation 21 days from first staging to execution.
Who is responsible for the Drift Protocol hack? TRM Labs and Elliptic have assessed the attack as likely linked to North Korean state-sponsored hackers, citing on-chain behavioral patterns consistent with previous DPRK operations. This attribution has not been confirmed by law enforcement as of April 4, 2026.
Will Drift Protocol users get their money back? No reimbursement plan has been announced as of April 4, 2026. Drift's total venture funding of $52.5 million is far less than the $285 million stolen, making full reimbursement from company funds unlikely without external capital or a negotiated fund return.
What is a durable nonce attack? A durable nonce attack exploits Solana's legitimate "durable nonces" feature, which allows pre-signed transactions to be executed later without expiring. The Drift attacker pre-signed malicious withdrawal transactions weeks before execution day, so that when April 1 arrived, the transactions fired instantly with no detection window.
What happened to the stolen Drift Protocol funds? Stolen assets were swapped to USDC via Jupiter on Solana, then bridged to Ethereum via Circle's CCTP in 100+ transactions totaling approximately $232 million. On Ethereum, the USDC was converted to approximately 129,000 ETH across four attacker wallets. No funds have been recovered.
This article is for informational purposes only and does not constitute financial advice. Crypto trading involves substantial risk of loss. Past performance of any trading strategy is not indicative of future results. Always conduct your own research before depositing funds into any protocol or platform.
About the Author
Florian has been trading Solana-based strategies since 2022 with a focus on algorithmic and quantitative approaches. As the founder of Stratium, he trades his own capital in the same strategies available to users. His strategy wallet has a publicly verifiable track record on Solscan, updated in real-time. He writes to help traders understand the difference between verified on-chain performance and unverifiable alpha claims. Follow him on X at @flo_stratium.
Related Articles
Written by
Florian
Founder & Head of Quant — Stratium
Florian is the founder and Head of Quant at Stratium. With 5+ years of experience in quantitative finance and algorithmic trading, he built the copy trading engine from the ground up on Solana — designing the strategy curation framework, FIFO PnL engine, position sizing models, and on-chain execution infrastructure. He writes about quantitative trading, Solana DeFi, and the data behind copy trading performance.