Drift Protocol has taken a new step after its recent major exploit. The team has sent on-chain messages to wallets holding the stolen funds. This comes just days after one of the largest DeFi attacks of 2026. The exploit drained roughly $270 million to $285 million from the protocol. Now, the team says it has identified key parties linked to the incident. It is asking them to respond and open communication.
Direct Message Sent to Hacker Wallets
On April 3, Drift Protocol sent messages directly through the blockchain. A known address sent these messages to four Ethereum wallets. These wallets currently hold most of the stolen funds. Blockchain data shows the hacker moved the assets earlier from Solana to Ethereum.
Critical information of parties related to the exploit have been identified. Drift is now sending an on-chain message from 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105 to the $ETH Wallets that holds the stolen funds.
— Drift (@DriftProtocol) April 3, 2026
Wallet 1: 0xAa843eD65C1f061F111B5289169731351c5e57C1 (Timestamp…
The message was simple. Drift stated it is “ready to speak” and asked the wallet owners to reply using Blockscan chat. This approach is not new in crypto. Projects sometimes try to negotiate with attackers. In some cases, this has led to partial fund recovery. But success is never guaranteed. Much depends on who is behind the attack.
A Complex Attack, Not a Code Bug
The exploit itself was unusual. It did not rely on a smart contract flaw. Instead, the attacker used a system-level weakness. They took advantage of “durable nonces,” a valid feature on Solana. These allow developers to prepare transactions in advance.
The attacker used pre-signed transactions created weeks earlier. Then, they gained partial control of the protocol’s multisig system. With this access, they removed key safeguards. After that, they drained funds quickly from multiple vaults. The entire process happened in a short time. More than half of the protocol’s total value was lost.
Funds Moved Across Chains
After the attack, the stolen assets did not stay on Solana. The attacker moved them across chains. The hacker used bridging tools to convert the funds and send them to Ethereum. Reports suggest around 129,000 $ETH now sit across four wallets. This move makes tracking harder. It also reduces the chance of quick recovery.
DRIFT EXPLOIT: WHERE IS THE MONEY?
— Arkham (@arkham) April 2, 2026
The Drift Exploiter stole $278.5M from Drift through a malicious admin transfer. They moved it onto Ethereum where it now sits in 4 addresses:
0x0FE3b6908318B1F630daa5B31B49a15fC5F6B674
0xD3FEEd5DA83D8e8c449d6CB96ff1eb06ED1cF6C7… pic.twitter.com/FaGtvGd398
Some reports have pointed to possible links with known cybercrime groups. But no official confirmation has been made yet. Meanwhile, there has been criticism of delayed responses. Some users questioned why certain assets were not frozen sooner.
Wider Impact on the DeFi Ecosystem
The damage has spread beyond Drift Protocol. Several connected protocols have also felt the impact. Recent data shows that up to 20 projects may be affected. Some have paused services to limit further risk. While the DRIFT token dropped sharply after the incident. Market confidence also took a hit.
Drift Exploit Fallout Spreads to 20 Protocols, Prime Numbers Fi Losses Top $10M
— Wu Blockchain (@WuBlockchain) April 3, 2026
The fallout from the Drift incident continues to widen, with the number of affected protocols rising from 11 to 20, including PiggyBank, Perena, Vectis, Valeo, Amp Pay, Loopscale, Prime Numbers Fi,… pic.twitter.com/v9ezboogGd
Despite this, Solana’s core network remains stable. Application-level risks cause the issue, not the blockchain itself. For now, the investigation continues. Specifically, Drift says it will share more updates once the third-party analysis is complete. Indeed, the situation highlights a key lesson. Even without code bugs, weak governance and key management can lead to major losses.
