$280M Drift Hack Linked to Multisig Takeover, ZachXBT Criticizes Circle Over USDC Transfers

Nidhi Saini
Published: April 2, 2026

Summary:

  • Drift confirms a $280M exploit tied to a planned admin takeover using pre-approved multisig transactions
  • Attackers used durable nonce accounts to delay execution and gain control; no smart contract bug or seed phrase leak was involved
  • ZachXBT says Circle failed to freeze over $230M in USDC linked to the attack
  • Funds were bridged from Solana to Ethereum through CCTP over several hours

Drift Protocol has shared new details about the $280 million exploit that hit its Solana-based trading platform, placing it among the largest DeFi incidents to date. The incident has drawn attention in the crypto community because of the attack style. According to the team, this was not a quick breach: it was planned, staged, and executed with precision. The Drift Protocol team said on X:

"Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." The team added: "This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution."

Instead of breaking into the system through a code flaw, the attacker worked around the edges. Drift says the exploit likely involved social engineering or misleading transaction approvals. In simple terms, approvals were collected in advance, possibly without raising suspicion at the time. Those approvals were then paired with durable nonce accounts - a feature that lets transactions be signed early and executed later. That delay created the opening.

Once control was secured, the attacker moved fast. They introduced a malicious asset, removed withdrawal limits, and drained funds across multiple pools. Drift confirmed that borrow-lend deposits, vaults, and trading balances were all affected. The stolen assets include JLP, SOL, USDC, cbBTC, and wBTC.

Importantly, the team ruled out two common causes: there was no smart contract bug and no compromised seed phrase. That narrows the issue down to access control and how approvals were handled. One user compared the incident to a similar one:

"$285M puts Drift at #8 on the all-time DeFi hack leaderboard. Same attack vector as Mango Markets - oracle manipulation on Solana." Source

While Drift hasn't confirmed oracle manipulation as the root cause, the comparison shows how familiar patterns can resurface in new ways. Drift is now working with security firms, exchanges, and law enforcement to trace the funds and limit further movement.

"Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets. We would welcome any information or help pertaining to the investigation at hello@drift.trade." Source

ZachXBT Questions Circle's Response

While Drift focuses on tracking funds, attention has shifted to how stablecoin flows were handled during the attack. Onchain investigator ZachXBT publicly criticized Circle, pointing to a delay in freezing funds linked to the exploit. According to his findings, more than $230 million in USDC was bridged from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP). This didn't happen instantly; it unfolded over multiple transactions and several hours. He wrote:

"Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours." Source

He added more context around the incident: "$230M+ USDC bridged via CCTP from Solana to Ethereum across 100+ txns. 6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack." The criticism is aimed directly at Circle: the claim is that there was enough time to act, but no intervention came during that window, even though a centralized issuer like Circle has the ability to freeze assets. So far, Circle hasn't publicly responded to these claims.

What This Means for Solana DeFi

Drift has been a key part of the Solana trading ecosystem, especially in perpetuals, with over $550 million in total value locked before the incident, according to DefiLlama. Multisig approvals are meant to add security, but if those approvals are collected under false assumptions, they can become the weak point. The use of delayed execution through durable nonces adds another layer: it shows that standard features can be used in ways that aren't immediately obvious. At the same time, the movement of funds across chains shows how fast liquidity can shift once control is lost. Even a few hours can make a difference. Drift is still in the middle of its investigation, and more details will likely come out.
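A check a multisig signer could run before approving, shown as an added example (not code from Drift or from this article): it flags a Solana transaction whose first instruction is the System Program's AdvanceNonceAccount, which is what makes it a durable-nonce transaction that stays executable until the nonce is advanced. The message layout follows the JSON-RPC `json` encoding; the account labels and sample messages are constructed.

```python
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SYSTEM_PROGRAM = "1" * 32                   # Solana System Program id
ADVANCE_NONCE = (4).to_bytes(4, "little")   # SystemInstruction::AdvanceNonceAccount

def b58decode(s):
    """Decode a base58 string (instruction data in JSON-RPC responses)."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw

def durable_nonce_info(message):
    """Return nonce details if the message uses a durable nonce, else None.
    Only the FIRST instruction counts: that is where the runtime looks."""
    ixs = message.get("instructions", [])
    if not ixs:
        return None
    first, keys = ixs[0], message["accountKeys"]
    if keys[first["programIdIndex"]] != SYSTEM_PROGRAM:
        return None
    if b58decode(first["data"]) != ADVANCE_NONCE or len(first["accounts"]) < 3:
        return None
    accts = first["accounts"]   # [nonce account, blockhashes sysvar, authority]
    return {"nonce_account": keys[accts[0]],
            "nonce_authority": keys[accts[2]],
            "nonce_value": message["recentBlockhash"]}

def review(message):
    """Signer-side gate: hold anything that does not expire on its own."""
    info = durable_nonce_info(message)
    if info is None:
        return "OK: expires with its recent blockhash"
    return ("HOLD: durable nonce %s (authority %s); signature stays usable "
            "until the nonce is advanced" % (info["nonce_account"], info["nonce_authority"]))

# Constructed sample messages; account labels are placeholders, not real keys.
KEYS = ["<signer>", "<nonce-account>", "<recent-blockhashes-sysvar>",
        SYSTEM_PROGRAM, "<multisig-program>"]
ADVANCE_IX = {"programIdIndex": 3, "accounts": [1, 2, 0], "data": "6vx8P"}
APPROVE_IX = {"programIdIndex": 4, "accounts": [0], "data": "2"}
NONCE_TX = {"accountKeys": KEYS, "recentBlockhash": "<stored-nonce-value>",
            "instructions": [ADVANCE_IX, APPROVE_IX]}
REGULAR_TX = {"accountKeys": KEYS, "recentBlockhash": "<recent-blockhash>",
              "instructions": [APPROVE_IX]}

if __name__ == "__main__":
    for tx in (NONCE_TX, REGULAR_TX):
        print(review(tx))
```
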

About the Author

Nidhi Saini

Nidhi Saini is a writer and co-founder of CotiNews, with over four years of experience working in Web3 marketing. She brings a practitioner’s perspective to her writing, shaped by years spent understanding how blockchain products are positioned, communicated, and adopted. As a co-founder, she is also involved in shaping the platform’s editorial direction, ensuring the publication stays thoughtful, credible, and grounded.
