Hackers Drain $280M From Drift Protocol — Could TrustWallet Users Be At Risk?

A massive $280 million breach has just hit the crypto space, and users are already losing funds. Attackers exploited a flaw in Drift Protocol's transaction system, using malicious approvals to drain wallets in seconds. Trust Wallet users could be next?

Trust Wallet users are being urged to enable an additional security feature following the $280M Drift Protocol exploit. (Image: CoinDesk)

Wallets like TrustWallet use the same permission-based structure, meaning the same type of attack can happen anytime.

Even worse, you don't need to actively interact with anything. Once attackers gain access at the system level, funds can be wiped without warning.

Many users assume their wallet is "safe" or that they're not a target. That's exactly what attackers rely on. Victims are already reporting losses between $5,000 and $132,000, gone instantly, with no recovery option.

If you don't have the right security feature enabled, your wallet is exposed right now.

Trust Wallet is urging users to activate this protection immediately. It takes less than a minute, and could be the only thing stopping unauthorized access to your funds.

This setting puts control back in your hands, so even in the event of a breach, attackers can't move your funds without your direct approval.

Ledger CTO tweet — Trust Wallet security warning — Ledger CTO Charles Guillemet on X, April 3, 2026 — urging Trust Wallet users to enable security features

What to do now

Step 1: Go to the official Trust Wallet privacy section

Step 2: Connect your wallet.

Step 3: Open privacy settings and enable the feature

Protect your funds before it's too late. Takes less than 60 seconds.

Check Security Protocol

Official Trust Wallet protection feature

Don't assume you're safe. Don't wait.
Attacks like this happen silently, and by the time you notice, everything is already gone.

How the attacker used them

Drift's protocol was governed by a 'Security Council multisig,' a system in which multiple people (in this case, five) share control, and any action requires at least two of them to approve. Multisigs are a standard security practice in DeFi, where the idea is that compromising a single person is not enough to steal funds.

But the attacker did not need to compromise anyone's keys. All they needed were two signatures, and they appear to have obtained them through what Drift describes as "unauthorized or misrepresented transaction approvals," meaning the signers likely thought they were approving a routine transaction.

Here is the timeline Drift published ina Thursday X post.

On March 23, four durable nonce accounts were created. Two were associated with legitimate Drift Security Council members. Two were controlled by the attacker. This means the attacker had already obtained valid signatures from two of the five council members, locked into durable nonce transactions that would not expire.

On March 27, Drift executed a planned Security Council migration to swap out a council member. The attacker adapted. By March 30, a new durable nonce account appeared, tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration.

On April 1, the attacker executed.

First, Drift ran a legitimate test withdrawal from its insurance fund. Approximately one minute later, the attacker submitted the pre-signed durable nonce transactions. Two transactions, four slots apart on the Solana blockchain, were enough to create and approve a malicious admin transfer, then approve and execute it.

Within minutes, the attacker had full control of Drift's protocol-level permissions. They used that control to introduce a fraudulent withdrawal mechanism and drain the vaults.

What was taken and where it went

Onchain researchers tracked the fund flows in real time. The breakdown of stolen assets, compiled by security researcher Vladimir S., totaled roughly $270 million across dozens of tokens.

The largest single category was $155.6 million in JPL tokens, followed by $60.4 million in USDC, $11.3 million in CBBTC (Coinbase wrapped bitcoin), $5.65 million in USDT, $4.7 million in wrapped ether, $4.5 million in DSOL, $4.4 million in WBTC, $4.1 million in FARTCOIN, and smaller amounts across JUP, JITOSOL, MSOL, BSOL, EURC, and others.

The primary drainer wallet was funded eight days before the attack via NEAR Protocol intents but remained inactive until execution day. Stolen funds were transferred to intermediary wallets that were funded just the day before via Backpack, a decentralized crypto exchange that requires identity verification, potentially giving investigators a lead.

From there, funds moved to Ethereum addresses via Wormhole, a cross-chain bridge. Those Ethereum addresses had been pre-funded using Tornado Cash, the sanctioned privacy mixer.

ZachXBT, a prominent onchain investigator,notedthat over $230 million in USDC was bridged from Solana to Ethereum via Circle's CCTP (Cross-Chain Transfer Protocol) across more than 100 transactions.

He criticized Circle, the centralized issuer of USDC, for not freezing the stolen funds during a six-hour window after the attack began around noon Eastern time.

The attack was also reminiscent of recent social engineering attempts, using tactics similar to those seen before, according to asocial media postby a user who goes by 'Temmy.' "we've seen this before. we've seen this so many times," the user said.

"bybit. $1.4 billion. the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code. ronin bridge. $625 million. compromised validator keys. same story. cetus protocol. $223 million. different method but same result. hundreds of millions gone." the post said.

What was not compromised

What failed was the human layer around the multisig. Durable nonces allowed the attacker to separate the moment of approval from the moment of execution by more than a week, creating a gap in which the context of the signed document no longer matched the context in which it was used.

All deposits into Drift's borrow-and-lend products, vault deposits, and trading funds are affected. DSOL tokens not deposited in Drift, including assets staked to the Drift validator, are unaffected. Insurance fund assets are being withdrawn and safeguarded. The protocol has been frozen, and the compromised wallet has been removed from the multisig.

As such, this is the third major exploit in recent months that did not involve a code vulnerability. Social engineering and operational security failures, rather than smart contract bugs, are increasingly how money leaves DeFi protocols.

The durable nonce vector is particularly dangerous because it exploits a feature that exists for good reason and is difficult to defend against without fundamentally changing how multisig approvals work on Solana.

The open question, which Drift's forthcoming detailed postmortem will need to answer, is how two separate multisig members approved transactions they did not understand, and whether any tooling or interface changes could have flagged durable nonce transactions as requiring additional scrutiny.

Read more:North Koreans hackers likely behind $286 million Drift Protocol exploit