Drift Protocol Hack (2026): What the £220 Million Exploit Reveals About Crypto Custody Risks
On 1 April 2026, Drift Protocol — a Solana-based decentralised exchange — lost approximately $280 million (around £220 million) in the largest single crypto theft of the year. There was no bug in the smart-contract code. The failure was in governance: two of five multisig signers were socially engineered into approving transactions they did not fully understand. This article explains what happened, why it matters for UK investors, and what practical steps reduce your personal exposure.
Key facts
- £220 million drained on 1 April 2026 via governance key compromise
- No smart-contract flaw — the attack exploited human and process failures
- On-chain behaviour consistent with DPRK-linked actors (Elliptic analysis)
- Infrastructure attacks drove 76% of all crypto losses in 2025
What happened at a glance
Incident summary · Drift Protocol · April 2026
| Item | Detail |
|---|---|
| Date | 1 April 2026 |
| Platform | Drift Protocol (Solana-based DeFi) |
| Amount lost | $280 million (approximately £220 million) |
| Root cause | Governance key compromise — no smart-contract bug |
| Attack vector | Social engineering + pre-signed transactions via Solana durable nonce |
| Signers compromised | 2 of 5 multisig signers |
| Recovery status | Funds tracked on-chain; no significant recovery confirmed at time of writing |
| Attribution | On-chain behaviour consistent with DPRK-linked actors (Elliptic analysis) |
Background
What is Drift Protocol?
Drift Protocol is a decentralised exchange built on the Solana blockchain, primarily used for perpetual futures trading. Unlike a centralised exchange such as Coinbase or Kraken — which holds user funds in custodied accounts — Drift operates through smart contracts: code deployed on-chain that executes trades and manages collateral automatically, without a central company controlling the order book.
Users interact with Drift directly through their own wallets, and funds sit in the protocol's vaults rather than with a company. This structure — where control of the vaults is governed by a Security Council using a multisig approval process — is central to understanding how the hack worked, and why it succeeded.
The incident
What happened and how it worked
On 1 April 2026, Drift Protocol suffered the largest crypto theft of 2026 to date. Approximately $280 million was drained from the protocol's vaults in an attack that exploited governance processes rather than any flaw in the underlying smart-contract code.
Drift's post-mortem confirmed that a malicious actor gained unauthorised access to the protocol's Security Council — the group of signatories responsible for approving administrative governance decisions. Through social engineering and deliberate misrepresentation, the attacker convinced two of the five multisig signers to approve transactions that appeared routine but were not.
The technical mechanism used was Solana's durable nonce feature. Normally, a blockchain transaction must be broadcast and confirmed almost immediately or it expires. A durable nonce removes that expiry, allowing a transaction to be signed in advance and held indefinitely before being broadcast. The attacker used this to pre-sign governance transactions — potentially weeks or months before the exploit — then waited until two signers had approved them, without those signers necessarily understanding what they were approving, before broadcasting everything at once.
Once those pre-signed transactions were live, the attacker gained administrative control of the protocol, introduced a fraudulent collateral asset, removed withdrawal limits, and drained Drift's vaults before anyone could respond. Drift's own post-mortem was clear: there was no bug in the smart-contract code. The exploit was entirely a failure of governance key security and access control.
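A signer-side check for the mechanism described above, as an added example that is not taken from Drift's post-mortem or tooling: a durable-nonce transaction must carry the System Program's AdvanceNonceAccount instruction as its first instruction, so a signing tool can flag it before approval. The sample messages and the `sample_message` helper are constructed for illustration, and the parser reads only the fields it needs from Solana's serialized message layout.

```python
import struct

SYSTEM_PROGRAM = bytes(32)            # System Program id is 32 zero bytes ("111...1" in base58)
ADVANCE_NONCE = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount discriminant


def read_compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def first_instruction(message):
    """Return (program_id, data) of instruction 0 in a serialized message, or None."""
    pos = 1 if message[0] & 0x80 else 0  # versioned messages start with a version byte
    pos += 3                             # header: signer and read-only account counts
    n_keys, pos = read_compact_u16(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32              # skip the keys and the 32-byte blockhash/nonce field
    n_ix, pos = read_compact_u16(message, pos)
    if n_ix == 0:
        return None
    program_index = message[pos]
    n_acc, pos = read_compact_u16(message, pos + 1)
    data_len, pos = read_compact_u16(message, pos + n_acc)
    return keys[program_index], message[pos:pos + data_len]


def uses_durable_nonce(message):
    """True if the transaction stays valid until its nonce account is advanced."""
    ix = first_instruction(message)
    return ix is not None and ix[0] == SYSTEM_PROGRAM and ix[1][:4] == ADVANCE_NONCE


def sample_message(ixs):
    """Build a constructed legacy message from (program_index, account_indexes, data) tuples."""
    keys = [bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32, SYSTEM_PROGRAM, bytes([9]) * 32]
    body = b"".join(bytes([p, len(a), *a, len(d)]) + d for p, a, d in ixs)
    return bytes([1, 0, 3, len(keys)]) + b"".join(keys) + bytes(32) + bytes([len(ixs)]) + body


# Constructed samples: key index 4 stands in for a governance program (hypothetical).
NONCE_TX = sample_message([(3, [1, 2, 0], ADVANCE_NONCE), (4, [0], b"\x07")])
PLAIN_TX = sample_message([(4, [0], b"\x07")])

if __name__ == "__main__":
    print("durable nonce:", uses_durable_nonce(NONCE_TX), "| ordinary:", uses_durable_nonce(PLAIN_TX))
```

A signing policy could refuse, or require out-of-band confirmation for, any governance transaction this check flags, since an approval given today remains usable indefinitely.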
What this means
The Solana blockchain itself continued operating without fault. The smart contracts performed precisely as written. What failed was the human and organisational layer sitting above the code — the governance process that controlled who could change the rules. That failure was enough to drain £220 million in minutes. This is context, not advice.
Attribution
Who was responsible?
Blockchain analytics firm Elliptic and other researchers noted that the on-chain behaviour following the theft — the movement patterns, wallet structuring, and laundering methods — closely resembled previous attacks attributed to DPRK-linked actors. North Korean state-backed groups stole more than $2 billion in crypto during 2025 alone, according to TRM Labs. Attribution in blockchain forensics is probabilistic rather than certain, but the resemblance to known DPRK patterns was significant enough to be widely reported.
State-backed crypto theft at this scale is not an isolated phenomenon. Our overview of the most common crypto scams targeting UK investors covers how state-backed theft fits into the broader landscape of illicit activity affecting the sector globally.
TRM Labs' 2026 Crypto Crime Report found that in 2025, illicit actors stole $2.87 billion across nearly 150 hacks, with infrastructure attacks — compromises of keys, wallets and governance control planes — driving 76% of losses. January 2026 alone saw approximately $370 million stolen.
Recovery
Was any money recovered?
At the time of writing, Drift's funds remain largely unrecovered. On-chain analysts were able to trace the movement of stolen assets across multiple wallets, and blockchain intelligence firms flagged the addresses involved. Some exchanges froze wallets when flagged, which is standard practice following high-profile exploits. However, no significant portion of the £220 million had been returned or seized.
This is consistent with the pattern seen in previous large-scale DeFi hacks. On-chain traceability does not automatically translate into recovery, particularly when the attacker uses cross-chain bridges and privacy tools to fragment and obscure the funds. Tracing is not the same as seizing.
UK context
Why this matters to UK investors
Although Drift Protocol is based overseas, its services are accessible globally, meaning UK investors were almost certainly among those affected. The incident reinforces several points directly relevant under the UK regulatory regime.
Cryptoassets remain high-risk. The FCA is unambiguous that investing in cryptoassets carries very high risk and that consumers should be prepared to lose all their money. Unlike bank deposits or regulated investment products, cryptoasset holdings generally do not benefit from the Financial Ombudsman Service or the Financial Services Compensation Scheme. The FSCS has confirmed it cannot protect you if a platform holding your crypto fails. Our overview of the UK's crypto regulatory framework explains what FCA authorisation means in practice and what it does not cover.
Most UK holders rely on exchange custody. An FCA survey found that 72% of UK consumers keep their cryptoassets with the trading platform they bought them from. These platforms are frequently based overseas and, unlike UK banks, are not currently subject to specific mandatory custody rules. How Coinbase UK and Kraken UK handle customer custody is covered in our exchange reference guide. If a platform suffers a hack or collapses — as Celsius and FTX demonstrated — there may be no regulatory backstop.
Self-custody carries its own risks. The FCA's draft custody guidance acknowledges that holding your own private keys gives full control but is complex and high-risk: if you forget or lose your keys, those assets are permanently irrecoverable. Survey data shows that 9% of UK crypto holders have already lost wallet access through forgotten credentials. Our guide on why self-custody matters and how to approach it safely covers the practical steps involved.
Infrastructure attacks are now the dominant threat. Smart contracts themselves are no longer the primary attack surface — the humans and processes controlling them are. That shift has direct implications for how UK holders should think about where their assets sit and who controls the keys.
The core lesson
What determines your actual exposure to a hack is not which blockchain your assets live on — it is who controls the keys, how transactions are approved, and what safeguards exist between a compromised credential and a drained wallet. Custody arrangements are the question worth asking before depositing funds anywhere. This is context, not advice.
Pattern recognition
Custody is the weakest link
The Drift exploit follows a pattern visible across nearly every major crypto theft of the past three years. The underlying blockchain — in this case Solana — continued operating exactly as designed. The smart contracts performed precisely as written. The failure was human and organisational: a governance structure with too low an approval threshold, no time-lock on administrative transactions, and a social-engineering vulnerability in the signer approval process.
Drift's own post-mortem explicitly identified the absence of a time-lock as a contributing factor. A mandatory delay — even 24 hours — on any governance action affecting withdrawals or vault access would have created a window for the anomaly to be detected and reversed. That window did not exist.
The same principle applies at every level of the ecosystem, from large DeFi protocols to individual exchange accounts. The question is always: what stands between a compromised credential and a drained wallet?
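A minimal model of the missing control, added here as an illustration and not Drift's or any protocol's actual governance code: the `Council` class, its `cancel` reviewer role and the `replay` scenario are hypothetical. It replays a 2-of-5 approval with and without a 24-hour delay, and shows that the delay only helps if someone reviews the queue inside the window.

```python
from dataclasses import dataclass, field

HOUR = 3600


class GovernanceError(Exception):
    pass


@dataclass
class Action:
    description: str
    queued_at: int
    approvals: set = field(default_factory=set)
    cancelled: bool = False


class Council:
    def __init__(self, signers, threshold, delay_seconds):
        self.signers, self.threshold, self.delay = set(signers), threshold, delay_seconds
        self.actions = {}

    def queue(self, action_id, description, now):
        self.actions[action_id] = Action(description, now)

    def approve(self, action_id, signer):
        if signer not in self.signers:
            raise GovernanceError("unknown signer")
        self.actions[action_id].approvals.add(signer)

    def cancel(self, action_id):  # assumed reviewer/guardian power
        self.actions[action_id].cancelled = True

    def execute(self, action_id, now):
        action = self.actions[action_id]
        if action.cancelled:
            raise GovernanceError("cancelled during review window")
        if len(action.approvals) < self.threshold:
            raise GovernanceError("not enough approvals")
        if now < action.queued_at + self.delay:
            raise GovernanceError("time-lock has not elapsed")
        return f"executed: {action.description}"


def replay(delay_seconds, reviewer_reacts_after):
    """Two approvals are already collected; execution is attempted at the earliest moment."""
    council = Council(["s1", "s2", "s3", "s4", "s5"], threshold=2, delay_seconds=delay_seconds)
    council.queue("a1", "remove withdrawal limits", now=0)
    council.approve("a1", "s1")
    council.approve("a1", "s2")
    if reviewer_reacts_after < delay_seconds:  # the anomaly is noticed inside the window
        council.cancel("a1")
    try:
        return council.execute("a1", now=delay_seconds)
    except GovernanceError as err:
        return f"blocked: {err}"
```

With no delay the action executes before a reviewer who reacts within an hour can do anything; with a 24-hour delay the same reviewer blocks it, while a reviewer who takes 48 hours does not.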
Practical steps
What UK investors can do today
None of the following steps eliminate risk entirely, but each addresses a specific and documented vulnerability.
Move long-term holdings to cold storage
A hardware wallet stores your private keys offline, removing them from any internet-connected environment and eliminating remote access as an attack vector. For assets you intend to hold for months or years, this is the single most impactful security step available. Our guide to Ledger vs Trezor and our overview of hardware wallet options beyond Ledger and Trezor cover the choices available to UK users.
Split holdings across custody methods
Keep only what you need for active trading on an exchange, and withdraw the remainder to cold storage when you are not actively using it. Spreading assets across custody types limits the damage any single compromise can cause.
Enable multi-factor authentication everywhere
Protect exchange and wallet accounts with strong MFA. Hardware security keys such as YubiKey or app-based authenticators are significantly more resistant to interception than SMS codes, which can be compromised through SIM-swapping.
Verify addresses and contracts before every transaction
Bookmark official websites rather than following links from emails or social media. Before sending funds or interacting with a protocol, confirm the contract address on a reputable block explorer. This single habit eliminates a large proportion of phishing and address-substitution attacks. Our guide to the most common social engineering tactics used against UK crypto holders covers how these attacks are structured.
Be sceptical of high-yield DeFi protocols
Outsized returns in DeFi often come with outsized governance and smart-contract risk. Before depositing funds into any protocol, check whether it has been independently audited, how long it has been running without incident, and what its governance structure looks like. Treat anonymous or unaudited protocols as high-risk regardless of the stated yield.
Platform standards
What exchanges and protocols should be doing
The Drift incident illustrates structural weaknesses that responsible platforms should be actively addressing. The following measures are not novel — they are established best practices that too few protocols implement rigorously. UK investors can use these criteria as a basic due-diligence checklist when assessing any platform before depositing funds.
| Control | What it means | Drift's gap |
|---|---|---|
| Multi-signature with meaningful thresholds | Governance of material funds requires higher consensus, with geographically and organisationally independent signers | 2-of-5 threshold — too low for protocol-wide consequences |
| Time-locks on administrative transactions | Any action affecting withdrawals, collateral rules or vault access subject to a mandatory 24–72 hour delay before execution | No time-lock — explicitly cited in post-mortem as contributing factor |
| Real-time anomaly detection | Unusual patterns — large withdrawals, new collateral assets, limit changes — trigger automatic freezes pending human review | No automated freeze triggered before funds were drained |
| Proof-of-reserves and independent audits | Regular independent audits of smart contracts, custody infrastructure and bridging code, with public reporting | Audit history limited; governance audit not current |
| Emergency SAFU fund | Ring-fenced reserves maintained to compensate users in the event of catastrophic loss | No publicly disclosed SAFU fund of sufficient scale |
The FCA is currently consulting on custody standards for cryptoassets as part of its broader phased regulatory regime. Its draft guidance acknowledges that there is currently no UK regulation setting minimum standards for crypto custodians. Until a full authorisation regime is in place, users must take responsibility for their own security posture.
Different perspectives
A calm note for different audiences
Hacks at this scale are alarming to read about, but they are not a reason to panic-sell. The underlying blockchains continued operating without interruption. What failed here was a governance process. The practical takeaway: use a hardware wallet for long-term holdings, enable strong authentication on every account, and follow official channels before taking any action in response to a security incident.
Review your exposure to DeFi protocols with low governance thresholds or no published audit history. Consider whether your custody arrangement for significant holdings is appropriately distributed — a single exchange or a single hardware wallet is a single point of failure.
Large balances attract targeted attacks, including the social-engineering campaigns that compromised Drift's signers. Multi-signature wallet arrangements with independent co-signers, cold storage vaults and — at sufficient scale — professional custodians with insurance coverage are worth the additional complexity.
Crypto hacks reflect poor security practices, not an inherent flaw in blockchain technology. The technology performed as designed. Sensible precautions — offline storage, strong authentication, vigilance about what you sign — dramatically reduce personal risk.
Regulatory context
How this connects to custody rules in the UK
The FCA is currently consulting on custody standards for cryptoassets as part of its broader phased regulatory regime. Its draft guidance acknowledges that there is currently no UK regulation setting minimum standards for crypto custodians — meaning that until a full authorisation regime is in place, users must take responsibility for their own security posture. Our overview of the FCA's evolving custody regime and the FSMA timeline covers where the rules currently stand and what changes are coming.
The Drift incident will almost certainly be referenced in regulatory discussions about what adequate governance controls look like for UK-facing platforms. Whether or not UK investors were directly affected, the case makes a compelling argument for the FCA's position that stronger, binding custody standards are overdue.
Current protection gap
There is currently no UK regulation setting minimum standards for crypto custodians. The FSCS cannot protect you if a crypto platform fails. The FCA's full authorisation regime, including mandatory custody rules, is not expected to be fully in place until 2027. Until then, custody decisions rest entirely with the individual investor.
The Noctis view
What the Drift incident means for the wider picture
Global crypto thefts exceeded $2.87 billion in 2025. The £220 million Drift exploit arrived in the first week of April 2026 and immediately became the year's largest single incident. These figures are significant, but what matters most for individual UK investors is not the aggregate number — it is the specific, preventable failure modes each incident exposes.
Drift lost £220 million not because Solana failed, not because its smart contracts were flawed, but because two people approved transactions they did not fully understand, and because there was no time-lock to create space for a second look. That is a governance and process failure. It is also, unfortunately, representative of how most large crypto thefts happen today.
Cold storage, strong authentication, cautious assessment of governance structures, and an honest understanding of what the FCA's current regulatory perimeter does and does not cover — these are not advanced strategies. They are the baseline. The Drift exploit is a reminder of what happens when that baseline is not in place.