Drift Protocol hacker transfers 129k ETH, stealing funds and laundering across chains

On April 2, on-chain monitoring firm EmberCN confirmed that all of the assets stolen by the hacker from the Drift Protocol have been fully exchanged for approximately 129k ETH (about $278 million). Previously, the attack occurred on April 1, when the hacker stole more than $270 million from the Drift Protocol liquidity pool in under an hour.

Attack scale: A single-transaction loss breaks the 2026 DeFi security record

The losses from the Drift Protocol stand out as an unusually large figure among DeFi security incidents in 2026. Since January of this year, 15 DeFi protocols have collectively lost more than $137 million, while the Drift single-incident loss alone reached $285 million—about twice the above cumulative amount—and far exceeded the previous single-largest loss record of $27.3 million, representing roughly a tenfold increase.

The attack was completed in less than an hour, and the speed made it nearly impossible to recover funds immediately. By the time the vulnerability was detected and the treasury entered its protection procedure, most of the assets had already been transferred through multiple layers of technical methods. The overall DeFi recovery rate in 2026 is below 7% ($9 million recovered out of $137 million). Industry analysts are highly pessimistic about the chances of funding recovery in this incident.

Where the funds went: Cross-chain transfer routes and current holding addresses

(Source: Arkham)

According to monitoring by EmberCN, the hacker transferred the stolen assets to Ethereum via a cross-chain bridge, and uniformly converted them to ETH to sever the trail of the original funds. After conversion, the approximately 129k ETH is currently distributed and stored across the following four Ethereum addresses:

· 0xAa843eD65C1f061F111B5289169731351c5e57C1

· 0x0FE3b6908318B1F630daa5B31B49a15fC5F6B674

· 0xbDdAE987FEe930910fCC5aa403D5688fB440561B

· 0xD3FEEd5DA83D8e8c449d6CB96ff1eb06ED1cF6C7

Distributing funds for storage is a standard post-processing method for large-scale DeFi theft cases. The goal is to reduce the overall risk of funds being frozen and to increase the technical difficulty of on-chain tracking. Analysts noted that this operation pattern matches the characteristics of a mature money-laundering process rather than a simple misrouting of funds, meaning the likelihood of funds being recovered is extremely low.

After-the-fact impact: A chain reaction from a liquidity crisis

The direct loss caused by this attack was a severe depletion of liquidity. Large-scale outflows of capital would drive Drift Protocol’s total value locked (TVL) to drop sharply. As the liquidity pool shrinks, trading slippage increases, capital efficiency decreases, and trading volume and fee revenue are compressed.

This kind of chain reaction is prone to forming a negative feedback loop: falling trading volume weakens liquidity incentives, prompting more market makers to withdraw, which further worsens liquidity. Drift Protocol’s governance team’s top priority right now is to formulate a capital restoration path, present a plan for patching the vulnerability to the market, and stabilize users’ confidence in their existing positions. From a more macro perspective, this incident will increase regulatory scrutiny across the entire DeFi industry and prompt developers to re-examine the security standards for smart contracts.

Common questions

Is it possible to recover the $285 million stolen from Drift Protocol?

According to on-chain analysis, the hacker has already carried out multi-layer transfers of the funds via cross-chain bridges and stored the ETH across four different addresses. This is a typical money-laundering route, with an extremely high technical difficulty for recovery. With the overall DeFi recovery rate in 2026 below 7%, the industry generally believes that the hope of recovering funds from this incident is slim.

Why did the hacker choose to convert the stolen assets into ETH?

ETH is the most liquid asset in the Ethereum ecosystem, making it convenient for further cashing out via over-the-counter (OTC) trades or decentralized exchanges. Cross-chain transfer to Ethereum also increases the difficulty of tracking, helping to cut off the direct linkage between the original attack addresses and the final funds. This is the standard post-processing route for large-scale DeFi theft cases.

What warning does this incident carry for DeFi’s security ecosystem?

The scale of Drift Protocol’s single-incident loss exceeds the cumulative losses of the first 15 DeFi incidents before 2026, highlighting systemic risks arising from security vulnerabilities at the protocol layer. This incident could push the industry to accelerate upgrades to smart contract audit standards and to implement more stringent monitoring mechanisms for anomalous behavior in highly liquid protocols.