The attack began at approximately 03:14 UTC on April 19, 2026. Judged by its on-chain signature, the exploit is, in the Bureau's assessment, the most sophisticated DeFi attack to target the Solana ecosystem to date.
Drift's Security Council, a multisig with elevated permissions over the protocol's upgrade authority and emergency pause mechanisms, was protected by what its designers considered a hardened multi-party signing scheme. The attacker did not break the multisig. Instead, the attacker exploited Solana's durable nonce feature — a primitive intended to allow transactions to be pre-signed and executed at a later time — to construct a chain of pre-signed transactions that, when executed in a specific sequence, granted attacker-controlled keys signing authority over the Security Council itself.
Once authority was transferred, the rest was mechanical. The attacker upgraded the Drift program to a malicious version, drained protocol-owned liquidity into a series of intermediate wallets, and began routing funds through Wormhole into Ethereum, where they were dispersed across approximately 40 wallets and a series of cross-chain bridges within four hours.
Elliptic's analysis, shared with the Bureau under standing information-sharing protocols, identifies several on-chain markers consistent with Lazarus Group's established playbook: the specific bridging cadence, the wallet-funding tree structure preceding the attack by approximately 11 days, and the use of two intermediary mixing services known to the Bureau as historically Lazarus-affiliated.
The Bureau notes that attribution to a state actor does not, by itself, change the on-chain reality of the exploit, but it does meaningfully change the prospects for recovery. Funds that move through Lazarus-aligned infrastructure are, in the Bureau's historical experience, recovered at rates well below 5%.
Drift's team has issued a statement acknowledging the exploit, confirming the rough magnitude of the loss, and announcing the temporary suspension of new deposits while the protocol is re-deployed under a new program ID with the durable nonce attack surface fully closed. The team has not committed to a full user reimbursement, and the Bureau has not received any indication that one is forthcoming.
The Bureau is reviewing every Solana protocol with a Security Council pattern resembling Drift's for similar exposure, and will be issuing a formal advisory to Solana DeFi teams within the week. The Bureau's preliminary guidance: assume durable nonces are part of your attack surface until you have explicitly proven otherwise.
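As a starting point for that kind of review, the following added example (not code from the Bureau, Drift or Elliptic) flags transactions that are durable-nonce transactions and also reference a governance account. It relies on the fact that Solana treats a transaction as durable-nonce only when its first instruction is the System Program's AdvanceNonceAccount. It assumes messages shaped like the RPC "json" encoding with any lookup-table accounts already resolved into `accountKeys`; the function names and every account key other than the System Program are hypothetical placeholders.

```python
# Added example: flag durable-nonce transactions that touch governance accounts.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = 4  # SystemInstruction::AdvanceNonceAccount, u32 little-endian tag
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Decode the base58 instruction data used by the RPC "json" encoding."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' is one zero byte
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def nonce_use(msg):
    """Return (nonce_account, nonce_authority) if msg is a durable-nonce
    transaction, else None. Only instruction 0 counts: a later
    AdvanceNonceAccount does not make the transaction durable."""
    keys, ixs = msg["accountKeys"], msg["instructions"]
    if not ixs:
        return None
    ix, data = ixs[0], b58decode(ixs[0]["data"])
    if keys[ix["programIdIndex"]] != SYSTEM_PROGRAM or len(data) < 4:
        return None
    if int.from_bytes(data[:4], "little") != ADVANCE_NONCE or len(ix["accounts"]) < 3:
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority.
    return keys[ix["accounts"][0]], keys[ix["accounts"][2]]

def flag(msg, watched):
    """Report a durable-nonce transaction whose later instructions touch `watched`."""
    use = nonce_use(msg)
    if use is None:
        return None
    touched = {msg["accountKeys"][i] for ix in msg["instructions"][1:]
               for i in ix["accounts"]} & set(watched)
    if not touched:
        return None
    return {"nonce_account": use[0], "nonce_authority": use[1], "touched": sorted(touched)}

# Constructed sample messages; every key except the System Program is a placeholder.
COUNCIL = "CouncilMultisigPlaceholder"
KEYS = ["SignerPlaceholder", "NonceAccountPlaceholder", "RecentBlockhashesSysvarPlaceholder",
        SYSTEM_PROGRAM, COUNCIL, "MultisigProgramPlaceholder"]
ADVANCE = {"programIdIndex": 3, "accounts": [1, 2, 0], "data": "6vx8P"}  # bytes 04 00 00 00
GOVERN = {"programIdIndex": 5, "accounts": [4, 0], "data": "2"}  # constructed governance call
PRESIGNED = {"accountKeys": KEYS, "instructions": [ADVANCE, GOVERN]}
ORDINARY = {"accountKeys": KEYS, "instructions": [GOVERN, ADVANCE]}  # nonce ix not first
```

A hit from `flag` is a prompt for review rather than proof of compromise: it identifies a signature that does not expire with a recent blockhash and stays usable until the reported nonce account is advanced.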
