Drift is seeking contact with the hacker behind a $280M exploit, shifting from incident acknowledgment to direct on-chain outreach while recovery hopes remain conditional and attribution work is still unfinished.
What Drift Actually Said to the Exploiter Wallets
The outreach happened on Ethereum, not Solana: at 05:20:59 UTC on April 3, 2026, the tagged sender “Drift: Team Wallet” used an Ethereum transaction to send an input data message to “Drift Exploiter 1.”
In that on-chain message, Drift wrote, “We are ready to speak. Please reach out via Blockscan chat.”
The same transaction note identified four ETH wallets holding stolen funds and said the protocol would share more updates after third-party attributions were completed.
Cointelegraph reported on April 3, 2026 that outside firms were estimating losses at about $280 million to $286 million when Drift opened that contact channel.
That does not prove negotiations are underway. It does show Drift has moved from acknowledging the breach to making a public, traceable contact attempt on the chain where investigators are following the stolen Ether.
Why Direct Outreach Could Help Recovery Efforts
Public outreach can matter because it creates a response channel without overstating what has been achieved. In a TRM Labs incident analysis, the firm said attackers drained about $285 million on April 1, 2026 in roughly 12 minutes before most of the funds were bridged to Ethereum within hours.
That chain migration helps explain why Drift used Ethereum for the message: if the stolen assets are being watched there, Ethereum-based monitoring and communication become central to any recovery push.
The move also fits a broader post-exploit pattern in which teams combine tracing, public pressure and a possible negotiation channel, a backdrop that looks more serious in a year already shaped by the losses covered in Crypto Hackers Steal $168M From DeFi Protocols in Q1 2026.
Still, the outreach should be read as an attempt to open communication, not evidence that a deal exists. Drift’s own note said more updates would follow after third-party attributions were completed, signaling that tracing work is still running in parallel with any recovery effort.
Why Markets May Stay Cautious Despite the Message
TRM Labs described the breach as the largest DeFi hack of 2026 and the second-largest exploit in Solana history after Wormhole, which explains why a single message has not been enough to reset confidence.
TRM’s suggestion that North Korean actors were likely involved remains preliminary security-firm analysis rather than a confirmed public finding, so the safest read is that attribution is still open even as tracing firms keep working.
Markets have already signaled that caution. CoinMarketCap’s April 2, 2026 market reaction write-up linked the exploit to a roughly 4% to 5% decline in SOL over the previous day, showing that reputational damage spread beyond Drift itself.
That distinction between confirmed evidence and pending claims matters across crypto coverage, not just here, which is why the same evidence-first discipline underpins our OKZOO (AIOT) Transparency Snapshot: Contract Facts, Holder Concentration, and Security Labels and Ozak AI Transparency Tracker: What Is Confirmed, What Is Still Pending.
Drift’s message gives the market a verified sign of active response. It does not mean the stolen funds will be returned, and the balance between recovery hopes and reputational risk for Drift and the wider Solana ecosystem will stay unresolved until investigators produce firmer attribution or wallet movements change the picture.
