Drift Exploiter Swaps $270M, Buys $82.7M in ETH

Ethereum$1,687.05 caught a forced bid from the worst kind of buyer. Earlier today, Lookonchain flagged a suspected exploit at Drift Protocol$0.042, saying more than $270 million in assets had been moved suspiciously to Solana$79.10 wallet HkGz4K...pZES. ^[1] A few hours later, the on-chain tracker said the exploiter had already begun rotating the haul, swapping into USDC$1.0002, bridging to Ethereum, and buying ETH. At the time of that post, Lookonchain said 19,913 ETH, worth about $42.6 million, had been accumulated. A later update pushed that figure to 38,820 ETH, or roughly $82.66 million. ^[1]

That flow matters because it shows the attack moving beyond the theft phase and into monetization. Converting stolen assets into USDC reduces price risk and simplifies bridge transfers. Moving that capital onto Ethereum and into ETH gives the exploiter access to deeper liquidity, along with a more flexible asset for further transfers, collateralization, or eventual off-ramping. For traders, it is a reminder that spot demand is not always bullish demand. Sometimes it is just laundering pressure wearing a green candle.

Drift itself confirmed the situation was active, not rumor. The protocol said it was observing "unusual activity," told users not to deposit, and warned that funds were still at risk. Drift also urged users to secure their funds by migrating positions. That makes this more than an isolated wallet story. It is an active protocol incident with user exposure still in play, not just a post-mortem on stolen funds. ^[2]

Phantom moved quickly on the wallet side. The Solana wallet provider said it was investigating and added a required warning for users trying to access Drift, with an acknowledgement step for anyone who still wanted to proceed. That is a small but important containment measure. When an exploit is still unfolding, UX friction can be a security tool. ^[3]

The market response in DRIFT has been messy, and this time it has been expressive. On MEXC, DRIFT traded around $0.0483, down roughly 29 percent over 24 hours, with an intraday range from $0.047 to $0.0728 and volume near $830,500. That kind of drawdown, combined with a wide trading range and still relatively modest volume, suggests the market is repricing the incident in real time rather than digesting it calmly. It also means token action may still be understating the full protocol-level damage until users get clearer information on losses, recoverability, and whether bad debt sits elsewhere in the stack.

A couple of substantive replies under Lookonchain's post highlighted the key operational risk. One noted that buying 38,000 ETH in a matter of hours pointed to extremely fast execution and argued Circle would need to freeze USDC quickly to slow further bridging. Another raised the obvious next question: what happens to the remaining $100 million-plus in USDC reportedly still tied to the flow? Those are the two pressure points now: issuer intervention and the pace of the attacker's remaining conversion. ^[1]

There is also a cross-chain lesson here. The exploit path appears to run from a Solana-native protocol, through stablecoin conversion, into Ethereum liquidity. That is exactly why bridge and stablecoin chokepoints matter during incident response. If funds are still in USDC, there may still be options. If they keep getting converted into ETH and dispersed, recovery odds usually deteriorate quickly.

The Watchlist from here is simple: additional Drift disclosures on user losses and protocol solvency, any sign of Circle action on associated USDC, and whether Lookonchain or other on-chain analysts show the remaining funds still sitting in stablecoins or continuing to rotate into ETH. For the market, this is not clean bullish flow. It is stolen capital looking for an exit.