Cyrus Younessi co-founded Drift Protocol in 2021 and spent four years turning it into the largest perpetuals DEX on Solana, with around $550 million in TVL at the peak. On April 1, 2026, a North Korean threat actor drained $286 million from the protocol's vaults after a six-month social engineering operation that Younessi later described as the most sophisticated attack he had ever seen pointed at a single team. TVL has since collapsed to roughly $250 million, and Younessi is now spending most of his waking hours trying to convince users to stay.
The response so far has been more transparent than what most other DeFi teams have offered after similar drains, but the math is brutal. Around 75% of the stolen funds were laundered through privacy mixers within 72 hours and are effectively gone. Drift's treasury can cover roughly 30% of the losses. The remaining haircut is being distributed across user balances on a pro-rata basis, and a governance vote on a full "Drift 2.0" relaunch is scheduled for late June 2026. How Younessi handles the next eight weeks will decide if Drift survives as a protocol or joins the long list of post-hack ghost towns.
From MakerDAO Risk to Solana's Biggest Perp DEX
Younessi spent the years before Drift on the risk team at MakerDAO, which at the time was the largest decentralized lending protocol in DeFi. His job was modeling how the DAI stablecoin would behave under stress, and he was part of the team that built the response to the Black Thursday crash on March 12, 2020, when ETH collapsed 50% in a single day and MakerDAO's liquidation engine partially failed.
The Black Thursday experience is the part of his resume that matters most for understanding how he is handling the current crisis. He spent months helping MakerDAO design the surplus auction system that recapitalized the protocol after roughly $4 million in unbacked DAI ended up in circulation. The playbook he is using at Drift right now, with treasury commitments, a governance vote, and a partial socialized haircut, is closer to the MakerDAO recapitalization than to what most newer DeFi teams have tried after a drain.
Younessi left MakerDAO in 2020 and started building Drift the following year with co-founder David Lu. The pitch was specific. Solana had finality measured in hundreds of milliseconds and gas costs measured in fractions of a cent, which meant a perpetuals venue with a real central limit order book could run fully on-chain for the first time. Most other on-chain perp protocols were either AMM based, like the early versions of dYdX, or running their matching off-chain.
Drift raised $24 million in a 2021 round led by Polychain Capital and shipped V1 the same year. V2 launched in 2022 with a hybrid liquidity model that combined an on-chain order book, AMM-style passive liquidity, and an oracle-based pricing engine. By the end of 2025, Drift was responsible for around 45% of all perp volume on Solana and was running ahead of every competing on-chain venue except for the largest cross-chain players.
What Actually Happened on April 1
The April 1 drain was not a smart-contract exploit. The contracts were not bypassed and the vault math was not broken. The attacker compromised a senior Drift engineer through six months of cultivated social contact that ran across a fake job interview process, a series of project collaborations on a competing protocol, and eventually a malicious dependency installed on the engineer's development laptop. The dependency exfiltrated the keys to a hot wallet that held administrative permissions over the insurance fund and a portion of the vault routing logic.
Once the attacker had the keys, the actual drain took less than 11 minutes. They drained the insurance fund first, then forced unprofitable trades against the vault to drain trader balances, then rotated the proceeds through three separate privacy mixers across Solana, Ethereum, and Tron. The on-chain investigation that followed traced the wallet clusters back to Lazarus Group, the North Korean state-sponsored group also responsible for the 2022 Ronin hack and a string of more recent CEX intrusions.
Younessi posted a full incident report within 36 hours and gave a one-hour Discord AMA the same week where he refused to dodge any question. That posture is unusual and it is the main reason Drift still has any user base left. Most teams in his position have hidden behind PR statements and lawyered responses.
The Recovery Plan Versus Comparable Hacks
The plan Younessi laid out in late April runs in three stages, and it borrows pieces from several past responses.
The first stage is direct treasury coverage. Drift Labs committed around $85 million from its operating treasury to user reimbursement, which covers roughly 30% of the loss. The treasury came from the 2021 raise and four years of accumulated protocol fees. The decision to use it all rather than preserve runway for operations is closer to the Aaveresponse after the November 2022 CRV liquidation incident than to most other hack responses.
The second stage is a socialized haircut. After the treasury contribution, the remaining shortfall is around $200 million, which is being spread across user balances on a pro-rata basis. Holders of larger positions absorb a larger absolute haircut but the same percentage hit. The current draft has the haircut sitting at around 38% of remaining user balances, with the exact number depending on which assets the user held and how the insurance fund subrogation works out.
The third stage is the governance vote on Drift 2.0. The proposal restructures the protocol around a new insurance fund design that splits administrative permissions across a multisig with hardware-enforced quorum, eliminates any single hot wallet with vault-routing permissions, and introduces a fee redirect that sends 50% of protocol revenue to a recovery pool until the original haircut is repaid in full. The vote opens in late June 2026.
For comparison, the Wormhole bridge hack of February 2022 ($326M) was made whole by a single direct injection from Jump Crypto, which had no governance component and concentrated all of the cost on one firm. The Mango Markets exploit of October 2022 ($117M) ended in a clawback negotiated with the attacker, who returned around 80% in exchange for legal indemnification that later collapsed in court. The Euler Finance hack of March 2023 ($197M) ended in a full white-hat recovery after the attacker returned funds voluntarily. Drift has none of those exits available because the funds are mixed and the attacker is a state actor.
What User Trust Looks Like After a State-Actor Hack
The question Younessi is now answering in every interview is if user trust can actually be rebuilt after a North Korean drain. The honest answer from the historical data is mixed. Mango Markets never recovered its pre-hack TVL and is now a fraction of what it was. Wormhole is still operating but has never returned to its 2021 prominence. Euler did recover meaningfully after the white-hat negotiation and is roughly back to 70% of its pre-hack levels.
The variables that have predicted recovery in past cases are speed of response, fullness of disclosure, and the size of the eventual user haircut. Drift is scoring well on the first two and badly on the third. A 38% haircut on user balances is large enough that most retail traders will move to a competing venue regardless of how transparent the response is.
What Younessi has going for him is the broader Solana perp ecosystem, which is still growing. The pie is expanding faster than Drift's share is shrinking, and a relaunch under the Drift 2.0 design could capture flow from new users who never held a position during the original drain. That is the bet the team is making, and it is closer to a five-year bet than a five-month bet.
Frequently Asked Questions
Was the Drift hack a smart contract bug?
No. The Drift contracts were not exploited at the code level. The attacker compromised an engineer's development environment through six months of social engineering, exfiltrated administrative keys to a hot wallet, and used those keys to drain the insurance fund and vault balances. The fix involves operational security and key management, not contract changes.
How much will users actually lose?
Around 38% of remaining user balances based on the current draft of the Drift 2.0 recovery proposal. The exact number depends on which assets the user held at the time of the freeze and how the subrogation against the insurance fund settles, but anyone with a balance during the drain should plan for a haircut in that range.
Is North Korea actually responsible?
Multiple independent on-chain forensics firms have traced the laundering wallets back to clusters previously attributed to Lazarus Group, the North Korean state-sponsored hacking unit. The same group has been linked to the Ronin, Atomic Wallet, and several CEX intrusions in the past three years. The attribution is not in serious dispute inside the security community.
Will Drift survive this?
It depends almost entirely on the June governance vote and on how quickly the Drift 2.0 contracts pass an external audit. Past comparable hacks have produced a range of outcomes from full recovery to slow death, and the variables that predict survival are response speed, disclosure quality, and treasury depth. Drift is doing well on the first two.
Bottom Line
Cyrus Younessi spent four years building the dominant perp venue on Solana and is now spending his fifth trying to keep it alive after the largest state-actor hack of 2026. His response so far, treasury commitment, full disclosure, and a structured governance vote, is closer to the MakerDAO recapitalization playbook he helped write than to the public-relations posture most DeFi teams default to after a drain.
Watch the late-June Drift 2.0 vote and the subsequent audit timeline. If both pass cleanly and the user haircut settles near the 38% target, the protocol has a real path back. If either slips, the slow death scenario becomes the base case and Solana perp flow rotates permanently to the next venue down the leaderboard.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.
