Less than 48 hours after draining $285 million from Drift Protocol vaults, the attacker has consolidated nearly all stolen funds into a single asset: Ethereum. On-chain data tracked by Cointelegraph shows the wallet now holds 130,262 ETH worth approximately $267 million, as of April 2, 2026, making it one of the largest concentrated positions assembled this year.
From Solana Tokens to a $267 Million ETH Stack
The conversion happened fast. Within the first hours of the April 1 exploit, blockchain analysts flagged the attacker bridging assets from Solana to Ethereum and buying ETH in bulk. Early snapshots showed 19,913 ETH by 17:49 UTC, then 38,820 ETH by 18:17 UTC. The accumulation continued through the night.
The attacker's playbook was methodical. Stolen assets, which included 41.72 million JLP tokens ($155.6 million), 51.6 million USDC, 125,000 WSOL ($10.45 million), and 164,349 cbBTC ($11.29 million), were swapped into USDC, bridged to Ethereum, and converted into ETH across multiple transactions. Some funds also moved through HyperLiquid and direct exchange deposits.
Now at 130,262 ETH, the attacker has converted roughly 94% of the stolen haul into a single token. At current prices (ETH trading at $2,043, down 4% in the past 24 hours), that position is worth $267 million.
Why the Concentration Matters
A wallet holding 130,262 ETH is not just large. It is large enough to distort markets. For context, ETH's 24-hour trading volume sits at approximately $20.4 billion. A $267 million position represents about 1.3% of daily volume, concentrated in a single entity that acquired it over roughly 36 hours.
The concern is not that the attacker will dump all at once, though that remains possible. It is that every movement from this wallet now triggers a chain reaction among traders, bots, and analysts watching the address. Any transfer to an exchange, any approval of a DEX router, any bridge transaction will be interpreted as a sell signal. The wallet itself has become a source of market volatility regardless of whether the attacker acts.
Cointelegraph noted the accumulation is "significantly impacting market volume," and the timing compounds the pressure. ETH is already down 4% over 24 hours, the Fear and Greed Index reads 27 (Fear), and BTC sits at $66,414 with a 2.9% decline. SOL, the native token of Drift's home chain, has dropped 4.8% to $79.23.
Drift Protocol's Response So Far
Drift Protocol suspended deposits and withdrawals immediately after detecting the breach, warning users to "proceed with caution until further notice." The team said it is coordinating with security firms, bridges, and exchanges to track and potentially freeze the stolen assets.
The DRIFT token has cratered. Trading volume spiked 198% to $22.15 million in the aftermath, almost entirely sell-side, and the token fell more than 20% with its market cap dropping to $31.27 million. The protocol's TVL collapsed from $309 million to as low as $24 million within minutes of the attack.
DeFi Development Corp., a publicly traded company, moved quickly to confirm it had no exposure to Drift Protocol.
No bounty offer has been publicly announced. The attacker has not been identified.
The Bigger DeFi Security Question
This is now the largest Solana ecosystem exploit since the $320 million Wormhole bridge hack in February 2022, and possibly the biggest DeFi hack of 2026 so far. The attack reportedly involved a compromised admin key and oracle manipulation, though Drift has not published a full technical post-mortem yet.
For users holding funds on any Solana DeFi platform, the incident is a reminder that protocol-level risk exists independently of personal key management. Self-custody cards protect against exchange insolvency, but they do not protect against smart contract exploits that drain protocol vaults before users can react.
The broader pattern is familiar. An attacker drains a protocol, converts to a liquid asset (usually ETH or stablecoins), and then faces the bottleneck: actually cashing out without getting frozen. Exchanges and bridge operators have been increasingly aggressive about flagging and freezing tainted addresses. Whether that happens before the Drift attacker moves remains the open question.
What Happens When 130,000 ETH Sits in a Hacker's Wallet
The immediate risk is a large, disorderly sell. If the attacker attempts to liquidate through DEXs, the slippage on a $267 million position would be severe. If they use centralized exchanges, the deposits would likely be flagged and frozen within minutes, assuming the exchanges are cooperating with Drift's security partners.
More likely, the attacker will attempt to obfuscate: splitting across wallets, using mixers or privacy protocols, converting to stablecoins in smaller batches. Each of these steps creates traceable on-chain events that analysts are already monitoring in real time.
For the broader market, the 130,262 ETH overhang adds to an already cautious environment. Until those funds move or are frozen, they represent latent selling pressure that every ETH trader must price in.
Overview
The Drift Protocol exploiter has converted nearly all of the $285 million stolen on April 1 into 130,262 ETH ($267 million), creating one of the largest concentrated positions on Ethereum. The wallet's sheer size means any movement will ripple through markets. Drift has suspended operations, its token is down over 20%, and the attacker has not been identified. Exchanges and security firms are watching the address, but no funds have been frozen or recovered yet.
