Drift Protocol Follow-Up: Team Sends On-Chain Messages Addressing Exploit Wallet Links

TLDR

• Drift has dispatched on-chain messages to four Ethereum wallets associated with the stolen funds.
• The communications originated from the wallet 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105.
• Drift stated that individuals connected to the exploit have been identified.
• The protocol indicated the attack utilized durable nonce transactions.
• Drift is collaborating with security companies, exchanges, and law enforcement.

---

(SeaPRwire) –   The Drift Protocol has announced it sent on-chain messages to four Ethereum wallets it believes are holding assets from its recent security breach, as part of its ongoing response. In a public statement, the team reported that vital information regarding parties involved in the exploit has been identified and that it is prepared to engage in dialogue via Blockscan chat. The communication was initiated from the wallet address 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105.

Drift identified the four wallet addresses as 0xAa843eD65C1f061F111B5289169731351c5e57C1, 0xD3FEEd5DA83D8e8c449d6CB96ff1eb06ED1cF6C7, 0xbDdAE987FEe930910fCC5aa403D5688fB440561B, and 0x0FE3b6908318B1F630daa5B31B49a15fC5F6B674. The protocol also released the timestamps for the messages, which were sent on April 3, 2026, between 05:17:23 AM UTC and 05:25:11 AM UTC. Further updates will be provided once external attribution efforts are finalized, the team noted.

Critical information of parties related to the exploit have been identified. Drift is now sending an on-chain message from 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105 to the ETH Wallets that holds the stolen funds.

Wallet 1: 0xAa843eD65C1f061F111B5289169731351c5e57C1 (Timestamp…

— Drift (@DriftProtocol) April 3, 2026

This recent announcement follows Drift’s disclosure that a malicious actor obtained unauthorized access to the protocol via a novel method involving durable nonces. The company reported that the breach enabled a swift seizure of the Drift Security Council’s administrative authority. Drift characterized the operation as appearing to involve several weeks of preparation and a phased execution.

Drift Details Attack Method and Security Breakdown

In previous statements, Drift explained that the intrusion was made possible by pre-signed durable nonce transactions, which permit execution after a delay. The incident also involved compromised approvals from several multisig signers, potentially due to targeted social engineering or misrepresented transactions, the company added. Drift has not attributed the exploit to a flaw in the smart contract code itself.

The protocol initially alerted users on April 1 about unusual activity and recommended against making deposits during the investigation. In subsequent updates on April 2, the company elaborated on how the attacker seemingly acquired control over administrative privileges. Drift clarified that durable nonce accounts allow pre-signed transactions to lie dormant until they are activated at a predetermined time.

The attack garnered significant attention in the cryptocurrency space for its combination of governance access, delayed transaction execution, and breached signer approvals. Public discussion highlighted the risks associated with multisig administration and the potential for signers to authorize transactions without full comprehension. Drift described the operation as sophisticated, suggesting the attacker spent weeks planning it.

Investigation Expands Across Firms and Platforms

Drift is working with various security firms to identify the incident’s root cause and track the movement of funds. The team is also coordinating with bridges, exchanges, and law enforcement agencies to freeze the stolen assets where feasible. Individuals with pertinent information are asked to contact hello@drift.trade as the probe continues.

A comprehensive postmortem report has not yet been published, but a more detailed account is expected in the near future as more information is gathered. The public attempt to contact the four Ethereum wallets signifies a new stage in the response, showing the team’s effort to establish direct communication with the presumed holders of the stolen funds.

On-chain messaging is becoming a common tool in cryptocurrency investigations for initiating contact with wallet holders when off-chain details are unavailable. In this instance, Drift expressed its readiness to talk and encouraged recipients to reply using Blockscan chat. Publicly listing the wallet addresses and timestamps also serves to create an official record of this outreach effort.