
Is Your Crypto Funding Pyongyang? Inside Solana-Based Drift Protocol $286 Million Exploit

Blockchain analytics firm Elliptic says the $286 million exploit of Solana-based Drift Protocol is almost certainly linked to the Democratic People’s Republic of Korea (DPRK).

Solana Suffered One Of The Largest Crypto Exploits In History

On April 1st, the DEX Drift Protocol suffered a major exploit that drained nearly $300 million in crypto assets from its core vaults. The exchange reported on it on its official X account while it was still ongoing.

The raid unfolded in under 20 minutes, with roughly $286 million siphoned off across a basket of assets from close to twenty vaults. Drift is the largest decentralized perpetual futures exchange on Solana. This is the largest crypto exploit seen so far in 2026 and ranks among the largest on record, edging out the $235 million WazirX breach.

Drift’s total value locked (TVL) collapsed from roughly $550 million to under $250 million after the attack. The team’s emergency response consisted of pausing deposits and withdrawals and coordinating with security firms and exchanges.

The protocol shared the details of the incident afterward, claiming it was “a highly sophisticated operation that appears to have involved multi-week preparation and staged execution”. Beyond that, the exchange’s official channels refrained from attributing responsibility.

Now, the analytics firm Elliptic has released an investigation claiming the on-chain behavior, laundering techniques, and network-level indicators match the methods seen in prior DPRK-linked operations, making this not just another DeFi rug, but a suspected state-sponsored attack.

The North Korean Hackers Strike Again

Ledger CTO Charles Guillemet also linked Drift’s attack methodology to Bybit’s $1.4 billion hack, which was attributed to North Korean hacking groups. NewsBTC’s sister website Bitcoinist reported on this yesterday.

According to Elliptic, the attacker likely compromised Drift’s administrator private keys, gaining privileged control over withdrawals and key parameters. The attack systematically drained three main vaults: JLP Delta Neutral, SOL Super Staking and BTC Super Staking, including a single $41.7 million JLP transfer worth about $155 million.

Elliptic traced the stolen funds and concluded that the attacker created the wallet roughly eight days before the exploit and even received a small test transfer from a Drift vault. This suggests a pre-planned, staged operation rather than a smash-and-grab.
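The staging pattern described above (a freshly created wallet, a small test transfer from a vault, then a short burst of large outflows across several vaults) can be expressed as a monitoring rule. The sketch below is an added example, not code from Drift or Elliptic; the function name, the thresholds and every record in the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    ts: datetime
    vault: str
    recipient: str
    usd: float

def staged_drain_alerts(transfers, first_seen, max_age=timedelta(days=14),
                        test_usd=100.0, window=timedelta(minutes=20),
                        min_vaults=3, min_usd=1_000_000.0):
    """Flag recipients that are young wallets, got an earlier small test
    transfer from a vault, then drew from several vaults in one short burst.
    All thresholds are assumed defaults, not values published by Elliptic."""
    by_recipient = {}
    for t in sorted(transfers, key=lambda t: t.ts):
        by_recipient.setdefault(t.recipient, []).append(t)
    alerts = []
    for recipient, txs in by_recipient.items():
        large = [t for t in txs if t.usd > test_usd]
        if not large:
            continue
        start = large[0].ts  # burst window is anchored at the first large outflow
        burst = [t for t in large if t.ts - start <= window]
        had_test = any(t.usd <= test_usd and t.ts < start for t in txs)
        young = start - first_seen[recipient] <= max_age
        vaults = {t.vault for t in burst}
        total = sum(t.usd for t in burst)
        if young and had_test and len(vaults) >= min_vaults and total >= min_usd:
            alerts.append((recipient, len(vaults), total))
    return alerts

# Constructed sample data: wallet names, amounts and timestamps are invented.
T0 = datetime(2026, 4, 1, 12, 0)
FIRST_SEEN = {"wallet_new": T0 - timedelta(days=8), "wallet_old": T0 - timedelta(days=400)}
SAMPLE = [
    Transfer(T0 - timedelta(days=7), "JLP Delta Neutral", "wallet_new", 5.0),
    Transfer(T0 - timedelta(hours=3), "SOL Super Staking", "wallet_old", 2_000_000.0),
    Transfer(T0, "JLP Delta Neutral", "wallet_new", 155_000_000.0),
    Transfer(T0 + timedelta(minutes=6), "SOL Super Staking", "wallet_new", 50_000_000.0),
    Transfer(T0 + timedelta(minutes=14), "BTC Super Staking", "wallet_new", 40_000_000.0),
]

if __name__ == "__main__":
    for recipient, n_vaults, total in staged_drain_alerts(SAMPLE, FIRST_SEEN):
        print(f"ALERT {recipient}: {n_vaults} vaults, ${total:,.0f} in one burst")
```

A rule like this is most useful when it fires on the test transfer plus the first large outflow, so that withdrawals can be paused before the burst completes.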

After the exploit was completed, the attacker used Jupiter, a Solana DEX aggregator, to swap the stolen tokens into USDC, bridged funds to Ethereum, and then rotated into ETH and other assets across multiple wallets.

Such cross-chain laundering patterns, obfuscation techniques, and network-level indicators match methods seen in prior DPRK-attributed attacks, Elliptic claims. If formally confirmed, this would be the 18th such operation, with over $300 million stolen already.

Confirmed or not, there is no denying that state-linked actors are systematically targeting liquidity-rich crypto protocols to fund North Korea’s weapons programs. Let’s not forget that the North Korea-affiliated Lazarus Group has funneled billions of dollars in stolen money through cryptocurrency networks.

Elliptic has already clustered all attacker-linked token accounts on Solana and Ethereum so exchanges and protocols can screen against tainted funds in near real time.

The hack will likely harden scrutiny of Solana DeFi governance, admin key design, and multisig security, even as the ecosystem continues to chase institutional-grade perps liquidity.

Cover image from Perplexity. SOLUSD chart from TradingView.
