Blockchain analytics firm Elliptic says the $286 million exploit of Solana-based Drift Protocol is more than likely linked to the Democratic People’s Republic of Korea (DPRK).
Solana Suffered One Of The Largest Crypto Exploits In History
On April 1st, the DEX Drift Protocol suffered a major exploit that drained nearly $300 million in crypto assets from its core vaults. The exchange reported on it on its official X account while it was still ongoing:
Drift Protocol is experiencing an active attack. Deposits and withdrawals have been suspended. We’re coordinating with multiple security firms, bridges, and exchanges to contain the incident. This isn’t an April Fools joke. We’ll provide additional updates from this account as… https://t.co/03SRPq4fHj
— Drift (@DriftProtocol) April 1, 2026
The raid unfolded in under 20 minutes, with roughly $286 million siphoned off across a basket of assets from close to twenty vaults. Drift is the largest decentralized perpetual futures exchange on Solana. This is the biggest crypto exploit seen so far in 2026 and ranks among the largest on record, edging out the $235 million WazirX breach.
Drift’s total value locked (TVL) collapsed from roughly $550 million to under $250 million after the attack. The team’s emergency response consisted of pausing deposits and withdrawals and coordinating with security firms and exchanges.
The protocol shared the details of the incident later, claiming it was “a highly sophisticated operation that appears to have involved multi-week preparation and staged execution”. Beyond that, the exchange’s official channels refrained from attributing responsibility.
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved…
— Drift (@DriftProtocol) April 2, 2026
Now, the analytics firm Elliptic has launched an investigation claiming the on-chain behavior, laundering methods, and network-level indicators match the techniques seen in prior DPRK-linked operations, making this not just another DeFi rug, but a suspected state-sponsored attack.
The North Korean Hackers Strike Again
Ledger CTO Charles Guillemet also linked Drift’s attack method to Bybit’s $1.4 billion hack, which was attributed to North Korean hacking groups. NewsBTC’s sister website Bitcoinist reported on this yesterday.
Drift Protocol, one of the main perpetual DEXs on Solana, has been hacked for roughly $213M. This makes it the biggest hack of 2026 so far, and one of the largest ever on the Solana blockchain, right behind the Wormhole Bridge exploit of 2022.
The full details of the…
— Charles Guillemet (@P3b7_) April 2, 2026
According to Elliptic, the attacker likely compromised Drift’s administrator private keys, gaining privileged control over withdrawals and key parameters. The attack systematically drained three main vaults: JLP Delta Neutral, SOL Super Staking and BTC Super Staking, including a single $41.7 million JLP transfer worth about $155 million.
Elliptic traced the stolen funds and concluded that the attacker created the wallet roughly eight days before the exploit and even received a small test transfer from a Drift vault. This suggests a pre-planned, staged operation rather than a smash-and-grab.

Elliptic Investigator’s graphic showing the flow of funds from the initial exploit on Solana through to the attacker’s current holdings on Ethereum. Source: Elliptic.
After the exploit was completed, the attacker used Jupiter, a Solana DEX aggregator, to swap the stolen tokens into USDC, bridged funds to Ethereum, and then rotated into ETH and other assets across multiple wallets.
Such cross-chain laundering patterns, obfuscation techniques, and network-level indicators match methods seen in prior DPRK-attributed attacks, Elliptic claims. If formally confirmed, this would be the 18th such operation with over $300 million stolen already.
Confirmed or not, there is no denying that state-linked actors are systematically targeting liquidity-rich crypto protocols to fund North Korea’s weapons programs. Let’s not forget that the North Korea-affiliated Lazarus Group has funneled billions of dollars in stolen money through cryptocurrency networks.
Elliptic has already clustered all attacker-linked token accounts on Solana and Ethereum so exchanges and protocols can screen against contaminated funds in near real time.
The hack will likely harden scrutiny of Solana DeFi governance, admin key design, and multisig security, even as the ecosystem continues to chase institutional-grade perps liquidity.

At the time of writing, SOL trades for $80 on the daily chart. Source: SOLUSD on Tradingview.
Cover image from Perplexity. SOLUSD chart from Tradingview.








