02.04.2026 20:58
According to published reports, the blockchain analytics firm Elliptic has attributed the major security breach at the Drift Protocol to state-sponsored hackers from North Korea. The assessment reframes the incident: rather than a large financial crime alone, it is now described as a sophisticated operation bearing the hallmarks of the Democratic People's Republic of Korea (DPRK) cyber-activity pattern.
The firm's detailed analysis points to a convergence of evidence: distinct on-chain transaction trails, a complex series of laundering steps, and network-level fingerprints that mirror previous attacks linked to the North Korean Lazarus Group. This multi-faceted fingerprint suggests a highly coordinated strike rather than a random opportunistic theft.
The crisis began to unfold publicly on April 1, when Drift, a leading Solana-based decentralized perpetuals exchange, first alerted its community to "unusual activity" and immediately advised users to halt fund deposits. This warning preceded a formal confirmation of an active, ongoing attack, prompting the platform to suspend all deposits and withdrawals as it mobilized a crisis response involving security contractors, cross-chain bridges, and centralized exchanges to trace and freeze assets.
Preliminary forensic work, cited by Elliptic and including insights from PeckShield, indicates the attacker most likely compromised the protocol's administrator private keys. With privileged signing keys in hand, the attacker needed no smart-contract bug: the protocol's own administrative instructions, executed under a legitimate signer, let them systematically drain vaults and reconfigure settings, which in turn enabled the rapid exfiltration of assets.
Within a mere hour, the exploiter siphoned off the vast majority of Drift's liquidity. The most substantial single transfer moved approximately 41.7 million JLP tokens, valued at around $155 million at the time. The stolen portfolio was diverse, encompassing not only JLP but also major assets like USDC, SOL, cbBTC, wBTC, and various liquid staking tokens. Subsequent tracking, reported by other analysts, revealed the attacker converted a significant portion of the haul, purchasing roughly $264 million worth of ETH with the stolen funds. Elliptic placed the total value of the stolen assets at $286 million at the time of its report.
The attack's scale is staggering. Drift's total value locked (TVL) plummeted from approximately $550 million to under $250 million in the immediate aftermath. This single event now stands as the largest decentralized finance (DeFi) hack recorded in 2026 and represents the second-most damaging exploit within the Solana ecosystem, surpassed only by the 2022 Wormhole bridge compromise.
Elliptic also noted that the attacker's primary wallet was created only about eight days before the exploit. A freshly funded wallet is routine operational hygiene for any attacker and proves little on its own, but Elliptic reads the timing as consistent with the deliberate staging often seen in advanced persistent threat campaigns. Taken together, the scale of the loss, the specific technical modus operandi, and the attribution to a state actor mark this as a watershed incident in the ongoing cyber conflict targeting the cryptocurrency sector.
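The three observations the attribution rests on (vaults drained into a single wallet within an hour, a primary wallet only days old, and a chain of onward transfers toward bridges and exchanges) are the kind of checks an analyst runs over a transfer ledger. The following is an added example, not Elliptic's, PeckShield's or Drift's code; it runs over a constructed ledger with placeholder addresses and a hypothetical exploit timestamp, and the dollar figures only loosely echo the article. It shows the general pattern of the analysis: measure inflow from vault addresses within a time window, compute wallet age at exploit time, and walk outgoing transfers forward from the exploiter without pulling unrelated inbound counterparties into the cluster.

```python
"""Fund-flow tracing over a constructed transfer ledger.

Added example (not Elliptic's, PeckShield's or Drift's code). It models three
checks behind an attribution like the one described above: how fast vaults
were drained into one wallet, how old that wallet was when the exploit
started, and which downstream addresses the proceeds hop through afterwards.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    asset: str
    amount: float
    usd: float          # USD value at transfer time


# Hypothetical exploit start; the real timestamp is not given on the page.
EXPLOIT_T0 = datetime(2026, 4, 1, 12, 0)

# Constructed sample ledger. Addresses are placeholders, not real accounts,
# and the figures only loosely echo the article.
LEDGER = [
    Transfer(EXPLOIT_T0 - timedelta(days=8), "cex_hot_A", "attacker_1", "SOL", 2.0, 300.0),
    Transfer(EXPLOIT_T0, "drift_vault_jlp", "attacker_1", "JLP", 41_700_000, 155_000_000.0),
    Transfer(EXPLOIT_T0 + timedelta(minutes=5), "drift_vault_usdc", "attacker_1", "USDC", 30_000_000, 30_000_000.0),
    Transfer(EXPLOIT_T0 + timedelta(minutes=40), "attacker_1", "attacker_2", "USDC", 30_000_000, 30_000_000.0),
    Transfer(EXPLOIT_T0 + timedelta(hours=2), "attacker_2", "bridge_X", "USDC", 30_000_000, 30_000_000.0),
    Transfer(EXPLOIT_T0 - timedelta(days=400), "cex_hot_B", "old_user", "SOL", 50.0, 7_500.0),
    Transfer(EXPLOIT_T0 + timedelta(hours=1), "old_user", "attacker_1", "SOL", 1.0, 150.0),
]

# Labelled counterparties (exchange hot wallets, bridges) are services, not
# attacker-controlled wallets, so they are excluded from the wallet-age check.
KNOWN_ENTITIES = {"cex_hot_A", "cex_hot_B", "bridge_X"}


def first_seen(ledger, addr):
    """Earliest timestamp at which addr appears on either side of a transfer."""
    times = [t.ts for t in ledger if addr in (t.src, t.dst)]
    return min(times) if times else None


def drained_value(ledger, vaults, sink, t0, window):
    """USD moved from any vault address into sink within [t0, t0 + window)."""
    return sum(t.usd for t in ledger
               if t.src in vaults and t.dst == sink and t0 <= t.ts < t0 + window)


def trace_outflows(ledger, origin, t0, max_hops=5):
    """Breadth-first walk of outgoing transfers from origin at or after t0.

    Returns {address: hop_count}. Only src -> dst edges are followed, so an
    unrelated inflow into the attacker (old_user above) does not pull that
    bystander into the cluster.
    """
    by_src = {}
    for t in ledger:
        if t.ts >= t0:
            by_src.setdefault(t.src, []).append(t)
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for t in by_src.get(cur, []):
            if t.dst not in hops:
                hops[t.dst] = hops[cur] + 1
                queue.append(t.dst)
    return hops


def fresh_wallets(ledger, addrs, at, max_age=timedelta(days=30)):
    """Unlabelled addresses first seen within max_age before `at`, or later."""
    out = []
    for a in sorted(addrs):
        if a in KNOWN_ENTITIES:
            continue
        fs = first_seen(ledger, a)
        if fs is not None and fs >= at - max_age:
            out.append(a)
    return out


def summarize(ledger=LEDGER, attacker="attacker_1", t0=EXPLOIT_T0):
    """Bundle the three checks for one exploiter address."""
    vaults = {"drift_vault_jlp", "drift_vault_usdc"}
    cluster = trace_outflows(ledger, attacker, t0)
    return {
        "drained_usd_1h": drained_value(ledger, vaults, attacker, t0, timedelta(hours=1)),
        "attacker_age_days": (t0 - first_seen(ledger, attacker)).days,
        "cluster": cluster,
        "fresh": fresh_wallets(ledger, cluster, t0),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On real chain data the ledger would come from an indexer and the labels from an entity database; the forward-only walk is the important design choice, because following inbound edges as well would cluster every user who ever sent dust to the attacker.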
