- Elliptic attributes the $286 million exploit of Drift Protocol to actors linked to North Korea (DPRK), marking the 18th such incident in 2026.
- The attack, the largest DeFi hack of the year, drained three core vaults after the protocol’s administrator keys were compromised.
- Stolen funds were rapidly swapped to USDC on Solana, then bridged to Ethereum, with techniques consistent with previous DPRK operations.
Elliptic has identified multiple indicators linking the April 1, 2026, exploit of Drift Protocol – the largest perpetual futures exchange on Solana – to the Democratic People’s Republic of Korea (DPRK). The security firm calculated the theft at $286 million, based on the assets drained from multiple protocol vaults.
By Elliptic's count, this would be the eighteenth DPRK-attributed crypto theft this year, bringing the total stolen to over $300 million. The U.S. government has linked these sustained campaigns to the funding of North Korea's weapons programs.
Blockchain security firm PeckShield reported that the preliminary cause was a compromise of the protocol's administrator private keys. The attacker targeted the JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults, with the largest single transfer involving 41.7 million JLP tokens.
According to DefiLlama, the exploit caused Drift Protocol's total value locked to collapse from $550 million to under $250 million. This makes it the second-largest security incident in Solana's history, following the 2022 Wormhole bridge exploit.
The Drift team confirmed the attack on X, stating deposits and withdrawals were suspended. They are coordinating with security firms, bridges, and exchanges to contain the incident.
On-chain behavior shows the attacker’s wallet was created eight days prior and received a small test transfer, indicating a premeditated operation. After the theft, most stolen assets were swapped to USDC using a Solana DEX aggregator before being bridged to Ethereum.
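The staging pattern described above (a freshly created wallet, a small test transfer, then large inbound transfers from protocol vaults within days) is something a monitoring team can screen for. The following is an added illustration, not code from Elliptic, PeckShield, or Drift: it runs a simple heuristic over a constructed list of transfers. Addresses, timestamps, and amounts are placeholders chosen to mirror the shape of the incident, not the real on-chain values, and the USD-equivalent amounts are assumed to have been normalized by an upstream price feed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    """One token movement; amount_usd is assumed pre-normalized (hypothetical)."""
    ts: datetime
    src: str
    dst: str
    token: str
    amount_usd: float


def flag_fresh_wallet_drains(
    transfers,
    max_age=timedelta(days=14),
    test_max_usd=100.0,
    large_min_usd=1_000_000.0,
):
    """Return {address: [reasons]} for addresses that match the staging pattern:
    the address was first seen less than `max_age` before a large inbound
    transfer, and it had already received a small (test-sized) inbound
    transfer before that large one."""
    ordered = sorted(transfers, key=lambda t: t.ts)
    first_seen = {}      # address -> first timestamp it appeared on either side
    small_inbound = {}   # address -> timestamp of first test-sized inbound transfer
    flagged = {}
    for t in ordered:
        for addr in (t.src, t.dst):
            first_seen.setdefault(addr, t.ts)
        if t.amount_usd <= test_max_usd:
            small_inbound.setdefault(t.dst, t.ts)
        elif t.amount_usd >= large_min_usd:
            age = t.ts - first_seen[t.dst]
            primed = t.dst in small_inbound and small_inbound[t.dst] < t.ts
            if age <= max_age and primed:
                flagged.setdefault(t.dst, []).append(
                    f"{t.ts.isoformat()}: {t.amount_usd:,.0f} USD of {t.token} "
                    f"from {t.src}; wallet age {age.days}d, test transfer seen earlier"
                )
    return flagged


# Constructed sample data (placeholder addresses and amounts, not real values).
T0 = datetime(2026, 3, 24, 12, 0)
SAMPLE = [
    Transfer(T0, "funder_wallet", "fresh_wallet_X", "SOL", 40.0),                       # test transfer
    Transfer(T0 + timedelta(days=1), "treasury", "market_maker_A", "USDC", 5_000_000.0), # benign large flow
    Transfer(T0 + timedelta(days=8), "vault_jlp_dn", "fresh_wallet_X", "JLP", 150_000_000.0),
    Transfer(T0 + timedelta(days=8, hours=1), "vault_sol_ss", "fresh_wallet_X", "SOL", 90_000_000.0),
    Transfer(T0 + timedelta(days=8, hours=2), "fresh_wallet_X", "dex_aggregator", "JLP", 150_000_000.0),
]

if __name__ == "__main__":
    for addr, reasons in flag_fresh_wallet_drains(SAMPLE).items():
        print(addr)
        for r in reasons:
            print("  ", r)
```

The market-maker address is not flagged even though it receives a large amount: it has no preceding test-sized deposit, and the point of the heuristic is the combination of signals rather than transfer size alone. Thresholds are deliberately parameters, because a useful cutoff for "test transfer" and "large" depends on the protocol's normal flow.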
This incident occurs amid broader DPRK-linked activity, including a recent supply chain compromise of the Axios npm package attributed by Google to threat actor UNC1069.