Is Your Crypto Funding Pyonyang? Inside Solana-Based Drift Protocol $286 Million Exploit

Blockchain analytics firm Elliptic says the $286 million exploit of Solana-based Drift Protocol is most likely linked to the Democratic People’s Republic of Korea (DPRK).

Solana Suffered One Of The Largest Crypto Exploits In History

On April 1st, the DEX Drift Protocol suffered a major exploit that drained almost $300 million dollars in crypto assets from its core vaults. The exchange reported on it on its official X account as it was still undergoing:

The raid unfolded in under 20 minutes, with roughly $286 million siphoned off across a basket of assets from close to 20 vaults. Drift is the largest decentralized perpetual futures exchange on Solana. This is the biggest crypto exploit seen so far in 2026 and ranks among the largest on record, edging out the $235 million WazirX breach.

Drift’s total value lock (TVL) collapsed from roughly $550 million to under $250 million after the attack. The team’s emergency response consisted of pausing deposits and withdrawals and coordinating with security firms and exchanges.

The protocol shared the details of the incident later on, claiming it was a “a highly sophisticated operation that appears to have involved multi-week preparation and staged execution”. Beyond that, the exchange’s official channels refrained from attributing responsibilities.

Now, the analytics firm Elliptic has released an investigation claiming the on‑chain behavior, laundering methods, and network‑level indicators match the techniques seen in prior DPRK‑linked operations, making this not just another DeFi rug, but a suspected state‑sponsored attack.

Ledger CTO Charles Guillement also linked Drift’s attack method to Bybit’s $1.4 billion hack, which was attributed to North Korean hacking groups. NewsBTC’s sister website Bitcoinist reported on this yesterday.

According to Elliptic, the attacker likely compromised Drift’s administrator private keys, gaining privileged control over withdrawals and key parameters. The attack systematically drained three main vaults: JLP Delta Neutral, SOL Super Staking and BTC Super Staking, including a single $41.7 million JLP transfer worth about $155 million.

Elliptic traced the stolen funds and concluded that the attacker created the wallet roughly eight days before the exploit and even received a small test transfer from a Drift vault. This suggests a pre‑planned, staged operation rather than a smash‑and‑grab.

After the exploit was completed, the attacker used Jupiter, a Solana DEX aggregator, to swap the stolen tokens into USDC, bridged funds to Ethereum, and then rotated into ETH and other assets across multiple wallets.

Such cross‑chain laundering patterns, obfuscation methods, and network‑level indicators match techniques seen in prior DPRK‑attributed attacks, Elliptic claims. If officially confirmed, this would be the 18th such operation with over $300 million stolen already.

Confirmed or not, there is no denying that state‑linked actors are systematically targeting liquidity‑rich crypto protocols to fund North Korea’s weapons programs. Let’s not forget that the North Korea‑affiliated Lazarus Group has funneled billions of dollars in stolen money through cryptocurrency networks.

Elliptic has already clustered all attacker‑linked token accounts on Solana and Ethereum so exchanges and protocols can screen against contaminated funds in near real time.

The hack will likely harden scrutiny of Solana DeFi governance, admin key design, and multisig security, even as the ecosystem continues to chase institutional‑grade perps liquidity.

Cover image from Perplexity. SOLUSD chart from Tradingview.