According to blockchain analysis company Elliptic, the recent $286 million hack of the Drift Protocol, which operates on the Solana blockchain, is probably connected to North Korea.
Solana Suffered One Of The Largest Crypto Exploits In History
As an analyst, I’ve been following the situation at Drift Protocol closely. On April 1st, they experienced a significant exploit that resulted in nearly $300 million in crypto assets being drained from their main vaults. The team immediately reported the ongoing incident on their official X account.
Drift Protocol is currently under attack, and we’ve temporarily paused all deposits and withdrawals to keep funds safe. We’re working with leading security experts, as well as bridges and exchanges, to resolve the situation. This is a real incident, not a prank. We’ll share more information here as it becomes available.
— Drift (@DriftProtocol) April 1, 2026
The attack lasted less than 20 minutes, and thieves stole around $286 million worth of cryptocurrency from nearly 20 different sources. Drift is a leading decentralized exchange built on Solana. This incident is the largest cryptocurrency theft of 2026, surpassing the $235 million stolen from WazirX and becoming one of the biggest crypto hacks ever.
After the attack, the value of assets held within Drift fell from around $550 million to less than $250 million. The team reacted by temporarily stopping all deposits and withdrawals and working with cybersecurity experts and cryptocurrency exchanges to address the situation.
After the incident, the team explained it was a complex operation that seemed to have been carefully planned and carried out over several weeks. However, they didn’t publicly blame anyone for what happened.
Earlier today, someone hacked Drift Protocol using a new type of attack that exploited how temporary security codes were handled. This allowed them to quickly gain control of the system’s administrative functions.
This was a highly sophisticated operation that appears to have involved…
— Drift (@DriftProtocol) April 2, 2026
Elliptic, a data analytics company, has published a report suggesting recent activity on the blockchain isn’t a typical DeFi scam. Their investigation shows the methods used to hide and move funds, as well as overall network patterns, are similar to those previously linked to North Korea, leading them to believe this could be a cyberattack carried out with state support.
The North Korean Hackers Strike Again
Ledger’s CTO, Charles Guillemet, suggests the way Drift was attacked is similar to the method used in the $1.4 billion Bybit hack, which authorities believe was carried out by hackers linked to North Korea. Bitcoinist, a related news site, covered this story yesterday.
As an analyst tracking the DeFi space, I’m reporting a significant security breach at Drift Protocol, a major perpetual DEX built on Solana. The hack resulted in a loss of around $213 million. This is currently the largest exploit of 2026, and ranks as one of the biggest ever to hit the Solana blockchain, trailing only the Wormhole Bridge hack from 2022 in terms of financial impact.
The full details of the…
— Charles Guillemet (@P3b7_) April 2, 2026
Elliptic reports that the attacker probably gained access to the private keys used by Drift’s administrators. This gave them powerful control over withdrawals and important settings. The attacker then methodically emptied three main accounts: JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. This included one large transfer of JLP worth approximately $155 million (originally $41.7 million).
Elliptic discovered the attacker didn’t act impulsively. They tracked the stolen funds and found the wallet used in the attack was created about eight days beforehand, and even received a small test payment from a Drift account. This indicates the attack was carefully planned and prepared, not a spontaneous act.
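The staging pattern described above (a destination wallet created days before the theft that first receives a small payment from a protocol account) can be turned into a withdrawal-monitoring check. The sketch below is an added example, not code from Elliptic or Drift; the thresholds, account names and sample transfers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    usd: float

# Assumed thresholds for illustration; not values published by Elliptic or Drift.
NEW_WALLET_WINDOW = timedelta(days=14)
TEST_PAYMENT_MAX_USD = 50.0
LARGE_OUTFLOW_USD = 1_000_000.0

def flag_staged_destinations(transfers, protocol_accounts):
    """Alert on large protocol outflows to wallets first seen recently,
    noting whether a protocol account sent them a small payment earlier."""
    first_seen, test_paid, alerts = {}, set(), []
    for t in sorted(transfers, key=lambda x: x.ts):
        first_seen.setdefault(t.src, t.ts)
        first_seen.setdefault(t.dst, t.ts)
        if t.src not in protocol_accounts:
            continue
        age = t.ts - first_seen[t.dst]
        if t.usd <= TEST_PAYMENT_MAX_USD:
            test_paid.add(t.dst)
        elif t.usd >= LARGE_OUTFLOW_USD and age <= NEW_WALLET_WINDOW:
            alerts.append({
                "dst": t.dst,
                "usd": t.usd,
                "wallet_age_days": age.days,
                "prior_test_payment": t.dst in test_paid,
            })
    return alerts

# Constructed sample data: account names, dates and small amounts are hypothetical.
PROTOCOL_ACCOUNTS = {"vault_a", "vault_b"}
SAMPLE = [
    Transfer(datetime(2025, 11, 2, 9, 0), "vault_a", "long_time_user", 40.0),
    Transfer(datetime(2026, 3, 24, 12, 0), "funder", "staged_wallet", 5.0),
    Transfer(datetime(2026, 3, 27, 12, 0), "vault_a", "staged_wallet", 1.0),
    Transfer(datetime(2026, 4, 1, 16, 0), "vault_a", "long_time_user", 2_000_000.0),
    Transfer(datetime(2026, 4, 1, 16, 5), "vault_b", "staged_wallet", 155_000_000.0),
]

if __name__ == "__main__":
    for alert in flag_staged_destinations(SAMPLE, PROTOCOL_ACCOUNTS):
        print(alert)
```

The established user's large withdrawal is not flagged because that wallet has a long history; only the eight-day-old destination with a prior small payment raises an alert.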

Once the attack was successful, the hacker used Jupiter, a platform that finds the best exchange rates on Solana, to convert the stolen tokens into USDC. They then moved these funds to Ethereum and spread them across several wallets, exchanging them for ETH and other cryptocurrencies.
According to Elliptic, the way money is being moved across different blockchains, along with the methods used to hide its origins, is similar to what was seen in past attacks linked to North Korea. If verified, this would be the 18th instance of such activity, with over $300 million already stolen.
Whether or not it’s officially confirmed, it’s clear that groups connected to North Korea are consistently targeting cryptocurrency platforms with large amounts of funds. These attacks are likely used to finance North Korea’s weapons development, and the Lazarus Group, linked to North Korea, has already moved billions of dollars in stolen funds through these networks.
Elliptic has identified and grouped together all known token accounts connected to attackers on both Solana and Ethereum. This allows exchanges and other platforms to quickly check for and block funds originating from these malicious sources.
As an analyst, I anticipate this hack will lead to much closer examination of how Solana-based DeFi projects handle governance, design their admin keys, and implement multisig security. This is happening at a time when the ecosystem is actively trying to attract more sophisticated, institutional-level trading of perpetual futures contracts, so the timing couldn’t be worse. We’ll likely see a push for more robust security measures before institutions feel comfortable entering the space.

Cover image from Perplexity. SOLUSD chart from Tradingview.
2026-04-03 15:42