Solana-based decentralized perpetual futures exchange Drift Protocol suffered a major exploit on April 1, 2026, with nearly $286 million drained from its liquidity vaults. The attack shows strong technical indicators matching previous North Korean state-sponsored operations. The sophisticated breach involved unauthorized access to administrative controls and rapid fund movement across chains, making it one of the largest DeFi incidents reported this year.
Strong North Korean Connection
Elliptic’s detailed analysis reveals that the on-chain behavior, laundering patterns, and network signatures in this exploit closely match those observed in previous DPRK-attributed operations. The firm has classified the incident as suspected to be linked to North Korean actors. If confirmed, this would represent the 18th DPRK-linked crypto theft tracked in 2026 so far. North Korean groups have already stolen over $300 million this year through similar attacks, forming part of a sustained campaign that has generated more than $6.5 billion in recent years to fund the regime’s weapons and nuclear programs while evading international sanctions.
How the Hack Was Executed
Attackers compromised Drift Protocol’s administrator private keys and drained liquidity from key vaults, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. The malicious wallet was created eight days before the attack and tested with a small transfer from a Drift vault. Within roughly one hour, the attackers extracted around 41.7 million JLP tokens worth $155 million along with large quantities of USDC, SOL, wrapped BTC variants, and liquid staking tokens. The stolen funds were swiftly swapped via a Solana DEX aggregator, bridged to Ethereum, and converted primarily into ETH. Drift immediately suspended deposits and withdrawals and is working with security partners to trace the assets.
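The sequence described above (a newly created wallet, a small test transfer from a vault, then a large burst of vault outflows within about an hour) can be expressed as a monitoring rule. The following is an added example, not code from Drift or Elliptic; the function name, record fields, thresholds, and all sample wallets, vaults, and amounts are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; the article gives no thresholds.
PROBE_MAX_USD = 100                  # ceiling for a "small" test transfer
NEW_WALLET_AGE = timedelta(days=14)  # wallet is "new" if created this recently
BURST_WINDOW = timedelta(hours=1)    # the drain reportedly took about one hour
BURST_MIN_USD = 1_000_000

def flag_probe_then_drain(transfers, vaults, wallet_created):
    """Return {wallet: peak_usd_in_window} for new wallets that received a small
    vault transfer and later a large burst of vault outflows."""
    by_dest = defaultdict(list)
    for t in transfers:
        if t["src"] in vaults and t["dst"] not in vaults:
            by_dest[t["dst"]].append(t)
    alerts = {}
    for dst, events in by_dest.items():
        events.sort(key=lambda e: e["ts"])
        probe = next((e for e in events if e["usd"] <= PROBE_MAX_USD), None)
        created = wallet_created.get(dst)
        if probe is None or created is None or probe["ts"] - created > NEW_WALLET_AGE:
            continue
        later = [e for e in events if e["ts"] > probe["ts"]]
        peak = running = start = 0
        for e in later:  # sliding window over outflows after the probe
            running += e["usd"]
            while e["ts"] - later[start]["ts"] > BURST_WINDOW:
                running -= later[start]["usd"]
                start += 1
            peak = max(peak, running)
        if peak >= BURST_MIN_USD:
            alerts[dst] = peak
    return alerts

# Constructed sample data: placeholder names and amounts, not real on-chain records.
D = datetime
VAULTS = {"VAULT_1", "VAULT_2", "VAULT_3"}
CREATED = {"WALLET_A": D(2026, 3, 24), "WALLET_B": D(2025, 1, 5), "WALLET_C": D(2026, 3, 20)}
TRANSFERS = [
    {"src": "VAULT_1", "dst": "WALLET_A", "usd": 5, "ts": D(2026, 3, 24, 12)},
    {"src": "VAULT_1", "dst": "WALLET_A", "usd": 2_000_000, "ts": D(2026, 4, 1, 10, 0)},
    {"src": "VAULT_2", "dst": "WALLET_A", "usd": 1_500_000, "ts": D(2026, 4, 1, 10, 20)},
    {"src": "VAULT_3", "dst": "WALLET_A", "usd": 1_000_000, "ts": D(2026, 4, 1, 10, 45)},
    {"src": "VAULT_1", "dst": "WALLET_B", "usd": 50, "ts": D(2026, 3, 1)},       # old wallet
    {"src": "VAULT_1", "dst": "WALLET_B", "usd": 3_000_000, "ts": D(2026, 3, 2)},
    {"src": "VAULT_2", "dst": "WALLET_C", "usd": 20, "ts": D(2026, 3, 21)},      # probe only
]

if __name__ == "__main__":
    print(flag_probe_then_drain(TRANSFERS, VAULTS, CREATED))
```

In practice the small transfer to a new wallet is the earlier signal, so a deployment would likely alert on it at lower severity and escalate when the burst condition is met.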








