GBHackers

Drift Protocol Hit in $286M Suspected North Korea-Linked Crypto Heist


Hackers have stolen approximately $286 million from Drift Protocol, a leading decentralized perpetual futures exchange on the Solana blockchain, in what security researchers believe may be a North Korea-linked cyberattack.

The incident occurred on April 1, 2026, and is already being described as the largest decentralized finance (DeFi) hack of the year.

Drift Protocol quickly confirmed it was under an “active attack” and suspended deposits and withdrawals to limit further damage. The exploit caused a sharp drop in the platform’s total value locked (TVL), which fell from around $550 million to below $250 million within hours.

Blockchain analytics firm Elliptic identified multiple indicators connecting the attack to actors associated with the Democratic People’s Republic of Korea (DPRK), citing similarities in on-chain behavior, fund laundering techniques, and operational patterns.

Admin Key Compromise Suspected

Early analysis from blockchain security firm PeckShield suggests the breach was likely caused by a compromise of Drift Protocol’s administrator private keys.

This would have given the attacker elevated privileges, allowing them to withdraw funds directly from protocol vaults and potentially alter key system controls.

The attacker targeted three major vaults:

  • JLP Delta Neutral vault
  • SOL Super Staking vault
  • BTC Super Staking vault

One of the largest transactions involved the theft of 41.7 million JLP tokens, valued at roughly $155 million. Additional stolen assets included USDC, SOL, wrapped Bitcoin (wBTC), cbBTC, and various liquid staking tokens.

The attacker executed the exploit with high efficiency, draining most of Drift’s liquidity within an hour. On-chain data indicates the attacker had prepared in advance, creating a wallet about eight days before the attack and conducting a small test transaction from a Drift vault.

Elliptic Investigator (Source: Elliptic).

After the theft, the attacker used a Solana-based decentralized exchange (DEX) aggregator to swap multiple stolen assets into USDC.

These funds were then bridged to the Ethereum blockchain, where they were converted into ETH, an approach commonly used to obscure transaction trails.

Elliptic noted that these laundering techniques closely resemble those used in previous DPRK-linked crypto heists.

Growing DPRK Crypto Theft

If confirmed, this would mark the eighteenth DPRK-linked crypto theft tracked in 2026 alone, with total losses exceeding $300 million this year.

North Korean threat actors are believed to have stolen more than $6.5 billion in cryptoassets over recent years, often using these funds to support state-sponsored programs.

This attack follows a broader surge in DPRK cyber activity targeting the crypto ecosystem, including supply chain compromises and attacks on open-source software projects.

Tracing the attack is further complicated by Solana’s account model, in which each asset is held in a separate token account.

This means stolen funds are distributed across multiple addresses, making detection and tracking more difficult without advanced analytics.

Elliptic stated that its clustering technology links related token accounts to provide a complete view of attacker activity across assets and blockchains.

The firm has flagged associated addresses to help exchanges and financial platforms block illicit transactions in real time.

Investigations are ongoing, with security teams continuing to monitor the movement of stolen funds across chains.
