Drift Protocol Exploit Linked to North Korean Hackers: Analyzing the Incident

By Patricia Miller

Apr 02, 2026

Drift Protocol's recent exploit, which resulted in a theft valued at $286 million, shows signs of possible North Korean involvement.

# How Did the Drift Protocol Exploit Unfold?

The recent incident involving Drift Protocol raises serious concerns about security in the crypto space. Elliptic reported that the exploit exhibits signs indicating a possible connection to North Korean hackers, adding a significant layer to what has become one of the year's most notable crypto thefts.

On April 1, Drift Protocol alerted its users regarding suspicious activities and advised against depositing funds. As investigations progressed, the Solana-based platform confirmed it was under active attack, leading to a temporary suspension of deposits and withdrawals. Meanwhile, reports surfaced indicating that the hacker exchanged the stolen assets for ETH valued at approximately $264 million.

Elliptic assessed the total losses from this exploit at around $286 million, highlighting that most of Drift's liquidity was drained within just one hour. Preliminary analyses suggest that the hacker gained access through compromised private keys belonging to administrators, enabling fund withdrawals and alterations to administrative controls.

# What Assets Were Taken in the Hack?

During the attack, specific vaults were targeted, including Drift's JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. The hacker notably transferred approximately 41.7 million JLP tokens, equating to around $155 million, alongside various other assets, which included USDC, SOL, cbBTC, wBTC, and liquid staking tokens. In the aftermath, Drift's total value locked plummeted from about $550 million to below $250 million, marking this incident as the largest DeFi hack of 2026 and the second largest exploit within the Solana ecosystem, right after the Wormhole incident in 2022.

Elliptic's investigation revealed that the attacker's wallet had been created just eight days prior to the incident, receiving a minor test transfer from a Drift vault, signaling a potentially premeditated operation. Following the theft, the hacker utilized Jupiter to convert assets into USDC and bridged the funds to Ethereum. By approximately 6 p.m. UTC, the attacker was reported to hold over 38,000 ETH, worth around $82 million, with portions of the haul funneled into both decentralized and centralized exchanges.

If further confirmed, experts believe this incident would mark the eighteenth hacking operation attributed to North Korean actors this year alone, collectively amounting to over $300 million in stolen crypto. Overall, DPRK-linked cybercriminals are estimated to have acquired more than $6.5 billion in cryptocurrencies in recent years, a troubling statistic that the U.S. government has directly associated with funding North Korea's weapons programs.
