April 03, 2026 ChainGPT

Elliptic Ties $286M Drift Protocol Solana Heist to North Korea

Headline: Elliptic points to North Korea after $286M Drain Hits Solana DEX Drift Protocol

On April 1, Drift Protocol — the largest decentralized perpetual futures exchange on Solana — was hit by a fast, highly destructive exploit that siphoned roughly $286 million in under 20 minutes from close to 20 vaults. The team immediately paused deposits and withdrawals and said it was coordinating with security firms, bridges and exchanges to contain the incident.

What happened

- The attack unfolded quickly on April 1; Drift announced the active attack on its official X account while the exploit was still in progress.
- Roughly $286 million was taken from multiple vaults, sending Drift’s total value locked (TVL) tumbling from about $550 million to under $250 million.
- Drift later described the breach as “a highly sophisticated operation that appears to have involved multi‑week preparation and staged execution,” and said the attacker gained rapid control of the protocol’s administrative powers.

Elliptic’s findings: suspected DPRK link

Blockchain analytics firm Elliptic has published an investigation concluding that the on‑chain behavior, laundering steps and network‑level signals resemble techniques used in prior DPRK‑linked operations. Key points from Elliptic’s analysis:

- The attacker appears to have compromised Drift’s administrator private keys — effectively seizing privileged controls and draining key vaults.
- Elliptic says three primary vaults were systematically emptied: JLP Delta Neutral, SOL Super Staking and BTC Super Staking. The firm highlights a single large JLP transfer (41.7 million JLP tokens) valued at about $155 million.
- The attacker created a wallet roughly eight days before the exploit and used it to receive a small test transfer from a Drift vault, suggesting the hack was staged and pre‑planned rather than opportunistic.
- After exiting the vaults, the thief used Jupiter (a Solana DEX aggregator) to swap tokens into USDC, bridged funds to Ethereum, and rotated assets across multiple wallets — a cross‑chain laundering pattern Elliptic says tracks with prior DPRK‑attributed thefts.

Broader context and reactions

- If confirmed, Elliptic’s attribution would add this event to a string of high‑profile, state‑linked crypto thefts attributed to North Korean actors, who have previously been tied to billions in stolen funds used to evade sanctions and finance prohibited programs.
- Ledger CTO Charles Guillemet also noted similarities between Drift’s attack method and the techniques used in the $1.4 billion Bybit exploit that was attributed to North Korean groups.
- Elliptic has already clustered attacker‑linked token accounts on Solana and Ethereum and is sharing these with exchanges and protocols to help screen and freeze contaminated funds in near real time.

Implications for Solana DeFi

This breach is the largest public exploit of 2026 so far and one of the biggest on record, edging past several major incidents in recent years. It is likely to intensify scrutiny on:

- Governance models and admin key security for DeFi protocols,
- The use and protection of multisigs and security councils,
- Cross‑chain bridge and aggregator risk management, and
- KYC/screening processes at centralized venues dealing with potentially tainted assets.

What to watch next

- Drift’s ongoing incident updates and forensic disclosures,
- Any exchange or bridge actions to freeze or block the clustered attacker wallets,
- Further attribution or confirmation from other analytics firms and law enforcement, and
- Whether additional funds linked to the exploit are moved or laundered across new paths.

Drift continues coordinating with partners and security teams as investigations proceed.
Elliptic’s clusters are available to exchanges and custodians to help mitigate the risk of contaminated funds spreading through the ecosystem.
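The screening workflow described above (an attacker cluster traced forward from the exploit wallet, across a Solana-to-Ethereum bridge hop, then checked against incoming exchange deposits) as an added example; this is illustrative code, not Elliptic's or Drift's tooling, and every address, bridge mapping and amount is a constructed placeholder.

```python
from collections import deque

# Constructed sample transfers (placeholders, not real on-chain data).
# Each record: (chain, sender, receiver, asset, amount)
TRANSFERS = [
    ("solana", "DRIFT_VAULT_JLP_PLACEHOLDER", "ATTACKER_SEED_PLACEHOLDER", "JLP", 41_700_000),
    ("solana", "ATTACKER_SEED_PLACEHOLDER", "SOL_HOP1", "USDC", 150_000_000),  # swap proceeds
    ("solana", "SOL_HOP1", "BRIDGE_ESCROW_SOL", "USDC", 150_000_000),          # lock on Solana
    ("ethereum", "BRIDGE_ESCROW_ETH", "ETH_HOP1", "USDC", 150_000_000),        # release on Ethereum
    ("ethereum", "ETH_HOP1", "ETH_HOP2", "USDC", 75_000_000),                  # wallet rotation
    ("ethereum", "ETH_HOP1", "ETH_HOP3", "USDC", 75_000_000),
    ("ethereum", "ETH_HOP2", "EXCHANGE_DEPOSIT_A", "USDC", 75_000_000),
    ("solana", "UNRELATED_USER", "EXCHANGE_DEPOSIT_B", "USDC", 1_000),
]
# Constructed bridge mapping: the Solana lock address corresponds to this Ethereum release address.
BRIDGE_LINKS = {("solana", "BRIDGE_ESCROW_SOL"): ("ethereum", "BRIDGE_ESCROW_ETH")}
SEEDS = [("solana", "ATTACKER_SEED_PLACEHOLDER")]


def build_cluster(transfers, bridge_links, seeds, max_hops=6):
    """Forward-trace funds from the seed wallets and return {(chain, address): hop_count}.

    Bridge escrow pairs are treated as an extra edge so the trace continues on the destination chain.
    """
    out_edges = {}
    for chain, src, dst, _asset, _amount in transfers:
        out_edges.setdefault((chain, src), []).append((chain, dst))
    cluster = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        hops = cluster[node]
        if hops >= max_hops:
            continue
        successors = list(out_edges.get(node, []))
        if node in bridge_links:  # cross-chain hop through the bridge
            successors.append(bridge_links[node])
        for nxt in successors:
            if nxt not in cluster:
                cluster[nxt] = hops + 1
                queue.append(nxt)
    return cluster


def screen_deposit(cluster, chain, sender):
    """Return (flagged, hops_from_seed) for a deposit arriving from `sender` on `chain`."""
    key = (chain, sender)
    return (key in cluster, cluster.get(key))
```

A real deployment would feed the cluster from the analytics provider's shared address list rather than a hand-built transfer log, and would hold flagged deposits for review rather than acting on hop count alone.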