North Korea-Linked Exploit Drains $28 Hackers Million

Drift Protocol, the largest decentralized perpetual futures exchange operating on the Solana blockchain, suffered a massive and well-orchestrated theft on April 1, 2026. This incident, suspected to be linked to North Korea, saw attackers drain $286 million from the platform, as detailed in a comprehensive analysis report [link to report].

Unknown attackers managed to drain $286 million in digital assets from the platform’s core liquidity vaults in less than an hour, causing widespread panic across the decentralized finance community.

The speed and scale of the incident strongly signaled that the operation had been planned and prepared well in advance.

The attack moved with striking speed and precision. Within the first hour, the attacker systematically emptied three of Drift’s primary vaults — the JLP Delta Neutral vault, the SOL Super Staking vault, and the BTC Super Staking vault.

The single largest transaction involved the transfer of approximately 41.7 million JLP tokens, valued at around $155 million at the time of the theft.

Additional assets taken included USDC, SOL, cbBTC, wBTC, and various liquid staking tokens. According to blockchain security firm PeckShield, the likely root cause was a compromise of the protocol’s administrator private keys, which gave the attacker privileged access to initiate withdrawals and alter administrative controls.

Elliptic analysts identified multiple on-chain indicators that strongly suggest the attack was carried out by actors linked to North Korea’s Democratic People’s Republic of Korea (DPRK).

The on-chain behavior, laundering methods, and network-level patterns seen during the Drift exploit closely match techniques used in prior DPRK-attributed operations.

If this connection is confirmed, it would mark the eighteenth DPRK-linked crypto theft that Elliptic has tracked in 2026 alone, with more than $300 million stolen in total so far this year.

DPRK-linked actors are believed to have taken over $6.5 billion in cryptoassets in recent years, with the United States government directly linking such theft to the funding of North Korea’s weapons programs.

Data from DefiLlama shows that Drift’s total value locked (TVL) fell sharply from around $550 million to below $250 million in the aftermath of the attack.

This makes it the largest DeFi hack of 2026 so far and the second-biggest security breach in the Solana ecosystem, exceeded only by the $326 million Wormhole bridge exploit in 2022.

The Drift team confirmed the incident publicly on X, describing it as an active attack, and immediately suspended all deposits and withdrawals while coordinating with multiple security firms, cross-chain bridge providers, and cryptocurrency exchanges to contain and address the damage.

The Drift exploit is not isolated. It is part of a broader and escalating campaign of DPRK-linked attacks targeting the cryptocurrency industry, which recently included a supply chain compromise of the Axios npm package — an incident that Google attributed to DPRK threat actor UNC1069.

Together, these incidents reflect a deliberate effort by North Korean operatives to target crypto infrastructure at scale.

How the Stolen Funds Were Moved

On-chain data reveals that the attacker’s wallet was set up approximately eight days before the exploit, and during that period it received a small test transfer originating from a Drift vault.

This detail strongly points to a premeditated and carefully staged operation, carried out with deliberate planning rather than an impulsive or opportunistic attack.

After emptying the vaults, the attacker used a Solana-based decentralized exchange aggregator to rapidly convert the stolen tokens into USDC.

From there, the funds were bridged over to the Ethereum blockchain, where they were swapped into ETH — a common laundering technique that complicates cross-chain tracing.

The attacker stole over 15 different token types spread across multiple vaults, meaning any incomplete on-chain analysis could easily miss large portions of the stolen funds.

Security researchers recommend that DeFi protocols protect administrator private keys using hardware security modules or multi-signature authorization schemes, conduct regular third-party security audits, deploy real-time on-chain anomaly detection systems, and maintain a fully tested incident response plan that enables fast coordination with exchanges, bridge operators, and security firms the moment a breach is detected.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.