Elliptic said the recent exploit of Drift Protocol bears multiple signs of a suspected North Korean operation, adding a new attribution angle to what had already emerged as one of the biggest crypto hacks of the year.
In a report published earlier today, the blockchain analytics firm said the onchain behavior, laundering methods, and network-level indicators tied to the attack are consistent with techniques seen in previous DPRK-linked operations.
Drift said around midday on April 1 that it was investigating unusual activity and urged users not to deposit funds. The Solana-based perpetuals platform later confirmed it was facing an active attack and had suspended deposits and withdrawals while working with security firms, bridges, and exchanges to contain the incident. Earlier today, Lookonchain reported that the exploiter had bought around $264 million worth of ETH using the stolen funds.
Elliptic put the value of the stolen assets at $286 million at the time of writing and said the attacker drained most of Drift’s liquidity within an hour. The firm cited preliminary analysis from PeckShield pointing to a compromise of administrator private keys, which appears to have given the attacker privileged access to withdraw funds and change administrative controls.
According to Elliptic, the attacker targeted Drift’s JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. The largest transfer involved about 41.7 million JLP tokens worth roughly $155 million at the time, while other stolen assets included USDC, SOL, cbBTC, wBTC, and liquid staking tokens. The firm also said Drift’s total value locked fell from about $550 million to below $250 million after the attack, making it the largest DeFi hack of 2026 to date and the second largest Solana ecosystem exploit after Wormhole in 2022.
Elliptic said the attacker’s wallet had been created about eight days before the exploit and had received a small test transfer from a Drift vault, suggesting a staged operation. After the theft, the attacker used Jupiter to swap assets into USDC, bridged funds to Ethereum, and by around 6 p.m. UTC held more than 38,000 ETH worth roughly $82 million, while other portions of the haul moved to decentralized and centralized exchanges.
Elliptic said that, if confirmed, the incident would be the eighteenth DPRK-linked act it has tracked this year, with more than $300 million stolen so far. The firm added that DPRK-linked actors are believed to have stolen more than $6.5 billion in crypto in recent years, part of a broader campaign the US government has tied to funding North Korea’s weapons programs.
Disclosure: This article was edited by Estefano Gomez. For more information on how we create and review content, see our Editorial Policy.
