Elliptic, a blockchain analytics firm, said the recent $286 million exploit of Drift Protocol shows signs of involvement by suspected North Korean hackers.

The attack occurred on April 1, when unusual activity was detected on the Solana-based trading platform. Drift temporarily suspended deposits and withdrawals and began working with security partners.

Elliptic’s report noted that the methods used, such as fund laundering and onchain behaviors, match past operations attributed to North Korean state-backed groups. Analysts believe compromised admin keys gave attackers access to key protocol vaults.

Stolen assets included JLP, SOL, USDC, cbBTC, and wBTC. The largest single transfer involved 41.7 million JLP tokens valued at approximately $155 million.

Post-exploit, the attacker swapped funds via Jupiter, bridged them to Ethereum, and accumulated over 38,000 ETH (~$82 million). Elliptic said this could be the 18th confirmed North Korean cyber operation in 2026, totaling over $300 million in stolen digital assets.

North Korea-linked hacking groups have reportedly stolen more than $6.5 billion in cryptocurrency since 2020 to fund weapons development.