Drift Protocol Shaken by Historic DeFi Attack
On Tuesday, April 1, 2026, the Solana-based Drift Protocol announced that its platform was under active attack. When the dust settled, three of the protocol's main vaults had been almost completely emptied. Blockchain analytics firm Elliptic, as cited by Bitcoinist, puts the stolen funds at $286 million, making the incident the largest decentralized finance (DeFi) attack recorded so far in 2026.
Drift openly confirmed the attack and immediately halted deposits and withdrawals. The protocol is now coordinating with a number of security firms, cross-chain bridges, and exchanges to limit the extent of the damage.

How the Vaults Were Emptied
The attack was anything but impulsive. According to Elliptic, the attacker's wallet was created a full eight days before the heist and received a small test transaction from a Drift vault in the interim, a classic hallmark of a carefully planned operation.
The three vaults hit hardest were JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. The single largest transfer, approximately 41.7 million JLP tokens, was worth about $155 million at the time of the transaction. USDC, SOL, cbBTC, wBTC, and various liquid staking tokens were stolen as well.
A central part of the attack was gaining control of the administrative rights held by Drift's security council. This reportedly occurred through advanced social engineering combined with pre-signed transactions. The attackers also fabricated a fictitious token called CarbonVote Token (CVT) and manipulated oracle data to artificially inflate CVT's collateral value, a technique that enabled further withdrawals.
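To make the collateral-inflation step concrete, the following toy margin engine is an added illustration written for this page; it is not Drift Protocol's code and does not claim to reproduce how Drift values collateral. It shows the generic mechanism: an engine that accepts whatever collateral an administrator lists and whatever price the oracle reports lets a worthless token back a loan of real assets, while a hardened engine with a listing timelock, a per-asset borrow cap, and staleness, confidence and price-jump checks on oracle updates refuses the same sequence. The token symbol CVT is the one named above; the weights, caps, prices, amounts and timestamps are made up.

```python
"""Toy margin engine showing how a trusted, admin-settable oracle price on a
freshly listed collateral token lets an attacker borrow real assets, beside
the sanity checks that stop it. Constructed example; not Drift Protocol's code."""
from dataclasses import dataclass


@dataclass
class PriceUpdate:
    price: float        # USD per token
    updated_at: float   # unix seconds when the feed published this value
    confidence: float   # +/- interval in USD reported by the feed (constructed field)


class NaiveMargin:
    """Accepts any collateral an admin lists and any price the oracle reports."""

    def __init__(self, now):
        self.now = now          # callable returning unix seconds
        self.weights = {}       # symbol -> collateral weight (0..1)
        self.prices = {}        # symbol -> PriceUpdate
        self.deposits = {}      # symbol -> amount deposited
        self.debt_usd = 0.0

    def list_collateral(self, symbol, weight, borrow_cap_usd=None):
        self.weights[symbol] = weight            # usable immediately, uncapped

    def push_price(self, symbol, update):
        self.prices[symbol] = update             # no sanity checks at all

    def deposit(self, symbol, amount):
        self.deposits[symbol] = self.deposits.get(symbol, 0.0) + amount

    def weighted_collateral_usd(self):
        return sum(amt * self.prices[s].price * self.weights[s]
                   for s, amt in self.deposits.items()
                   if s in self.weights and s in self.prices)

    def borrow_usd(self, amount):
        """Lend `amount` USD of vault assets if weighted collateral covers it."""
        if self.debt_usd + amount > self.weighted_collateral_usd():
            raise ValueError("insufficient collateral")
        self.debt_usd += amount
        return self.debt_usd


class HardenedMargin(NaiveMargin):
    """Same engine with the checks the naive version skips."""
    MAX_AGE_S = 60               # reject feeds older than this
    MAX_CONF_RATIO = 0.02        # reject if confidence interval exceeds 2% of price
    MAX_MOVE_RATIO = 0.20        # reject a >20% jump versus the last accepted price
    LISTING_DELAY_S = 7 * 86400  # timelock before newly listed collateral counts

    def __init__(self, now):
        super().__init__(now)
        self.pending = {}        # symbol -> (weight, activation time)
        self.caps = {}           # symbol -> max USD this collateral may back

    def list_collateral(self, symbol, weight, borrow_cap_usd):
        self.pending[symbol] = (weight, self.now() + self.LISTING_DELAY_S)
        self.caps[symbol] = borrow_cap_usd

    def push_price(self, symbol, update):
        if self.now() - update.updated_at > self.MAX_AGE_S:
            raise ValueError(f"{symbol}: stale price")
        if update.confidence > self.MAX_CONF_RATIO * update.price:
            raise ValueError(f"{symbol}: confidence interval too wide")
        prev = self.prices.get(symbol)
        if prev and abs(update.price - prev.price) / prev.price > self.MAX_MOVE_RATIO:
            raise ValueError(f"{symbol}: price moved too far in one update")
        self.prices[symbol] = update

    def weighted_collateral_usd(self):
        for s, (w, t_active) in list(self.pending.items()):
            if self.now() >= t_active:       # timelock elapsed: collateral becomes usable
                self.weights[s] = w
                del self.pending[s]
        total = 0.0
        for s, amt in self.deposits.items():
            if s in self.weights and s in self.prices:
                total += min(amt * self.prices[s].price * self.weights[s], self.caps[s])
        return total


def drain_attempt(engine_cls, days_after_listing=0):
    """Attacker lists a worthless token, feeds it a high price, deposits it and
    tries to borrow 5,000,000 USD. Returns the debt taken on, or the rejection."""
    clock = {"t": 1_800_000_000.0}                     # constructed timestamp
    eng = engine_cls(now=lambda: clock["t"])
    # CVT is the token named in the article; weight, cap, price and amounts are made up
    eng.list_collateral("CVT", weight=0.9, borrow_cap_usd=50_000.0)
    clock["t"] += days_after_listing * 86400
    try:
        eng.push_price("CVT", PriceUpdate(price=1000.0, updated_at=clock["t"], confidence=1.0))
        eng.deposit("CVT", 1_000_000.0)                # 1M tokens at $1000 => $900M weighted
        return eng.borrow_usd(5_000_000.0)
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print("naive:", drain_attempt(NaiveMargin))                  # 5000000.0
    print("hardened, day 0:", drain_attempt(HardenedMargin))     # insufficient collateral
    print("hardened, day 8:", drain_attempt(HardenedMargin, 8))  # insufficient collateral
```

The hardened engine does not need to know that CVT is worthless: the timelock gives the community a window to notice a suspicious listing made with hijacked admin rights, and the per-asset cap bounds how much real value any single new collateral can ever back, whatever price the oracle reports for it.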

Funds Quickly Laundered via Ethereum
After the vaults were emptied, the attacker swapped the stolen tokens for USDC via a Solana-based DEX aggregator. The funds were then bridged to Ethereum and exchanged for ETH, a pattern analysts recognize from previous state-sponsored operations.
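Two of the behavioural indicators mentioned in this article lend themselves to simple heuristics over a transfer log: the small test transaction from the victim into a fresh wallet days before the drain, and the swap-to-stablecoin, bridge, swap-to-native sequence used to launder the proceeds. The code below is an added example written for this page, not tooling from Elliptic, TRM Labs or Drift. The event log is constructed: the wallet labels, chain names and timestamps are made up, and only the JLP asset and the $155 million figure are taken from the reporting above.

```python
"""Heuristic flags over a constructed transfer log for two patterns described
above: a tiny probe transfer from the victim days before the drain, and the
swap-to-stablecoin -> bridge -> swap-to-native laundering chain.
Constructed example; wallet labels, timestamps and most amounts are made up."""
from dataclasses import dataclass

STABLES = {"USDC", "USDT"}
NATIVE = {"solana": "SOL", "ethereum": "ETH"}   # native asset per chain (constructed map)
DAY = 86400


@dataclass(frozen=True)
class Event:
    ts: int             # unix seconds
    kind: str           # "transfer" | "swap" | "bridge"
    chain: str          # chain where the event originates
    src: str            # sending account
    dst: str            # receiving account (same as src for swaps and bridges)
    asset_from: str     # asset given up (equals asset_to for transfers)
    asset_to: str       # asset received
    amount_usd: float
    to_chain: str = ""  # destination chain, bridges only


def probe_then_drain(log, victim, probe_max_usd=100.0, drain_min_usd=1_000_000.0, min_gap_days=1):
    """Recipients that received a transfer of at most `probe_max_usd` from `victim`
    and, at least `min_gap_days` later, a transfer of at least `drain_min_usd`.
    Returns [(recipient, gap_in_days), ...]."""
    flagged = []
    recipients = {e.dst for e in log if e.kind == "transfer" and e.src == victim}
    for dst in sorted(recipients):
        txs = sorted((e for e in log if e.kind == "transfer" and e.src == victim and e.dst == dst),
                     key=lambda e: e.ts)
        probes = [e for e in txs if e.amount_usd <= probe_max_usd]
        drains = [e for e in txs if e.amount_usd >= drain_min_usd]
        for p in probes:
            later = [d for d in drains if d.ts - p.ts >= min_gap_days * DAY]
            if later:
                flagged.append((dst, (later[0].ts - p.ts) // DAY))
                break
    return flagged


def swap_bridge_swap(log, actor, window_hours=48):
    """Return the hop path if `actor` swaps into a stablecoin, bridges that
    stablecoin to another chain and swaps it into that chain's native asset,
    all within `window_hours`; otherwise None."""
    events = sorted((e for e in log if e.src == actor), key=lambda e: e.ts)
    window = window_hours * 3600
    for i, s1 in enumerate(events):
        if s1.kind != "swap" or s1.asset_to not in STABLES:
            continue
        stable = s1.asset_to
        for b in events[i + 1:]:
            if b.ts - s1.ts > window:
                break
            if b.kind != "bridge" or b.asset_from != stable or b.chain != s1.chain:
                continue
            for s2 in events:
                if (s2.kind == "swap" and s2.chain == b.to_chain and b.ts <= s2.ts <= s1.ts + window
                        and s2.asset_from == stable and s2.asset_to == NATIVE.get(b.to_chain)):
                    return [f"{s1.asset_from}->{stable}@{s1.chain}",
                            f"{stable}:{b.chain}->{b.to_chain}",
                            f"{stable}->{s2.asset_to}@{s2.chain}"]
    return None


T0 = 1_775_000_000   # constructed base timestamp
LOG = [
    # day 0: a $5 probe from the vault into a fresh wallet (constructed)
    Event(T0, "transfer", "solana", "vault_A", "wallet_X", "USDC", "USDC", 5.0),
    # unrelated user who also swaps and bridges but never converts to native on arrival
    Event(T0 + 2 * DAY, "transfer", "solana", "vault_A", "user_B", "USDC", "USDC", 2_000.0),
    Event(T0 + 2 * DAY + 600, "swap", "solana", "user_B", "user_B", "SOL", "USDC", 2_000.0),
    Event(T0 + 2 * DAY + 900, "bridge", "solana", "user_B", "user_B", "USDC", "USDC", 2_000.0, "ethereum"),
    # day 8: the drain, then swap -> bridge -> swap within hours
    Event(T0 + 8 * DAY, "transfer", "solana", "vault_A", "wallet_X", "JLP", "JLP", 155_000_000.0),
    Event(T0 + 8 * DAY + 300, "swap", "solana", "wallet_X", "wallet_X", "JLP", "USDC", 155_000_000.0),
    Event(T0 + 8 * DAY + 900, "bridge", "solana", "wallet_X", "wallet_X", "USDC", "USDC", 155_000_000.0, "ethereum"),
    Event(T0 + 8 * DAY + 4 * 3600, "swap", "ethereum", "wallet_X", "wallet_X", "USDC", "ETH", 155_000_000.0),
]

if __name__ == "__main__":
    print(probe_then_drain(LOG, "vault_A"))       # [('wallet_X', 8)]
    print(swap_bridge_swap(LOG, "wallet_X"))      # JLP->USDC, bridge, USDC->ETH
    print(swap_bridge_swap(LOG, "user_B"))        # None
```

Neither heuristic is evidence of attribution on its own; the point of running them is that a protocol could alert on the probe pattern before the drain, and that an exchange or bridge could raise the laundering pattern for review while the funds are still reachable.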
Elliptic and TRM Labs Point to Pyongyang
Elliptic concludes that "the on-chain behavior, money laundering techniques, and network indicators associated with the attack are consistent with methods seen in previous DPRK-attributed operations," according to Bitcoinist. TRM Labs highlights specific similarities with the Bybit exploit in 2025: the use of Tornado Cash, precise timing coinciding with North Korean office hours, aggressive cross-chain bridging, and identical money laundering patterns.
Drift Protocol itself described the incident as "an attack six months in the planning" and attributes it with medium confidence to the North Korean hacking group UNC4736, also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces.
It is important to emphasize that attribution of state-sponsored cyberattacks is never fully certain, and no public indictment or official governmental confirmation is known at the time of publication. Nevertheless, the agreement between two independent analysts is striking.
A Pattern That Continues to Escalate
If the attribution holds, this would be the 18th DPRK-linked crypto attack Elliptic has tracked this year alone. The total North Korean actors are believed to have stolen in 2026 thus surpasses $300 million, on top of more than $6.5 billion over recent years. U.S. authorities have previously linked such heists directly to the financing of North Korea's weapons programs.
For DeFi users, the case underscores an uncomfortable reality: funds placed in decentralized vaults can, regardless of the user's intentions, end up financing intelligence and military development in one of the world's most closed regimes.