TL;DR
- Drift Protocol — the largest decentralized futures exchange on Solana — was drained of an estimated $285 million on April 1, 2026
- The attack took approximately 12 minutes and was made possible through compromised administrator keys and social engineering
- Blockchain analytics firms Elliptic and TRM Labs have both flagged the attack as bearing hallmarks of North Korean state-sponsored hackers
- Drift's total value locked (TVL) fell by nearly 50 percent, and the DRIFT token plummeted over 20 percent in the aftermath
Vaults Emptied in Record Time
On the night of April 1, 2026, Drift Protocol — the largest decentralized exchange for perpetual futures on the Solana network — was subjected to one of the most destructive DeFi attacks so far this year. According to Unchained, the funds, which included JLP tokens, USDC, WETH, and WBTC, were withdrawn in approximately twelve minutes. Elliptic estimated the total loss at $286 million.
Stolen funds were bridged from Solana to Ethereum within a few hours — a classic method to complicate tracing efforts.

Not a Flaw in the Code, but in the Keys
Affected parties and security researchers emphasize that the attack did not exploit a flaw in the smart contract itself. According to research notes from Elliptic and TRM Labs, this was a highly sophisticated operation where attackers gained control via a compromised administrator key, combined with social engineering and failures in operational security.
More specifically, the attackers are said to have exploited so-called "durable nonces" to achieve administrative control, listed a new market, and raised withdrawal limits — all while the protocol's own defense systems failed to raise an alert in time.
This is reminiscent of the methodology behind a number of other North Korea-linked attacks, where access via insiders or social engineering has been crucial — not classic code exploitation.
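A monitoring rule for the alerting gap described above, as an added example that is not code from Drift or the cited firms: it flags any transaction signed by a watched admin key whose first instruction is the System Program's AdvanceNonceAccount, the marker of a durable-nonce transaction. The input shape follows Solana's jsonParsed RPC encoding; all keys, signatures and helper names are constructed placeholders.

```python
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADMIN = "AdminKeyPlaceholder"  # constructed; stands in for a monitored admin key

def durable_nonce_info(tx):
    """Return the advanceNonce info if tx is a durable-nonce transaction, else None.

    Such a transaction must start with System Program AdvanceNonceAccount; the
    stored nonce replaces the recent blockhash, so a signed copy does not expire.
    """
    instructions = tx["transaction"]["message"]["instructions"]
    first = instructions[0] if instructions else {}
    parsed = first.get("parsed")
    if first.get("programId") != SYSTEM_PROGRAM or not isinstance(parsed, dict):
        return None
    return parsed.get("info", {}) if parsed.get("type") == "advanceNonce" else None

def admin_nonce_alerts(transactions, admin_keys):
    """One alert per transaction that a watched key signs over a durable nonce."""
    alerts = []
    for tx in transactions:
        info = durable_nonce_info(tx)
        if info is None:
            continue
        keys = tx["transaction"]["message"]["accountKeys"]
        hits = sorted({k["pubkey"] for k in keys if k.get("signer")} & set(admin_keys))
        if hits:
            alerts.append({"signature": tx["transaction"]["signatures"][0],
                           "admin_signers": hits,
                           "nonce_account": info.get("nonceAccount")})
    return alerts

def _tx(sig, signer, first_ix):
    """Constructed sample in the jsonParsed shape (not data from the incident)."""
    other = {"programId": "ProtocolProgramPlaceholder", "data": "placeholder"}
    return {"transaction": {"signatures": [sig], "message": {
        "accountKeys": [{"pubkey": signer, "signer": True}],
        "instructions": [first_ix, other]}}}

NONCE_IX = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce", "info": {
    "nonceAccount": "NoncePlaceholder", "nonceAuthority": "AuthPlaceholder"}}}
PLAIN_IX = {"programId": "ProtocolProgramPlaceholder", "data": "placeholder"}
SAMPLES = [
    _tx("sig-admin-nonce", ADMIN, NONCE_IX),            # admin key + durable nonce
    _tx("sig-admin-plain", ADMIN, PLAIN_IX),            # admin key, recent blockhash
    _tx("sig-user-nonce", "UserPlaceholder", NONCE_IX), # durable nonce, not an admin
]

if __name__ == "__main__":
    for alert in admin_nonce_alerts(SAMPLES, {ADMIN}):
        print(alert)
```

Because a durable-nonce transaction stays valid until its nonce is advanced, an alert of this kind is most useful when it fires on every admin-signed use, not only on ones that change limits or markets.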

Elliptic and TRM Labs Point to Pyongyang
Neither Elliptic nor TRM Labs has publicly released a full technical attribution report at this time, and it is important to emphasize that the suspicion is currently based on pattern matching — not legally proven identification. Nevertheless, both firms assess that the attack bears characteristics typical of North Korean state-sponsored actors.
This fits into a larger pattern. According to Chainalysis, North Korean hacker groups stole more than two billion dollars in cryptocurrency in 2025 alone — a new record that accounted for approximately 60 percent of all stolen funds in the sector. The February 2025 attack on Bybit, where $1.5 billion disappeared, is still considered the largest single heist in crypto history.
State-Sponsored Hackers with Industrialized Money Laundering
North Korean hacker groups — primarily the Lazarus Group, which operates under the country's intelligence agency, the Reconnaissance General Bureau — are, according to research material from Chainalysis and TRM Labs, specialists in rapid post-hack money laundering. After the Bybit attack, analysts observed that $160 million was channeled through illicit networks within two days.
Stolen funds are typically structured into smaller tranches under $500,000, sent through cross-chain bridges and mixing services, and finally either laundered through Chinese shadow brokers who convert crypto to yuan or transferred directly to North Korean front companies.
Andrew Fierman, Head of National Security Intelligence at Chainalysis, has previously stated that North Korean actors "will always seek new vectors to steal funds on behalf of the regime," and that the methods are "constantly evolving, highly sophisticated, and deeply entrenched across jurisdictions."
Solana DeFi Under Pressure
The attack is the most serious so far in a series of security incidents that have affected Solana-based protocols. According to research data, Solana projects have lost over $450 million to exploits between 2021 and 2025. The Wormhole bridge was drained of $325 million in 2022, and Mango Markets lost $115 million the same year.
Anton Kharitonov from Traders Union points out that the Drift exploit "has further weakened market confidence in Solana" — an observation that must be read in light of Solana's total TVL across DeFi approaching $8.6 billion by the end of 2024.
The Solana network itself has not been the primary target — it is the protocols and key management within the teams that have failed. But for users and investors, the distinction between network security and protocol security offers little comfort when funds are gone.
What Happens Next?
The Drift team has not released a full incident report as of April 4, 2026. Blockchain analytics firms are tracing the stolen funds, but the history of previous North Korea-linked heists — including Bybit and Ronin — shows that such funds are rarely recoverable. US authorities have previously sanctioned the Lazarus Group and associated wallet addresses, but the effect on actual fund recovery has been limited.
For the DeFi sector as a whole, the incident highlights the question of whether protocols with centralized administrator keys truly live up to the promise of decentralized security.



