Blockchain analytics firm Elliptic has identified multiple indicators connecting the Drift Protocol attack to North Korean state actors, marking the eighteenth DPRK-linked crypto theft tracked in 2026 alone. The April 1 incident saw approximately $286 million stolen from the leading Solana-based perpetual futures exchange.
The exploit caused Drift's total value locked to plummet from $550 million to below $250 million within hours. Early analysis suggests the breach resulted from a compromise of administrator private keys, giving attackers elevated privileges to withdraw funds directly from protocol vaults and alter system controls.
This attack follows a broader surge in North Korean cyber activity targeting the crypto ecosystem. North Korean threat actors are believed to have stolen over $6.5 billion in crypto assets in recent years, often using these funds to support state-sponsored programs. Solana's architecture, where assets are stored in separate token accounts across multiple addresses, makes stolen funds more complex to track and presents additional challenges for recovery efforts.
