Blockchain analytics firm Elliptic has identified multiple indicators suggesting that North Korean hackers were likely behind the $286 million exploit of Solana-based decentralized exchange Drift Protocol, which forced the platform to suspend deposits and withdrawals on April 1, 2026.
What happened in the $286 million Drift Protocol exploit
Drift Protocol first flagged unusual activity on April 1, 2026, warning users not to deposit funds while the team investigated. Hours later, the protocol confirmed it was experiencing an active attack and that all deposits and withdrawals had been suspended as it coordinated with security firms, bridges, and exchanges.
Elliptic’s analysis, published on April 2, valued the total theft at $286 million and identified the three vaults targeted: the JLP Delta Neutral vault, the SOL Super Staking vault, and the BTC Super Staking vault.
The largest single transfer involved approximately 41.7 million JLP tokens worth roughly $155 million. The speed and precision of the vault drains suggest the attacker had mapped the protocol’s architecture before executing.
The exploit recalls a pattern seen in prior Drift-related wallet movements, though the scale of this incident dwarfs previous activity linked to the protocol.
Why Elliptic suspects DPRK-linked hackers may be behind the attack
Elliptic said it found multiple indicators linking the Drift exploit to actors associated with the Democratic People’s Republic of Korea. The firm noted that the attacker used cross-chain laundering patterns consistent with prior DPRK-linked operations.
This attribution remains Elliptic’s assessment, not a confirmed government finding. No public law-enforcement statement specifically tying the Drift exploit to North Korean state hackers had been issued as of April 2, 2026.
Elliptic framed the suspected DPRK connection against a broader sanctions backdrop. The U.S. government has previously tied DPRK-linked crypto theft to weapons-program funding, and a CoinDesk report noted a March 13, 2026 Treasury action targeting individuals and companies that laundered cryptocurrency for North Korea.
The distinction matters. While Elliptic’s track record on attribution is strong, the gap between a private firm’s forensic assessment and official government confirmation is significant. Readers should treat the DPRK link as a leading hypothesis supported by on-chain evidence, not established fact.
How the exploit hit Drift’s TVL and DRIFT token
The exploit’s immediate impact is visible in Drift’s total value locked. DeFiLlama data showed Drift’s Solana TVL at approximately $550.1 million on April 1, 2026, at 00:00 UTC. By April 2 at 14:02 UTC, that figure had fallen to roughly $239.6 million, a drop of about 56%.
The DRIFT token traded at $0.052131 with a 24-hour decline of 26.36%. Market capitalization fell to approximately $25.98 million while 24-hour trading volume surged to about $67.71 million, reflecting heavy sell pressure.

Broader market sentiment sits at 12 on the Fear and Greed Index, firmly in “Extreme Fear” territory. The growing frequency of large-scale DeFi exploits has pushed protocols toward stronger security frameworks, a trend visible in initiatives like Safe Foundation’s Safenet and the expansion of on-chain trading infrastructure with built-in risk controls.
These figures represent the immediate fallout, not necessarily the final damage. With deposits and withdrawals still suspended, the full scope of losses to individual users and liquidity providers remains unclear.
Drift Protocol has not yet announced a recovery plan or timeline for resuming normal operations. The protocol’s coordination with bridges and exchanges suggests efforts to freeze or trace the stolen funds are underway.
