The Solana ecosystem is struggling with the largest DeFi hack of 2026: the $286 million Drift Protocol exploit, as reported by Elliptic, which security experts have now linked to suspected hackers from the Democratic People’s Republic of Korea (DPRK).
Suspected North Korea link
This suspicion is based on on-chain behavior, laundering patterns, and cross-chain movements consistent with previous DPRK-attributed operations.
This exploit stands as the second-largest in the history of the Solana network, coming in behind the 2022 Wormhole exploit.
On-chain investigators at Elliptic and TRM Labs noted that the methods used, including high-speed laundering, cross-chain bridging, and specific deployment timings, perfectly match the profile of a previous state-led exploit.
Part of a bigger cyber campaign
If these findings are confirmed, it would mark the 18th DPRK-led exploit this year, bringing the total to $6.5 billion in crypto assets stolen by North Korean hackers to fund weapons programs in recent years. This exploit is just one piece of a larger trend: North Korean cyber units are increasingly focusing on the cryptocurrency world.
The hack was executed with premeditated technical precision, and its main drainage phase lasted a mere ten seconds, taking over $286 million. Instead of exploiting a smart contract bug, the attackers used social engineering to gain administrative access.
How the attack was set up
A wallet was created eight days before the event, made a test transfer, and then remained dormant. The attackers eventually gained control of a critical 2/5 multisig admin key through a carryover signer.
Once administrative access was secured, the hackers weaponized the protocol from within. They created a fake collateral market for a worthless asset known as the CarbonVote Token (CVT), which had been minted twenty days prior.
By manipulating oracle pricing, they inflated the value of this junk token to hundreds of millions of dollars while simultaneously disabling the protocol’s circuit breakers by raising withdrawal limits to 500 trillion.
With security compromised, the attackers deposited 500 million of the worthless CVT tokens and used them as collateral to drain five major vaults, including SOL and BTC Super Staking pools. The single largest transfer in the attack was approximately 41.7 million JLP tokens valued at around $155 million, causing Drift’s Total Value Locked (TVL) to go from $550 million to $250 million in a matter of 10 seconds.
The impact of the exploit is not limited to the Drift protocol; it affected over twenty-five different protocols in the Solana ecosystem. These projects are interconnected with Drift and use its vaults as yield-generating layers for their own products.
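The setup described above combined three admin actions that each look like routine configuration on their own: listing a newly minted token as collateral, a sharp oracle price move, and a huge withdrawal-limit raise. The following Python sketch is an added example, not code from Drift or from the investigators; the event format, thresholds and sample values are assumptions. It shows how a pre-execution check could hold such a batch for review.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not Drift's real parameters.
MIN_TOKEN_AGE_DAYS = 90    # younger collateral tokens need manual review
MAX_LIMIT_RAISE = 10.0     # largest acceptable single raise of a withdrawal limit
MAX_ORACLE_JUMP = 5.0      # largest acceptable price ratio between oracle updates

@dataclass
class AdminEvent:
    kind: str                # add_collateral_market | set_withdraw_limit | oracle_update
    asset: str
    old: float = 0.0         # previous limit or price
    new: float = 0.0         # proposed limit or price
    token_age_days: int = 0  # days since the token was minted

def review(ev):
    """Return the reasons (possibly none) to hold one admin action."""
    reasons = []
    # No previous value means no baseline, so treat the change as unbounded.
    ratio = ev.new / ev.old if ev.old > 0 else float("inf")
    if ev.kind == "add_collateral_market" and ev.token_age_days < MIN_TOKEN_AGE_DAYS:
        reasons.append(f"{ev.asset}: collateral token is {ev.token_age_days} days old")
    elif ev.kind == "set_withdraw_limit" and ratio > MAX_LIMIT_RAISE:
        reasons.append(f"{ev.asset}: withdrawal limit raised {ratio:.3g}x")
    elif ev.kind == "oracle_update" and ratio > MAX_ORACLE_JUMP:
        reasons.append(f"{ev.asset}: oracle price moved {ratio:.3g}x")
    return reasons

def triage(batch):
    """Pause the whole batch when two or more independent signals coincide."""
    findings = [r for ev in batch for r in review(ev)]
    return {"pause": len(findings) >= 2, "findings": findings}

# Constructed events. Only the 20-day token age and the 500 trillion limit come
# from the article; every other value (assets, prices, old limits) is made up.
SUSPICIOUS = [
    AdminEvent("add_collateral_market", "CVT", token_age_days=20),
    AdminEvent("oracle_update", "CVT", old=0.001, new=0.5),
    AdminEvent("set_withdraw_limit", "JLP", old=1e6, new=500e12),
]
ROUTINE = [AdminEvent("set_withdraw_limit", "SOL", old=1e6, new=2e6)]

if __name__ == "__main__":
    for name, batch in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(name, triage(batch))
```

A check like this only helps if it runs outside the control of the admin keys it is guarding, for example behind a timelock or an independent monitoring service.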
Prime Numbers Fi suffered the most, losing more than $10 million. Gauntlet, Neutral Trade, and Elemental DeFi also took a substantial hit, with millions in user funds impacted across those projects too.
The ripple effect forced several platforms to pause deposits, withdrawals, and minting to limit further damage.
DRIFT token takes a hit
At the same time, the DRIFT token dropped over 40% after the incident. After tracing the lost funds, Drift Protocol found 4 wallet addresses on Ethereum. As a final attempt to recover the stolen assets, Drift Protocol has started sending a series of on-chain messages via Blockscan to the four Ethereum wallets holding the laundered funds.
Drift reaches out to the hacker
These messages were sent and shared through Drift’s official X handle, explicitly stating “We are ready to speak” and inviting the hackers to discuss a potential settlement. While this is a standard industry practice aimed at negotiating a partial return of funds in exchange for a white hat bounty, the suspected involvement of the DPRK makes a successful recovery significantly more difficult.
Drift continues to coordinate with global law enforcement and security firms to track the 57,331 addresses currently involved in the massive laundering operation, which saw funds scattered across multiple chains at a rate of roughly 590 transactions per minute.