North Korean Hackers Suspected in $285 Million Drift Protocol Heist

Blockchain intelligence firms TRM Labs and Elliptic say on-chain indicators tie the largest DeFi hack of 2026 to North Korea’s state-sponsored hacking groups.

Posted April 3, 2026 at 6:56 am EST.

Attackers drained approximately $285 million from Drift Protocol — the largest decentralized perpetual futures exchange on Solana — on April 1, emptying its vaults in roughly 12 minutes and bridging most stolen funds to Ethereum within hours. Blockchain analytics firms Elliptic and TRM Labs both flagged the attack as bearing “multiple indicators” of involvement by North Korea’s state-sponsored hacking apparatus.

The attack did not begin April 1. Between March 23 and 30, the attacker obtained 2/5 multisig approvals from Drift’s Security Council members, pre-signing malicious transactions that sat dormant until execution day. The attacker also manufactured a fictitious token called CarbonVote, seeded with minimal liquidity and fake trading volume, and manipulated Drift’s oracles into treating it as legitimate collateral — giving themselves hundreds of millions in phantom credit to drain the protocol’s real assets.


This story is an excerpt from the Unchained Daily newsletter.


Omer Goldberg, founder and CEO of risk infrastructure firm Chaos Labs, told Unchained the operation stood apart from most DeFi exploits. “This wasn’t like a random person who stumbled upon the keys,” he said. “They studied the program, they were methodical and strategic in how they planned everything and executed it.” Goldberg said the North Korea fingerprint was visible in the tradecraft: like Bybit, it relied on deceptive key signing — but went a step further. “They didn’t just sit on a transfer transaction. They literally controlled the protocol in that moment.”

The hack wiped out more than half of Drift’s total value locked, which collapsed from approximately $550 million to under $250 million, and sent the DRIFT token down from above 7 cents to roughly 4 cents before a partial recovery. It is the second-largest exploit in Solana’s history, behind only the $326 million Wormhole bridge hack in 2022. The attack also cascaded across more than 20 downstream protocols — including vaults, lending integrations, and yield products — that had built on Drift as a dependency.

If the DPRK attribution holds, this would be the eighteenth North Korea-linked crypto theft Elliptic has tracked in 2026, pushing the regime’s total haul for the year past $300 million. The U.S. government has previously linked stolen crypto proceeds to Pyongyang’s weapons programs.