DRIFT Token Suffers $285M Hack, Sparks North Korea Speculation and DeFi Trust Crisis
Drift Protocol, a Solana-based decentralized exchange, lost $285 million in a security breach exploiting vulnerabilities in admin keys and durable nonces.
Attackers drained liquidity pools and manipulated oracle values, moving stolen assets to USDC and bridging them to Ethereum within 12 minutes.
Blockchain analytics firms Elliptic and TRM Labs identified on-chain patterns consistent with North Korean threat actors, marking this as the 18th DPRK-linked incident in 2026.
Drift Protocol, a Solana-based decentralized exchange, suffered a $285 million exploit on April 1, 2026. Attackers exploited vulnerabilities in durable nonces and oracle manipulation to bypass administrative controls and drain assets from nearly 20 vaults.
The breach did not involve smart contract vulnerabilities but was executed through unauthorized transaction approvals and pre-signed transactions. Stolen assets included USDC, JLP, SOL, and wrapped bitcoin.
Following the incident, Drift suspended all deposits and withdrawals, leading to a 50% drop in Total Value Locked (TVL), from $550 million to under $250 million. The native DRIFT token fell by 26.8% to $0.05.

What Caused the Drift Protocol Hack?
The breach exploited durable nonces, a Solana feature that allows multisig signers to pre-sign transactions. Attackers induced signers to approve transactions without fully understanding the risks, effectively granting unauthorized access to admin keys.
Oracle manipulation was also a key factor in the attack, allowing the creation of a fictitious asset called CarbonVote Token to manipulate collateral values.
Stolen assets were rapidly drained in under 10 seconds, with attackers using cross-chain bridging and Tornado Cash to launder funds. This rapid execution highlights the speed and efficiency of modern DeFi hacks.
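A signer-side check for the durable-nonce pattern described above, as an added example that is not from the article or from Drift's code. It assumes the transaction has already been decoded into a list of instructions (program id, accounts, raw data); the field names, the placeholder addresses and the `expected_programs` allowlist are hypothetical.

```python
import struct

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction variant index, serialized as u32 little-endian


def durable_nonce_account(instructions):
    """Return the nonce account if this is a durable-nonce transaction, else None.

    Solana treats a transaction as durable-nonce when its FIRST instruction is
    the System Program's AdvanceNonceAccount; the blockhash field then carries
    the stored nonce, so the signatures stay valid until that nonce advances.
    """
    if not instructions:
        return None
    first = instructions[0]
    data = first["data"]
    if first["program_id"] != SYSTEM_PROGRAM_ID or len(data) < 4:
        return None
    if struct.unpack("<I", data[:4])[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    return first["accounts"][0] if first["accounts"] else None


def review_before_signing(instructions, expected_programs):
    """List reasons a multisig signer should stop and escalate before signing."""
    findings = []
    nonce = durable_nonce_account(instructions)
    if nonce is not None:
        findings.append(f"durable nonce {nonce}: signature stays usable after blockhash expiry")
    start = 1 if nonce is not None else 0  # the nonce advance itself is reported above
    for index in range(start, len(instructions)):
        program = instructions[index]["program_id"]
        if program not in expected_programs:
            findings.append(f"instruction {index}: unexpected program {program}")
    return findings


# Constructed samples: placeholder addresses, not real accounts or Drift programs.
SAMPLE_PRESIGNED = [
    {"program_id": SYSTEM_PROGRAM_ID,
     "accounts": ["NONCE_ACCOUNT_PLACEHOLDER", "RECENT_BLOCKHASHES_SYSVAR", "NONCE_AUTHORITY_PLACEHOLDER"],
     "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT)},
    {"program_id": "ADMIN_PROGRAM_PLACEHOLDER", "accounts": ["ADMIN_CONFIG_PLACEHOLDER"], "data": b"\x00"},
]
SAMPLE_ORDINARY = [  # plain System Program transfer (variant 2, u64 lamports)
    {"program_id": SYSTEM_PROGRAM_ID, "accounts": ["FROM", "TO"], "data": struct.pack("<IQ", 2, 1000)},
]

if __name__ == "__main__":
    for finding in review_before_signing(SAMPLE_PRESIGNED, {"EXPECTED_PROGRAM_PLACEHOLDER"}):
        print(finding)
```

A finding from this check is a prompt to confirm out of band who requested the transaction and why it needs to outlive a normal blockhash window, not proof of compromise.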
Why Is the Drift Hack Linked to North Korean Actors?
Elliptic and TRM Labs identified on-chain patterns consistent with North Korean hacking operations. Attackers focused on specific vaults, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking.
A minor test transaction from a Drift vault occurred eight days before the breach, suggesting premeditated planning. This aligns with past patterns of DPRK-linked operations.
DPRK-linked actors have stolen over $6.5 billion in crypto assets in recent years, with $2 billion attributed to 2025 alone, much of it from the Bybit breach.
The current breach would be the 18th DPRK-linked incident tracked by Elliptic in 2026, pushing losses beyond $300 million.
What Are the Implications for DeFi and Solana?
The Drift Protocol hack raises serious concerns about the security of DeFi platforms on Solana. The use of durable nonces and oracle manipulation demonstrates how infrastructure-level features can be exploited without smart contract vulnerabilities.
Experts warn that cross-chain infrastructure remains vulnerable to sophisticated attacks. Stolen assets were quickly moved to Ethereum, highlighting the ease of cross-chain asset movement.
The incident also deepens trust issues in Solana DeFi, with investors questioning the reliability of decentralized platforms. Drift proposed an IOU airdrop to rebuild the platform, but the plan faces criticism for lacking guarantees and trust.