North Korean Hackers Suspected in $286 Million Drift Protocol Exploit via Solana 'Durable Nonces'


Key takeaways:

  • The DPRK's continued targeting of DeFi protocols highlights systemic security risks beyond code vulnerabilities, potentially increasing regulatory scrutiny on cross-chain bridges.
  • Drift's 40% token plunge reflects market sensitivity to governance exploits, suggesting investors should prioritize protocol security audits over yield alone.
  • Circle's failure to freeze $230M in USDC within a six-hour window exposes critical gaps in stablecoin issuer response protocols during crises.

Blockchain analytics firm Elliptic reported on Thursday that the $285 million exploit of Drift Protocol, the largest crypto hack of 2026 so far, carries "multiple indicators" of involvement by North Korean (DPRK) state-sponsored hackers. The firm pointed to on-chain behavior, laundering methodology, and network-level signals that align with previous state-linked attacks.

Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, saw its native token plummet over 40% to roughly $0.06 following the breach. Elliptic's report stated, "If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far." It emphasized this is a continuation of North Korea's "sustained campaign of large-scale cryptoasset theft, which the U.S. government has linked to the funding of its weapons programs." DPRK-linked actors are believed responsible for billions in crypto theft in recent years.

The attack, which drained at least $270 million, did not exploit a code vulnerability. It abused a legitimate Solana feature called 'durable nonces.' An ordinary Solana transaction carries a recent blockhash and expires after roughly a minute; a durable-nonce transaction replaces that blockhash with a nonce value stored in a nonce account, and stays valid until that nonce is advanced, so a fully signed transaction can be held and submitted at any later time. The attackers used this to get signers on Drift's Security Council multisig to pre-approve transactions that were not executed until more than a week later.

The attack timeline began on March 23 with the creation of four durable nonce accounts, two tied to legitimate council members and two controlled by the attacker, which indicates the attacker had already secured two of the five required signatures. When the council membership was migrated on March 27, the attacker adapted and obtained approval under the new configuration by March 30. Execution on April 1 took under a minute: immediately after a legitimate test withdrawal, the attacker submitted the pre-signed transactions, took full control of the protocol, and drained the vaults.
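The two paragraphs above describe the mechanism (a durable-nonce transaction is one whose first instruction is the System Program's AdvanceNonceAccount, with the nonce value sitting in the "recent blockhash" field) and the consequence (a signature given on March 23 or March 30 was still spendable on April 1). The check a multisig signer's tooling should have made is mechanical: parse the message bytes before signing and refuse, or at least loudly flag, anything that starts with a nonce advance, especially one whose nonce authority is not a known key. The following is an added example written for this article, not Drift's or Solana Labs' code; it parses the legacy Solana message wire format with no dependencies, and every key and hash in it is a constructed placeholder.

```javascript
// Added example (not Drift's or Solana Labs' code): parse a legacy Solana
// transaction message and flag the durable-nonce pattern before signing.
// Layout follows the legacy message wire format; keys below are CONSTRUCTED.

const SYSTEM_PROGRAM = new Uint8Array(32);   // 32 zero bytes == "11111111111111111111111111111111"
const ADVANCE_NONCE_ACCOUNT = 4;              // SystemInstruction discriminant, serialized u32 LE
const TRANSFER = 2;                           // SystemInstruction discriminant, serialized u32 LE

const fakeKey = (seed) => new Uint8Array(32).fill(seed);       // constructed placeholder addresses
const PAYER = fakeKey(0x11), NONCE_ACCOUNT = fakeKey(0x22), RECIPIENT = fakeKey(0x33);
const SYSVAR_RECENT_BLOCKHASHES = fakeKey(0x44);               // stand-in for the real sysvar key
const toHex = (k) => Array.from(k, (b) => b.toString(16).padStart(2, "0")).join("");
const u32le = (n) => [n & 0xff, (n >>> 8) & 0xff, (n >>> 16) & 0xff, (n >>> 24) & 0xff];

// compact-u16: 7 bits per byte, low bits first, high bit set = more bytes follow
function encodeCompactU16(n) {
  const out = [];
  for (let rem = n; ; rem >>= 7) {
    if (rem < 0x80) { out.push(rem); return out; }
    out.push((rem & 0x7f) | 0x80);
  }
}
function decodeCompactU16(bytes, pos) {
  let value = 0;
  for (let shift = 0; shift < 21; shift += 7) {
    const b = bytes[pos++];
    value |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return [value, pos];
  }
  throw new Error("compact-u16 longer than 3 bytes");
}

// Legacy message: header(3) | account keys | recent_blockhash(32) | instructions
function buildMessage({ header, accountKeys, recentBlockhash, instructions }) {
  const out = [...header, ...encodeCompactU16(accountKeys.length)];
  accountKeys.forEach((k) => out.push(...k));
  out.push(...recentBlockhash, ...encodeCompactU16(instructions.length));
  for (const ix of instructions) {
    out.push(ix.programIdIndex, ...encodeCompactU16(ix.accountIndexes.length), ...ix.accountIndexes);
    out.push(...encodeCompactU16(ix.data.length), ...ix.data);
  }
  return Uint8Array.from(out);
}

function parseMessage(bytes) {
  if (bytes[0] & 0x80) throw new Error("versioned (v0) message: not handled by this parser");
  const header = { numRequiredSignatures: bytes[0], numReadonlySigned: bytes[1], numReadonlyUnsigned: bytes[2] };
  let pos = 3, n;
  [n, pos] = decodeCompactU16(bytes, pos);
  const accountKeys = [];
  for (let i = 0; i < n; i++, pos += 32) accountKeys.push(bytes.slice(pos, pos + 32));
  const recentBlockhash = bytes.slice(pos, pos + 32); pos += 32;
  [n, pos] = decodeCompactU16(bytes, pos);
  const instructions = [];
  for (let i = 0; i < n; i++) {
    const programIdIndex = bytes[pos++];
    let m;
    [m, pos] = decodeCompactU16(bytes, pos);
    const accountIndexes = Array.from(bytes.slice(pos, pos + m)); pos += m;
    [m, pos] = decodeCompactU16(bytes, pos);
    const data = bytes.slice(pos, pos + m); pos += m;
    instructions.push({ programIdIndex, accountIndexes, data });
  }
  if (pos !== bytes.length) throw new Error("trailing bytes after message");
  return { header, accountKeys, recentBlockhash, instructions };
}

// Durable-nonce transaction == FIRST instruction is SystemProgram::AdvanceNonceAccount
// (accounts: [nonce account, RecentBlockhashes sysvar, nonce authority]); the
// "recent blockhash" field then holds the nonce value and the tx never expires.
function durableNonceInfo(msg) {
  const ix = msg.instructions[0];
  if (!ix || ix.accountIndexes.length < 3 || ix.data.length !== 4) return null;
  const program = msg.accountKeys[ix.programIdIndex];
  if (!program || !program.every((b) => b === 0)) return null;       // not the System Program
  const disc = (ix.data[0] | (ix.data[1] << 8) | (ix.data[2] << 16) | (ix.data[3] << 24)) >>> 0;
  if (disc !== ADVANCE_NONCE_ACCOUNT) return null;
  const authorityIndex = ix.accountIndexes[2];
  return {
    nonceAccount: msg.accountKeys[ix.accountIndexes[0]],
    nonceAuthority: msg.accountKeys[authorityIndex],
    authoritySigns: authorityIndex < msg.header.numRequiredSignatures,
    nonceValue: msg.recentBlockhash,
  };
}

// Signing-policy gate a multisig member's tooling could run before approving.
function reviewBeforeSigning(bytes, policy = {}) {
  const { allowDurableNonce = false, knownNonceAuthorities = [] } = policy;
  const nonce = durableNonceInfo(parseMessage(bytes));
  const blockers = [];
  if (nonce) {
    const auth = toHex(nonce.nonceAuthority);
    if (!allowDurableNonce) blockers.push("durable-nonce transaction: approval would stay valid indefinitely");
    else if (!knownNonceAuthorities.some((k) => toHex(k) === auth)) blockers.push(`nonce authority ${auth} is not a known key`);
    if (!nonce.authoritySigns) blockers.push("nonce authority is not a required signer (malformed)");
  }
  return { durableNonce: nonce, blockers, signable: blockers.length === 0 };
}

// Constructed samples: an ordinary transfer, and the same transfer behind a nonce advance.
const transferIx = (from, to, sys) => ({ programIdIndex: sys, accountIndexes: [from, to],
  data: [...u32le(TRANSFER), 0x40, 0x42, 0x0f, 0, 0, 0, 0, 0] });  // 1_000_000 lamports, u64 LE
const PLAIN_MESSAGE = buildMessage({ header: [1, 0, 1], accountKeys: [PAYER, RECIPIENT, SYSTEM_PROGRAM],
  recentBlockhash: fakeKey(0xab), instructions: [transferIx(0, 1, 2)] });
const DURABLE_NONCE_MESSAGE = buildMessage({ header: [1, 0, 2],
  accountKeys: [PAYER, NONCE_ACCOUNT, RECIPIENT, SYSVAR_RECENT_BLOCKHASHES, SYSTEM_PROGRAM],
  recentBlockhash: fakeKey(0xcd),                                    // nonce value, not a blockhash
  instructions: [{ programIdIndex: 4, accountIndexes: [1, 3, 0], data: u32le(ADVANCE_NONCE_ACCOUNT) }, transferIx(0, 2, 4)] });
console.log(reviewBeforeSigning(PLAIN_MESSAGE).signable, reviewBeforeSigning(DURABLE_NONCE_MESSAGE).blockers);
```

The gate deliberately treats a nonce advance as a blocker by default: a council that needs durable nonces for operational reasons can allow-list its own nonce authorities, but a nonce account whose authority is an unknown key is exactly the shape of the two attacker-controlled accounts in the timeline above. Note the parser rejects versioned (v0) messages rather than guessing; production tooling would need the v0 layout (address lookup tables) as well.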

On-chain researchers tracked the stolen assets, which totaled roughly $270 million across dozens of tokens. The largest haul was $155.6 million in JPL tokens, followed by $60.4 million in USDC, $11.3 million in CBBTC (Coinbase wrapped bitcoin), $5.65 million in USDT, and significant amounts in wrapped ether, WBTC, DSOL, and others including JUP, JITOSOL, and FARTCOIN.

The laundering was rapid and cross-chain. Funds were moved from Solana to intermediary wallets and then to Ethereum via the Wormhole bridge. Investigator ZachXBT noted that more than $230 million in USDC was bridged to Ethereum through Circle's CCTP in over 100 transactions, and criticized Circle for not freezing the funds during the roughly six-hour window after the attack; CCTP burns USDC on the source chain and mints it on the destination, so the issuer is a party to every transfer. The receiving Ethereum addresses had been pre-funded through the sanctioned privacy mixer Tornado Cash.

Elliptic's analysis highlighted the difficulty of tracing on Solana because of its account model: each token a wallet holds lives in its own token account, so a single actor's activity appears fragmented across many accounts. The firm emphasized the need for "holistic cross-chain tracing capabilities" as laundering becomes inherently cross-chain.

This incident underscores a shift in DeFi exploits: it is the third major recent breach that involved no code bug, only social engineering and operational-security failures, in this case signers approving transactions they could not verify. Drift has frozen the protocol, removed the compromised wallet from the multisig, and is safeguarding insurance fund assets. A detailed postmortem is forthcoming to explain how two multisig members approved transactions they did not understand.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.