Solana-based DEX Drift Protocol lost approximately $285 million in a suspected North Korea-linked exploit that used durable nonces to bypass multisig security, making it the largest DeFi hack of 2026.
Drift Protocol, the largest decentralized perpetual futures exchange on Solana, suffered a $285 million exploit on April 1, with blockchain analytics firm Elliptic linking the attack to North Korean state-sponsored hackers.
On April 1, an attacker drained approximately $285 million from Drift Protocol by exploiting a Solana-specific feature called durable nonces. The attacker pre-signed administrative transfer transactions weeks before executing them, bypassing Drift's multisig security in minutes to seize control of the Security Council's administrative powers.
The Drift team confirmed the exploit on X, describing it as an "active attack" and immediately suspended all deposits and withdrawals. According to DeFiLlama, Drift's total value locked collapsed from roughly $550 million to under $300 million following the incident.
DRIFT, the protocol's governance token, dropped approximately 40% within 24 hours of the exploit as traders rushed to exit positions.
This is the largest DeFi hack of 2026 and the second-largest security incident in Solana's history, behind only the $326 million Wormhole bridge exploit of 2022. The attack method is concerning because it turned a legitimate Solana feature, designed for transaction convenience, into an attack vector.
Blockchain intelligence firm Elliptic reported that the on-chain behavior and laundering methodologies are consistent with DPRK-attributed operations. TRM Labs echoed this assessment. If confirmed, this would be the eighteenth DPRK-linked crypto theft Elliptic has tracked in 2026, with combined losses exceeding $300 million.
The incident raises fresh questions about the security assumptions of multisig wallets on Solana, particularly when admin keys can be exploited through pre-signed transactions.
The Drift team said it is coordinating with multiple security firms, cross-chain bridges, and exchanges to contain the stolen funds. Recovery efforts are ongoing, but history shows that DPRK-linked groups typically move stolen assets through mixers and chain-hopping techniques quickly.
Traders should monitor whether Solana ecosystem TVL faces broader contagion. SOL itself has dropped roughly 4-5% since the exploit was confirmed, with DeFi protocols on the network seeing increased withdrawal activity.
This is a developing story. The Drift team continues to investigate the exploit and coordinate with law enforcement and blockchain security firms. Users who had funds on the platform should monitor official Drift channels for recovery updates.
BTC stages dramatic 11% recovery after nearly breaching $60K, while market sentiment remains at extreme fear levels.
Senator Boozman postpones Digital Asset Market Clarity Act from January 15 to final week of January to secure bipartisan support.
North Korean hackers drained Solana's biggest perps DEX using social engineering and pre-signed transactions, sparking recovery controversy.
Disclaimer: News content is for informational purposes only and should not be considered financial advice. Market conditions can change rapidly. Always conduct your own research.
