Solana Exchange Drift Protocol Exploited for $286 Million in Second-Largest Ecosystem Hack on Record

Solana’s Drift Protocol loses $286 million in a major exploit linked to North Korean hackers. TVL dropped by $300M following a private key compromise.

By: AXL Media

Published: Apr 4, 2026, 6:19 AM EDT

Source: Information for this report was sourced from Elliptic


Private Key Compromise Triggers Liquidity Collapse

The decentralized finance (DeFi) sector faced its most severe challenge of 2026 as Drift Protocol's liquidity was systematically drained in a rapid, hour-long assault. Preliminary findings from security firm PeckShield suggest the breach originated from a compromise of the protocol’s administrator private keys, granting the attacker privileged access to internal vaults. This administrative override allowed for the unauthorized withdrawal of assets and the manipulation of protocol controls, leading to a near-instantaneous collapse of the platform's financial stability.

Systematic Draining of Core Delta Neutral and Staking Vaults

The attacker focused on three high-value targets within the Drift ecosystem: the JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. The most significant loss involved the removal of 41.7 million JLP tokens, valued at approximately $155 million. Beyond JLP, the exploiter seized a diverse array of assets, including USDC, SOL, and wrapped Bitcoin (wBTC), alongside various liquid staking tokens. According to data from DefiLlama, the exploit caused Drift’s Total Value Locked (TVL) to plummet from $550 million to less than $250 million, effectively erasing over half of the protocol's managed assets.

Indicators Point to Premeditated DPRK State-Sponsored Action

Elliptic’s intelligence team has identified multiple hallmarks of a DPRK-linked operation, noting that the attacker’s wallet was established eight days prior to the strike. On-chain evidence reveals a "test transfer" performed during this staging period, suggesting a highly disciplined and professional approach. If the attribution is confirmed, this would mark the eighteenth successful crypto-theft linked to the DPRK in 2026 alone. U.S. government officials have previously stated that such digital heists are a primary funding mechanism for the North Korean regime’s weapons programs, with total estimated thefts exceeding $6.5 billion in recent years.
