
Blockchain Analytics Firm Elliptic Attributes $286M Drift Hack to North Korean State-Sponsored Group
Key Takeaways
- Drift Protocol on Solana suffered a $285 million exploit, the largest DeFi hack of 2026.
- Elliptic attributes the attack to North Korea's state-sponsored hackers due to on-chain laundering patterns.
- The attack used Solana durable nonces to drain funds via transfers that had been pre-signed weeks earlier.
Drift Protocol Exploit
Elliptic attributed the $285 million Drift exploit to multiple hallmarks of North Korean state-sponsored hackers.
“North Korean hackers likely behind $286 million Drift Protocol exploit: Elliptic. The blockchain analytics firm pointed to cross-chain laundering patterns and Solana-specific tracing challenges that mirror prior North Korean state-linked operations”
The hack drained most of Drift's liquidity within an hour, reducing total value locked from about $550 million to below $250 million.

Drift confirmed a novel attack involving durable nonces, a legitimate Solana feature that allowed pre-signed transfers weeks before execution.
The exploit did not involve a code bug or stolen keys but hinged on social engineering.
Attack Vector and Technical Details
Durable nonces were exploited to pre-sign transactions that remained valid for more than a week.
The attacker introduced a fake digital asset, seeded it with $500, and wash-traded it to fool price oracles.

The attack executed 31 transactions over roughly 12 minutes, draining real assets.
Elliptic noted that the pre-positioned wallets and structured laundering flow mirrored previous Lazarus Group operations.
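A signer-side check for the durable-nonce pattern described above, as an added example that is not Drift's or Elliptic's code. An ordinary Solana transaction expires with its recent blockhash, while a durable-nonce transaction begins with the System Program's AdvanceNonceAccount instruction and stays signable until that nonce is advanced. The simplified message layout, the function names and the placeholder keys are assumptions of this example.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction enum index, encoded as u32 little-endian


def durable_nonce_use(message):
    """Return nonce details if the message is a durable-nonce transaction, else None.
    `message` is a simplified decoded message (an assumption of this example):
    {"account_keys": [base58 str, ...],
     "instructions": [{"program_id_index": int, "accounts": [int, ...], "data": bytes}]}
    """
    instructions = message.get("instructions") or []
    if not instructions:
        return None
    first = instructions[0]  # only instruction 0 marks a durable-nonce transaction
    keys = message["account_keys"]
    if keys[first["program_id_index"]] != SYSTEM_PROGRAM:
        return None
    data = first["data"]
    if len(data) < 4 or struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    accounts = first["accounts"]
    if len(accounts) < 3:
        return None
    # AdvanceNonceAccount accounts: [nonce account, RecentBlockhashes sysvar, nonce authority]
    return {"nonce_account": keys[accounts[0]], "nonce_authority": keys[accounts[2]]}


def signing_findings(message, approved_nonce_accounts=frozenset()):
    """Findings a signer should resolve before approving `message`."""
    use = durable_nonce_use(message)
    if use is None:
        return []
    findings = ["durable nonce: signature stays valid until the nonce is advanced"]
    if use["nonce_account"] not in approved_nonce_accounts:
        findings.append("nonce account %s is not on the approved list" % use["nonce_account"])
    return findings


# Constructed sample messages (placeholder keys, not real addresses).
KEYS = ["SIGNER_PLACEHOLDER", "NONCE_ACCT_PLACEHOLDER", "SYSVAR_PLACEHOLDER", SYSTEM_PROGRAM]
NONCED = {"account_keys": KEYS, "instructions": [
    {"program_id_index": 3, "accounts": [1, 2, 0], "data": struct.pack("<I", 4)}]}
PLAIN = {"account_keys": KEYS, "instructions": [
    {"program_id_index": 3, "accounts": [0, 1], "data": struct.pack("<IQ", 2, 1000)}]}

if __name__ == "__main__":
    print(signing_findings(NONCED), signing_findings(PLAIN))
```

An approvals workflow could refuse to present a transaction for signature until every finding returned here has been acknowledged by a second reviewer.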
State-Level Threat and Wider Implications
This would mark the eighteenth DPRK act Elliptic has tracked in 2026.
“Blockchain analytics firm Elliptic on Thursday flagged “multiple indicators” that North Korea’s state-sponsored hackers may be behind the $285 million exploit of Drift Protocol, the largest DeFi hack of 2026 so far that wiped out more than half of the Solana-based exchange’s total value locked”
North Korean hackers stole a record $2 billion in 2025, including the $1.4 billion Bybit breach.
The U.S. Treasury has linked stolen crypto assets to Pyongyang's weapons programs.
Drift's token dropped over 40% following the hack.
Drift's Response and Future Challenges
Drift said the incident was not a bug and no seed phrases were compromised.
The attack was enabled by pre-signed transactions and a compromise of the approvals process.

Drift is coordinating with security firms, bridges, exchanges, and law enforcement.
The exploit shows how social engineering is becoming a leading threat vector in DeFi.