Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, was exploited for about $286 million in a hack that blockchain analytics firm Elliptic said bore multiple indicators of a possible North Korean link. 

In analysis published Thursday, Elliptic said the April 1 attack drained most of Drift’s liquidity within an hour, with the attacker withdrawing assets from multiple protocol vaults in what appears to have been a compromise of administrator private keys. The firm cited preliminary findings from blockchain security company PeckShield saying the stolen assets included roughly 41.7 million JLP tokens, worth about $155 million at the time, along with USDC, SOL, cbBTC, wBTC, and liquid staking tokens.

If confirmed, the incident would be the 18th suspected North Korea-linked crypto-theft tracked by Elliptic this year, with more than $300 million stolen so far, the firm said. Elliptic added that DPRK-linked actors are believed to have stolen more than $6.5 billion in cryptoassets in recent years, thefts that U.S. authorities have linked to funding the country’s weapons programs.

Elliptic said the on-chain activity, laundering methods, and network-level indicators tied to the Drift exploit were consistent with techniques seen in previous DPRK-attributed operations. 

According to the firm, the attacker’s wallet had been created about eight days before the exploit and received a small test transfer from a Drift vault during that period, suggesting the operation had been carefully prepared in advance.

After draining the vaults, the attacker used a Solana-based decentralized exchange aggregator to swap most of the stolen tokens into USDC before bridging the funds to Ethereum and converting them into ETH, Elliptic said.

The attack is believed to be the largest decentralized finance hack of 2026 to date and the second-largest security incident in the Solana ecosystem after the $326 million Wormhole bridge exploit in 2022, according to Elliptic.

Read the Elliptic analysis here