
Elliptic Says Drift Attack May Be Tied to North Korean Hacker Group

2026/04/03 00:06

Blockchain analytics firm Elliptic has reportedly linked the April 1 exploit of Solana-based decentralized exchange Drift Protocol to a North Korean hacker group, though no directly published Elliptic statement confirming the attribution has surfaced as of April 2, 2026. The attack, which security firm PeckShield estimated at $285 million in losses, forced Drift to suspend all deposits and withdrawals while the protocol coordinated with security teams and exchanges to contain the fallout.

What Elliptic said about the Drift attack

According to unconfirmed reports from secondary sources, Elliptic, a London-based blockchain analytics company that tracks illicit crypto activity, has identified patterns in the Drift exploit consistent with North Korean state-sponsored hacking operations. The claim elevates the incident from a standard DeFi exploit to a potential geopolitical cybersecurity event.

However, no directly accessible Elliptic blog post, incident report, or public statement confirming the North Korean attribution has been independently verified. Separate secondary reporting referenced a suspicion voiced by a Ledger executive rather than a formal Elliptic conclusion, making the attribution a working theory rather than a settled finding.

The distinction matters. If confirmed, a state-backed attack on a major Solana protocol would mark one of the largest North Korea-linked crypto thefts in 2026 and could trigger sanctions-related compliance obligations across exchanges and bridges that processed the stolen funds.

How the Drift exploit unfolded on April 1

Drift Protocol announced on April 1, 2026 that it was experiencing an active attack. The protocol immediately suspended deposits and withdrawals and said it was coordinating with security firms, bridges, and exchanges to contain the exploit.

PeckShield Alert estimated the initial loss from the Drift exploit at $285 million, making it one of the largest DeFi exploits this year.


CertiK Alert provided a lower figure, reporting that Drift appeared to suffer about $136 million in losses and flagging roughly $109 million concentrated in a single wallet. The discrepancy between the PeckShield and CertiK estimates likely reflects different methodologies for tracking fund movements versus confirmed protocol losses.

Decrypt reported that transfers to the attacker address exceeded $250 million based on Arkham Intelligence data, placing the incident’s scale closer to PeckShield’s upper estimate. The gap between observed transfers and confirmed losses remains under investigation.

Phantom, the most widely used Solana wallet, responded by adding a required warning banner for users attempting to access Drift through its interface. The wallet’s security team launched its own investigation into the incident, a step that underscored the severity of the exploit across the Solana ecosystem.

Why a North Korea link would reshape the response

If Elliptic’s reported attribution holds, the Drift exploit would fall into a pattern of increasingly large attacks tied to North Korean cyber units. Background reporting from TechCrunch noted that North Korean groups were responsible for a significant share of crypto theft observed in 2025, though that reporting was general and not specific to the Drift incident.

A confirmed state-sponsored attacker changes the compliance calculus for every entity that touched the stolen funds. Exchanges, bridges, and OTC desks that processed tokens from the attacker wallet could face sanctions exposure under U.S. Treasury OFAC designations if the funds are traced to a sanctioned North Korean entity. This dynamic has played out before in incidents such as the Ronin Bridge exploit, where OFAC added the attacker’s Ethereum address to its sanctions list.

For DeFi protocols operating on Solana, the incident raises questions about cross-chain bridge security and the speed at which stolen funds can be frozen. Drift said it was working with bridges and exchanges to contain the exploit, but the decentralized nature of on-chain transfers means that a determined attacker can move funds across chains faster than coordinators can blacklist addresses. Initiatives like AI-driven wallet security tools and on-chain monitoring have gained attention as potential defenses, but none proved fast enough to prevent the initial outflow in this case.

Investigators and blockchain analytics firms now face the task of tracing fund movements across what is likely a complex web of wallets, mixers, and cross-chain bridges. Elliptic, Chainalysis, and similar firms typically identify North Korean actors through wallet clustering, behavioral patterns, and overlap with previously sanctioned addresses.

What the incident means for Drift users and market confidence

The immediate market reaction was severe. CoinGecko data at fetch time showed DRIFT down 26.40% over 24 hours, trading at $0.052 with its market capitalization reduced to roughly $30.4 million.

Trading volume surged to over $67.5 million in 24 hours, far exceeding the token’s remaining market cap, a signal of panic selling and speculative positioning. The broader crypto market reflected the shock as well: the Fear and Greed Index sat at 12, deep in “Extreme Fear” territory, though that reading captures market-wide sentiment rather than Drift-specific reaction alone.

With deposits and withdrawals suspended, Drift users currently have no way to move funds off the protocol. The team has not announced a timeline for restoring access. Users who had open positions, whether perpetual futures, lending deposits, or liquidity provisions, face uncertainty about whether their balances will be fully recoverable.

The protocol’s response so far has focused on coordination rather than disclosure. Drift confirmed the attack and the suspension of services but has not published a technical postmortem or identified the vulnerability that was exploited. Until that information is released, users and security researchers cannot assess whether the root cause has been patched or whether other Solana protocols using similar architecture are at risk.

For on-chain prediction and DeFi platforms more broadly, the Drift exploit adds to a growing list of nine-figure security incidents that test user trust in non-custodial protocols. The incident is likely to accelerate demand for protocol insurance products and more rigorous audit standards, particularly for platforms handling leveraged trading where a single exploit can drain hundreds of millions in user deposits.

FAQ about Elliptic’s Drift attack attribution

Who is Elliptic?

Elliptic is a blockchain analytics company founded in London in 2013. It provides transaction monitoring, compliance screening, and investigative tools used by exchanges, financial institutions, and law enforcement agencies to trace illicit crypto flows. The firm has previously identified wallets linked to sanctioned entities, ransomware groups, and state-sponsored hackers.

Has the North Korean link been officially confirmed?

No. As of April 2, 2026, no directly published Elliptic report, law enforcement statement, or sanctions filing has confirmed that the Drift exploit was carried out by a North Korean hacker group. The attribution remains based on unconfirmed secondary reporting and should be treated as a working suspicion, not an established fact.

Why does it matter whether the attacker is North Korean?

North Korean cyber units, particularly the Lazarus Group, are subject to international sanctions. If the Drift attacker is linked to a sanctioned entity, any exchange, bridge, or service that processes the stolen funds could face legal liability. This also means that asset freezes and blacklisting of attacker wallets can be enforced more aggressively under existing sanctions frameworks, though enforcement across decentralized protocols remains challenging.

What should Drift users do right now?

Drift has suspended deposits and withdrawals. Users cannot currently move funds. The safest course is to monitor official Drift channels for updates on when access will be restored and whether a compensation plan or fund recovery effort will be announced. Users should also be cautious of phishing attempts, as attackers frequently target victims of exploits with fake recovery tools. Wallet providers like Phantom have already added warning banners to flag the risk.

How do the loss estimates differ?

PeckShield estimated the exploit at $285 million. CertiK reported approximately $136 million in confirmed losses, with $109 million concentrated in a single wallet. Arkham Intelligence data cited by Decrypt showed over $250 million in transfers to the attacker address. The variation reflects different tracking methodologies: some firms count all funds that moved to attacker-controlled addresses, while others count only funds confirmed as permanently lost from the protocol. A definitive figure will likely emerge only after Drift publishes a full postmortem.
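As an added illustration of the tracing work described earlier (wallet clustering and overlap with sanctioned addresses) and of why the loss figures in this answer differ, here is example code that is not Elliptic's, Drift's or any analytics firm's tooling. It runs a hop-limited forward taint trace over a transfer graph, screens the tainted set against a sanctions list to report each counterparty's exposure, and computes two loss numbers from the same data: gross value flowing into attacker wallets (which double-counts consolidation between them) versus net value that left the victim and was not returned. Every address, amount and list in it is constructed for the example; none describes the real Drift transfers.

```python
"""Hop-limited taint tracing, sanctions screening and loss accounting over a
transfer graph. Added illustration; all addresses, amounts and lists below are
constructed and do not describe the real Drift exploit."""
from collections import defaultdict, deque

# Constructed transfer log: (sender, receiver, amount in millions of USD).
TRANSFERS = [
    ("protocol_vault", "attacker_1", 120.0),
    ("protocol_vault", "attacker_2", 80.0),
    ("attacker_2", "attacker_1", 60.0),        # consolidation between attacker wallets
    ("attacker_1", "bridge_x", 50.0),          # cross-chain hop via a bridge contract
    ("bridge_x", "cex_deposit_1", 50.0),       # lands in an exchange deposit address
    ("attacker_1", "mixer_y", 10.0),           # mixer that appears on the sanctions list
    ("attacker_1", "protocol_vault", 5.0),     # partial return to the victim
    ("user_1", "cex_deposit_2", 3.0),          # unrelated activity; must stay clean
]
SEEDS = {"attacker_1", "attacker_2"}           # wallets attributed to the attacker
SANCTIONED = {"mixer_y"}                       # constructed stand-in for an SDN address list
# Custodial or victim addresses: taint is recorded there but not propagated through them.
TERMINALS = {"protocol_vault", "cex_deposit_1", "cex_deposit_2"}


def build_graph(transfers):
    """Map sender -> list of (receiver, amount)."""
    graph = defaultdict(list)
    for src, dst, amt in transfers:
        graph[src].append((dst, amt))
    return graph


def trace_taint(transfers, seeds, max_hops, terminals=frozenset()):
    """Breadth-first forward trace from the seed wallets.
    Returns {address: hop distance from the nearest seed}, bounded by max_hops."""
    graph = build_graph(transfers)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops or cur in terminals:
            continue
        for nxt, _ in graph[cur]:
            if nxt not in hops:          # first visit is the shortest hop count
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def screen(transfers, seeds, sanctioned, max_hops, terminals=frozenset()):
    """Sanctions screening over the tainted set.
    Returns (sorted sanctioned addresses reached, {counterparty: tainted value received})."""
    hops = trace_taint(transfers, seeds, max_hops, terminals)
    hits = sorted(a for a in hops if a in sanctioned)
    exposure = defaultdict(float)
    for src, dst, amt in transfers:
        # Count only value moving from a tainted address to a downstream (non-seed) one.
        if src in hops and dst in hops and hops[dst] > 0:
            exposure[dst] += amt
    return hits, dict(exposure)


def loss_estimates(transfers, victim, cluster):
    """Two accounting methods that yield different headline figures.
    gross_to_cluster: every transfer into attacker wallets, consolidation included.
    net_victim_outflow: value that left the victim minus value sent back to it.
    largest_single_wallet: the attacker wallet holding the most after all moves."""
    gross_to_cluster = sum(a for s, d, a in transfers if d in cluster)
    out_of_victim = sum(a for s, d, a in transfers if s == victim)
    back_to_victim = sum(a for s, d, a in transfers if d == victim)
    balances = defaultdict(float)
    for s, d, a in transfers:
        if s in cluster:
            balances[s] -= a
        if d in cluster:
            balances[d] += a
    largest = max(balances.items(), key=lambda kv: kv[1])
    return {
        "gross_to_cluster": gross_to_cluster,
        "net_victim_outflow": out_of_victim - back_to_victim,
        "largest_single_wallet": largest,
    }


if __name__ == "__main__":
    hits, exposure = screen(TRANSFERS, SEEDS, SANCTIONED, max_hops=2, terminals=TERMINALS)
    print("sanctioned addresses reached:", hits)
    for addr, amt in sorted(exposure.items()):
        print(f"  {addr}: received {amt:.1f}M of tainted value")
    print(loss_estimates(TRANSFERS, "protocol_vault", SEEDS))
```

The hop bound is the knob a compliance desk actually argues about: with `max_hops=1` the exchange deposit behind the bridge is not reached at all, with `max_hops=2` it is, and the two loss figures (260 gross versus 195 net on the constructed data) show how "transfers to attacker addresses" and "confirmed protocol losses" can both be honest answers to different questions.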

The broader market impact of the exploit extends beyond Drift itself. Solana-based DeFi protocols have seen increased scrutiny, and the incident comes amid a period where macroeconomic uncertainty is already weighing on risk appetite across crypto markets. Whether the North Korean attribution is ultimately confirmed or not, the scale of the Drift exploit alone makes it a defining security event for the Solana ecosystem in 2026.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.

Source: https://coincu.com/scam-alert/elliptic-drift-attack-north-korean-hacker-group/
