The Drift Protocol, widely considered to be the largest perpetual futures exchange operating on the Solana blockchain, became the focal point of a highly coordinated attack on April 1, 2026, which is rapidly turning into one of the most significant breaches in decentralized finance this year.
Beyond exposing a vulnerability in one platform, the incident highlighted how much the sophistication of threat actors across the crypto ecosystem has increased over the years. Elliptic estimates that approximately $286 million was siphoned during the attack, with a pattern of transactions, asset movements, and laundering processes that resembled operations previously attributed to North Korean state-linked groups.
Should attribution be formally established, the breach would represent the eighth incident of this type recorded during the current year alone, contributing to a cumulative loss of over $300 million. More broadly, it is indicative of a persistent strategic campaign in which upwards of $6.5 billion in cryptoassets have been exfiltrated in recent years, activity that U.S. authorities have repeatedly linked to the financing of the country’s weapons development programs.
According to Elliptic’s analysis released on Thursday, the $285 million exploitation event has multiple layers of alignment with operational patterns traditionally associated with North Korea’s state-sponsored cyber units, making it the largest recorded incident this year.
The assessment highlights not only the sequence of transactions on the blockchain but also the obfuscation techniques systematically employed, including staged asset dispersal and laundering pathways that mimic prior state-linked campaigns. Together with telemetry and interaction signatures, the network-level interactions strongly suggest a coordinated, well-resourced intrusion rather than an opportunistic one.
In response to the incident, Drift Protocol’s native token has declined by more than 40 percent, trading near $0.06. This reflects both immediate liquidity concerns and broader concerns about the platform’s security.
Since Drift is the most significant decentralized perpetual futures exchange in the Solana ecosystem, the compromise has implications that go beyond a single protocol, and it raises new concerns about systemic risk, adversarial persistence, and the resilience of decentralized trading infrastructures in the face of sustained, state-aligned threat activities.
A Drift Protocol internal assessment further suggests that the breach was the culmination of a deliberate, six-month intrusion campaign. The activity was attributed with moderate confidence to a North Korea-aligned threat cluster identified as UNC4736.
There are numerous aliases for this actor, including AppleJeus, Citrine Sleet, Golden Chollima and Gleaming Pisces.
This group has a long track record of financially motivated intrusions within the cryptocurrency threat landscape. It is noteworthy that the group’s past activity has been associated with high-impact incidents such as the X_TRADER and 3CX supply chain compromises of 2023 and the Radiant Capital breach of late 2024, which resulted in $53 million losses.
As a consequence of Drift’s analysis, transacti
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents