Drift Protocol, the largest decentralized perpetual futures exchange on Solana, was exploited for approximately $285 million on April 2, 2026. Blockchain analytics firm Elliptic identified "multiple indicators" pointing to North Korea's state-sponsored DPRK hacker group — marking what would be the eighteenth DPRK-linked crypto attack this year, with over $300 million stolen so far in 2026.

Elliptic's analysis highlighted familiar laundering patterns: early test transactions, pre-positioned wallets, rapid asset consolidation across chains, and a structured flow designed to obscure the origin of funds. The group exploited Solana's account model, where each asset type occupies a separate token account, making attribution harder without entity-level clustering.

Circle in the Crossfire

Around $71 million was stolen directly in USDC, and the attacker later used Circle's cross-chain transfer protocol (CCTP) to bridge roughly $232 million more from Solana to Ethereum — complicating recovery efforts.

Blockchain investigator ZachXBT publicly questioned why Circle didn't act faster to freeze the funds. Circle responded that it only freezes assets "when legally required," citing compliance obligations and the risks of unilateral intervention.

The incident revived a long-running debate. Legal experts noted that preemptively blacklisting wallets without a court order could expose Circle to liability. Ben Levit of Bluechip called the situation a "gray zone" — the exploit involved oracle manipulation rather than a clean theft, making any freeze a judgment call, not a clear compliance decision.

Drift's token dropped more than 40% to around $0.06 in the aftermath. DPRK hackers reportedly stole a record $2 billion in crypto in 2025, and the pace in 2026 shows no sign of slowing.