Analysts implicate North Korea's Lazarus hacker group in Drift Protocol exploit

The analysis of Drift Protocol’s recent exploit pointed to North Korean hackers, possibly the same group that exploited Bybit for over $1.4B. The exploit affected multiple DeFi apps across the Solana ecosystem. 

Drift Protocol analysis shows the exploit was possibly performed by North Korea’s Lazarus Group, the same threat actors behind Bybit and the Ronin bridge hack. 

New facts about the exploit are also emerging, based on DivergSec analysis and reports by Elliptic and TRM Labs. 

The attacker did not just compromise the Drift Protocol multisig once. Drift migrated some of its multisig wallets to new Security Council members. Within three days, the attacker compromised the new multisig and prepared with pre-signed transactions on March 31, a day before the attack.

The specific usage of wallets points to the Lazarus Group modus operandi, with a wallet first funded by Tornado Cash, rapid multi-chain bridging to ETH, and consolidating the funds for mixing. 

Based on Elliptic’s research, Lazarus has performed 18 attacks in the year to date. Researchers will cooperate with the Drift Protocol team to track the funds. 

Drift Protocol sends message to exploiters

Drift Protocol announced that critical information about the involved parties has been discovered. The team sent messages to the four identified wallets currently holding the proceeds of the hack. 

Critical information of parties related to the exploit have been identified. Drift is now sending an on-chain message from 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105 to the ETH Wallets that holds the stolen funds.

Wallet 1: 0xAa843eD65C1f061F111B5289169731351c5e57C1 (Timestamp…

— Drift (@DriftProtocol) April 3, 2026

The message suggested Drift Protocol may have known the identity of the hackers. The community speculates about possible insider access or project infiltration. Despite this, Drift Protocol was still criticized for having a zero timelock on protocol-level changes, allowing the exploiter to drain liquidity immediately.

Drift Protocol spread contagion to the Solana economy

Drift Protocol retains $232M in value locked, down from over $550M. Multiple protocols that used Drift for yield have had their funds stolen or frozen in whole or in part. 

SOL recovered above $80 after a brief dip in response to the hack. 

The hack affected Reflect Money for its USD+ farming yield. DeFi Carrot lost 50% of its TVL in Drift, and CRT tokens were also affected. Ranger Finance was exposed through rUSD. PiggybankFi lost $106K from deposits into Drift Protocol. 

Project0 paused loans against Drift vaults. Other projects, including Pyra, which lost all its funds, and XPlace, which mainly used Drift for yield. Elemental DeFi was only exposed through a USDC vault. 

Some of the protocols only had their funds on hold until security is improved. Eleven projects were affected so far, not counting the general sentiment repercussions and loss of trust in DeFi lending. 

A total of 35 DeFi protocols have been exploited in 2026 to date, with an accelerating trend and more organized attacks. 

Around $453M was extracted from DeFi, showing it is still a high-risk sector. The hacks undermine the narrative that DeFi would be a suitable way to gain yield with minimal risk. 

If you're reading this, you’re already ahead. Stay there with our newsletter.