Drift Protocol, one of Solana’s flagship decentralized perpetuals exchanges, was drained of approximately $285 million on April 18 in what now stands as the largest single exploit in the network’s history. On-chain investigators have traced the attack pattern to techniques previously attributed to North Korea’s Lazarus Group.
The attack unfolded over roughly 90 minutes during low-liquidity Asian trading hours – a timing choice that security researchers say is characteristic of state-sponsored operations. Drift’s team confirmed the breach via X at 04:17 UTC, urging users to withdraw remaining funds from the protocol while they paused all contract interactions.
How the Exploit Worked
Preliminary analysis from blockchain security firm Halborn points to a sophisticated oracle manipulation attack combined with a flash loan amplifier. The attacker deployed a series of contracts that exploited a rounding error in Drift’s price feed aggregation – a vulnerability that had existed since the protocol’s V2 upgrade in late 2025.
The sequence went like this: the attacker borrowed $40 million in SOL through a flash loan, used it to skew the oracle price on a thinly traded perpetual pair, then opened massive leveraged positions at the manipulated price. When the oracle corrected, the positions were closed at an artificial profit, draining the insurance fund and liquidity pools simultaneously.
“This wasn’t a brute-force attack,” said Rob Behnke, co-founder of Halborn. “Someone spent weeks studying Drift’s oracle aggregation logic and found a mathematical edge case. The level of preparation is consistent with what we see from state-level actors.”
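The sequence above depends on the protocol accepting a price that was skewed for only a moment. The following is an added example, not Drift's code and not part of the original report, of one common defense: a guard that refuses to act on a price deviating too far from a time-weighted average. All names, the 100 basis point threshold and the price data are constructed assumptions, and the example does not reproduce the rounding error, whose details are not given here.

```rust
// Added example (not Drift's code): constructed prices, hypothetical names.
// Prices are fixed-point integers in micro-USD, as on-chain code avoids floats.

#[derive(Clone, Copy)]
struct Obs {
    slot: u64,  // slot at which this price became the latest
    price: u64, // micro-USD
}

/// Time-weighted average: each price is weighted by how many slots it stayed current.
fn twap(history: &[Obs], now_slot: u64) -> Option<u64> {
    let (mut weighted, mut total) = (0u128, 0u128);
    for (i, o) in history.iter().enumerate() {
        let end = history.get(i + 1).map_or(now_slot, |n| n.slot);
        let dt = end.saturating_sub(o.slot) as u128;
        weighted += o.price as u128 * dt;
        total += dt;
    }
    if total == 0 { None } else { Some((weighted / total) as u64) }
}

/// True only if `spot` is within `max_bps` basis points of the TWAP.
/// Fails closed when there is no usable history.
fn price_is_sane(history: &[Obs], now_slot: u64, spot: u64, max_bps: u64) -> bool {
    match twap(history, now_slot) {
        Some(avg) if avg > 0 => {
            let diff = spot.abs_diff(avg) as u128;
            diff * 10_000 <= avg as u128 * max_bps as u128
        }
        _ => false,
    }
}

/// Constructed feed: four calm observations around $150, ten slots apart.
fn sample_history() -> Vec<Obs> {
    [(100, 150_000_000), (110, 150_300_000), (120, 149_700_000), (130, 150_000_000)]
        .iter()
        .map(|&(slot, price)| Obs { slot, price })
        .collect()
}

fn main() {
    let mut h = sample_history();
    println!("normal move accepted: {}", price_is_sane(&h, 140, 150_600_000, 100));
    // A one-slot 30% spike, even once recorded, barely moves the average.
    h.push(Obs { slot: 140, price: 195_000_000 });
    println!("twap after spike: {:?}", twap(&h, 141));
    println!("spiked price accepted: {}", price_is_sane(&h, 141, 195_000_000, 100));
}
```

A guard like this limits how far a single-transaction price move can be used to open positions; it does not replace review of the aggregation arithmetic itself.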
The North Korea Connection
ZachXBT, the pseudonymous on-chain investigator, published a thread within hours of the exploit linking wallet clusters used in the attack to addresses previously associated with the Lazarus Group. Specifically, the stolen funds were routed through a series of intermediate wallets before being bridged to Ethereum via Wormhole, then split across multiple Tornado Cash deposits.
The FBI’s cryptocurrency unit has reportedly opened an investigation, though the agency hasn’t issued a public statement. South Korea’s National Intelligence Service flagged the incident in a brief to lawmakers, according to a report from Yonhap News.
If confirmed, this would mark the Lazarus Group’s first major Solana exploit. The group has previously targeted Ethereum-based protocols, most notably the $625 million Ronin Bridge hack in 2022 and the $100 million Harmony Bridge attack the same year.
Drift’s Response
Drift’s founding team moved quickly to contain the damage. Within four hours of the attack, all smart contracts were paused. The protocol’s insurance fund, which held roughly $18 million before the exploit, was entirely wiped out.
In a governance post on April 19, Drift proposed a recovery plan that includes issuing a “recovery token” to affected liquidity providers and launching a $50 million fundraise to partially backstop losses. Several Solana ecosystem funds have expressed interest in participating, though none have committed publicly.
“We take full responsibility for the vulnerability,” wrote Cindy Leow, Drift co-founder, in the proposal. “But we also need the system’s support. This attack was designed to hurt all of Solana DeFi, not just Drift.”
Wider Impact on Solana
SOL dropped 8.3% in the 24 hours following the exploit, touching $142 before partially recovering. Total value locked across Solana DeFi fell by $900 million as users rushed to withdraw from protocols with similar oracle architectures.
The hack has reignited a long-running debate about Solana’s security posture. Critics point to the network’s history of outages and the relatively concentrated validator set as structural risks. Supporters counter that the exploit targeted application-layer code, not the base chain itself.
Mert Mumtaz, co-founder of Helius Labs, pushed back against the narrative. “Drift had a bug in their code. That’s not a Solana problem. Every chain has protocol-level exploits. Ethereum has had bigger ones in absolute terms.”
What Happens Next
The crypto security community is now watching three developments. First, whether law enforcement can freeze any portion of the stolen funds before they’re fully laundered. The Tornado Cash deposits suggest the attacker is racing to obscure the trail. Second, whether Drift’s recovery plan gains enough community support to move forward. And third, whether this triggers a broader audit cycle across Solana DeFi protocols.
For Solana, the timing is particularly bad. The network had been enjoying a renaissance in developer activity and TVL growth throughout early 2026. This single incident threatens to undermine months of momentum.
The $285 million figure also places the Drift exploit in the top five crypto hacks of all time, joining an unwelcome list that includes Ronin, Poly Network, and the Wormhole bridge exploit. If the Lazarus attribution holds, it will be another reminder that state-backed hackers remain the most dangerous threat in decentralized finance – and that no chain is immune.



