Who Was Behind Yesterday’s Massive $286 Million Altcoin Hack Has Been Revealed

Drift Protocol, one of the largest decentralized futures platforms in the Solana ecosystem, made headlines yesterday following a large-scale cyberattack.

According to an analysis by blockchain analytics company Elliptic, approximately $286 million worth of cryptocurrency was stolen in the attack. Initial findings suggest the attack may be linked to individuals with ties to North Korea.

Elliptic stated that the on-chain movements, money laundering methods, and network behavior used in the attack showed similarities to operations previously linked to North Korea. If this connection is confirmed, this would be the 18th attack linked to North Korea in 2026. The company noted that the total amount stolen in such attacks since the beginning of the year has exceeded $300 million, and that North Korea-linked groups are estimated to have stolen more than $6.5 billion in crypto assets in recent years.

Shortly after the attack began, it was reported that the attacker systematically withdrew funds from multiple asset vaults in the protocol, effectively draining a large portion of the liquidity. Blockchain security firm PeckShield stated that the likely cause of the attack was the compromise of the administrator’s private keys. This allowed the attacker to gain privileged access to the system, initiating withdrawals and modifying governance parameters.

The attack specifically targeted JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. Approximately 41.7 million JLP tokens (worth about $155 million) were reportedly withdrawn in a single transaction. USDC, SOL, cbBTC, wBTC, and various other liquid staking tokens were also seized in the attack.

Related News: Chief Economist Joe Lavorgna: “No One Is Reading This Correctly; the Fed Has Entered a Dovish Phase”

Data platform DefiLlama announced that the total value locked (TVL) of Drift Protocol dropped from approximately $550 million to below $250 million following the attack. This event, recorded as the largest DeFi attack of 2026, is the second largest security breach in the Solana ecosystem after the Wormhole bridge attack.

The Drift team confirmed in a statement on social media that the platform was under “active attack” and announced that deposit and withdrawal transactions were temporarily suspended. The team also stated that they were working in coordination with various security firms, bridge protocols, and exchanges.

According to on-chain data, the wallet used by the attacker was created approximately eight days before the attack and performed a small test transfer during that time. This suggests that the attack may have been premeditated and executed in stages.

The attacker quickly converted most of the compromised assets to USDC via a Solana-based DEX aggregator. These funds were then bridged to the Ethereum network and converted to ETH. Elliptic stated that, thanks to multi-chain analytics tools, the movement of funds from Solana to Ethereum could be tracked.

The attack is considered part of a recent increase in North Korea-linked cyberactivity. Indeed, Google recently announced that a supply chain attack targeting its popular Axios npm package was also carried out by the North Korea-linked UNC1069 group.

*This is not investment advice.

Continue Reading: Who Was Behind Yesterday’s Massive $286 Million Altcoin Hack Has Been Revealed