Drift Protocol hack traced to group behind Bybit exploit - Coinfea

The recent exploit of Drift Protocol has been tied to North Korean hackers, possibly the same group that exploited Bybit for over $1.4B. The exploit affected multiple DeFi apps across the Solana ecosystem. Drift Protocol analysis shows the exploit was possibly performed by North Korea’s Lazarus Group, the same threat actors behind several other attacks.

Based on DivergSec analysis and reports by Elliptic and TRM Labs, new information about the exploit is emerging. The attacker did not just compromise the Drift Protocol multisig once. Drift migrated some of its multisig wallets to new Security Council members. Within three days, the attacker compromised the new multisig and prepared with pre-signed transactions on March 31, a day before the attack.

Drift Protocol incident tied to North Korean hackers

The specific usage of wallets points to the Lazarus Group modus operandi, with a wallet first funded by Tornado Cash, rapid multi-chain bridging to ETH, and consolidating the funds for mixing. Based on Elliptic’s research, Lazarus has performed 18 attacks in the year to date. Researchers will cooperate with the Drift Protocol team to track the funds. Drift Protocol announced that critical information about the involved parties has been discovered.

In addition, the team sent messages to the four identified wallets currently holding the proceeds of the hack. The message suggested Drift Protocol may have known the identity of the hackers. The community speculates about possible insider access or project infiltration. Despite this, Drift Protocol was still criticized for having a zero timelock on protocol-level changes, allowing the exploiter to drain liquidity immediately.

Drift Protocol retains $232M in value locked, down from over $550M. Multiple protocols that used Drift for yield have had their funds stolen or frozen in whole or in part. SOL recovered above $80 after a brief dip in response to the hack. The hack affected Reflect Money for its USD+ farming yield. DeFi Carrot lost 50% of its TVL in Drift, and CRT tokens were also affected. Ranger Finance was exposed through rUSD. PiggybankFi lost $106K from deposits into Drift Protocol.

Project0 paused loans against Drift vaults. Other projects, including Pyra, which lost all its funds, and XPlace, which mainly used Drift for yield. Elemental DeFi was only exposed through a USDC vault. Some of the protocols only had their funds on hold until security is improved. Eleven projects were affected so far, not counting the general sentiment repercussions and loss of trust in DeFi lending.

A total of 35 DeFi protocols have been exploited in 2026 to date, with an accelerating trend and more organized attacks. Around $453M was extracted from DeFi, showing it is still a high-risk sector. The hacks undermine the narrative that DeFi would be a suitable way to gain yield with minimal risk.