Blockchain analytics firm Elliptic on Thursday flagged “multiple indicators” that North Korea’s state-sponsored hackers may be behind the $285 million exploit of Drift Protocol, the largest DeFi hack of 2026 so far that wiped out more than half of the Solana-based exchange’s total value locked.

Arthur Hayes, BitMEX co-founder, Maelstrom CIO, and Drift Protocol advisor, pointed the finger at Solana (CRYPTO: SOL) itself.

“If Solana had native multi sig addresses, would the Drift hack even have been possible? Actually curious, not trolling,” Hayes wrote on X.

Ledger CTO Charles Guillemet drew a direct comparison to the $1.4 billion Bybit hack of 2025, which the FBI attributed to North Korea’s Lazarus Group.

The pattern is nearly identical: compromised multi sig signers, social engineering, and malicious transactions disguised as routine operations.

The Lazarus Playbook

The hacker spent weeks setting up the attack.

They created a fake token called CarbonVote Token, seeded it with $500 in liquidity, and wash-traded it to fool Solana price oracles into treating it as legitimate.

On April 1, they used compromised admin keys to list the token on Drift, posted it as collateral, and drained real assets in 31 transactions over roughly 12 minutes.

Elliptic’s report noted the attack’s pre-positioned wallets, early test transactions, and structured laundering flow all mirror previous Lazarus operations.

The firm said this would represent the eighteenth DPRK-linked act it has tracked in 2026, with over $300 million stolen this year alone.

North Korean hackers reportedly stole a record $2 billion in crypto in 2025, according to Chainalysis. The U.S. Treasury has linked stolen crypto assets to Pyongyang’s weapons of mass destruction program.

Circle Sat On Its Hands

On-chain investigator ZachXBT accused Circle Internet Group (NYSE:CRCL), the issuer of USDC, of having six hours to freeze over $230 million in stolen stablecoins as they moved across more than 100 transactions via Circle’s own cross-chain bridge during U.S. business hours.

Circle had frozen 16 unrelated business hot wallets just days earlier in a sealed civil case. ZachXBT called the contrast evidence that Circle is a bad actor for the industry.

Benzinga reached out to Circle for comment. Circle is down 2% today, and 13% year to date.

Drift’s TVL collapsed from $550 million to under $300 million within the hour. The DRIFT token crashed over 40%. SOL fell 9% to an intraday low near $78.60.

Solana Foundation President Lily Liu said the incident “hits hard” but stressed the real targets are now “humans: social engineering and opsec weaknesses more than code exploits.”

Image: Shutterstock