Drift Exposed as Linked to North Korean Hackers, Causing Panic in Solana DeFi
A Six-Month Scam Cracked DeFi Trust Open
It is no coincidence that the market suddenly turned its focus to Drift Protocol. This is a feedback loop in which fear amplifies itself: the forensics report became public just as the Solana ecosystem was already stretched thin by macro factors. In the past 24 hours, discussion exploded, not because the hackers found a code vulnerability, but because they “made friends” for six months, and the investigation points to a North Korean state-level hacking group. The impact on traders is like a sudden reversal in funding rates: everyone starts re-evaluating just how fragile DeFi really is. Timing is crucial: on April 5, Drift’s official X account confirmed UNC4736’s involvement, instantly escalating the incident into a geopolitical talking point and reminding people of the two earlier incidents involving Ronin and Radiant Capital.
What really ignited the emotions is how this got embedded into Solana perpetuals’ greed-fear feedback loop. This attack smashed TVL from $550 million down to $300 million, and the details spread fast: flirting at an in-person conference, hiding behind a shell posing as a quantitative firm. It’s not that a North Korea hack is something new (it has long stopped being new); what’s new is that this exposed how severely everyone has underestimated the risk of social engineering. Everyone is chasing yield, and no one seriously checked who was actually behind the code repository.
Why State-Level Hackers Suddenly Became the Focus
First, let’s clear away the noise. The claim of “the biggest DeFi loss of 2026” is a bit exaggerated. Yes, $285 million is painful, but Wormhole’s incident was bigger, and the market wasn’t this panicked then. The amount isn’t the key issue. What really puts traders on edge is the attacker’s patience—six months of groundwork. This turns Drift from a seemingly dependable perpetual DEX into the typical case of “trust verification failed.”
The deeper story is that security researchers (like ZachXBT) dismantled Lazarus’s sub-cells, distinguishing casual phishing from this kind of mature operation. As a result, attention shifted away from Drift’s technology (which, at the on-chain level, actually holds up) and toward “people,” this new attack surface. Now, every idle chat at conferences starts to feel a little suspicious.
My take differs from the market: people treat North Korea as a survival-level threat, but it’s more like a “state-level long-term assignment”—terrifying, but not an apocalypse. That leads to protocols like Drift—already audited and diligent at the on-chain level—being punished excessively.
My conclusion: this wave of panic will pass. It amplifies tail risk, but the real capital will flow back into DeFi that has been tested. If the forensics confirm that the damage is controllable, this pullback is something you can buy. Solana’s speed advantage matters far more than these “ghosts.”