Ledger CTO Charles Guillemet reportedly suspects the roughly $280 million Drift Protocol exploit is linked to North Korean threat actors, adding a geopolitical dimension to one of the largest Solana-based security incidents on record. The claim, which has not been confirmed by any forensic investigation or official postmortem, surfaced through unverified reports as the Solana DeFi protocol scrambled to contain the fallout.
Ledger CTO flags possible North Korea link in Drift Protocol hack
According to unconfirmed reports, Guillemet drew parallels between the Drift incident and the 2025 Bybit hack, suggesting the attack pattern resembles operations previously attributed to North Korean cyber units. No primary post from Guillemet or forensic attribution from a security firm was available to confirm the suspected link at the time of writing.
The exploit itself is well documented. Drift Protocol said on April 1 that it was experiencing an active attack and had immediately suspended deposits and withdrawals. The team added it was coordinating with security firms, bridges, and exchanges to contain the breach.
Security tracker PeckShield estimated the loss at roughly $285 million, making it one of the largest DeFi exploits of 2026.
What the report says about the attack and attribution
Early analysis from Decrypt’s reporting pointed to a leaked or compromised admin key as the likely attack vector, with the protocol’s fee vault identified as the primary target. DeFiLlama classified the incident as a private key compromise carried out through social engineering.
The distinction between a suspected state-linked operation and a conventional exploit matters. If the North Korea connection were ultimately confirmed through forensic evidence, the incident would shift from a protocol-level security failure to a sanctions and compliance story with broader regulatory implications.
For now, the attribution chain remains thin. The Guillemet claim circulated through secondary channels, and no law enforcement agency, blockchain forensics firm, or official Drift statement has corroborated a link to any specific threat group. Readers should treat the North Korea angle as an emerging allegation, not an established finding.
Ecosystem response and market impact
The response across the Solana ecosystem was immediate. Phantom, the widely used Solana wallet, said users accessing Drift through its interface would see a required security warning while its team investigated the situation. That kind of wallet-level flagging signals the severity ecosystem partners assigned to the incident.
DRIFT token pricing reflected the shock. CoinGecko data showed the token trading at $0.0577, down 18.94% over 24 hours, with its market cap falling to roughly $33.91 million. Trading volume surged to $64.8 million over the same period, several multiples of normal activity.
The broader crypto market was already under pressure. The Fear and Greed Index sat at 12, deep in “Extreme Fear” territory, before the Drift news broke. The exploit added to a risk-off environment that has also seen divergent ETF flows across BTC, ETH, and XRP in recent sessions.
Why the alleged link matters for crypto market watchers
The scale of the reported loss alone makes the Drift exploit significant. A $285 million drain ranks among the largest DeFi hacks in any year, and it lands on Solana, a network that has been competing with Ethereum for DeFi activity through much of 2026.
If a state-linked threat actor were ultimately confirmed, the implications would extend well beyond Drift. Previous incidents attributed to North Korean groups, including the Bybit exploit Guillemet reportedly referenced, prompted industry-wide reviews of key management practices and led to increased scrutiny from regulators monitoring sanctions compliance.
Institutional participants watching the space, including firms like Metaplanet that have been building large crypto positions, pay close attention to systemic security risks. A confirmed nation-state attack on a major DeFi protocol would raise questions about the security posture of the broader ecosystem.
Until Drift releases an official postmortem and independent forensic firms complete their analysis, the North Korea connection remains a single-source allegation. What is confirmed is the exploit itself, its approximate scale, and the immediate damage to DRIFT holders and depositors.