Ledger CTO says North Korea Behind $280M Drift Protocol Hack

• Drift Protocol lost $280 million after multisig signers machines were compromised, not smart contract flaws.
• A compromise of the 2-of-5 multisig signers weeks prior by North Korean actors enabled the hack.
• This hack sparks calls for stronger operational security governance across the DeFi industry.

Ledger CTO Charles Guillemet said North Korean-linked attackers may be behind the $280 million Drift Protocol hack on Solana. The exploit targeted multisig signers using social engineering, making it the largest DeFi hack of 2026 and raising new concerns about operational security.

Ledger CTO Links Drift Hack to North Korean Tactics

On April 2, 2026, Ledger CTO linked the April 1, 2026, $280 million hack of Drift Protocol, a leading Solana perpetual DEX, to tactics commonly used by North Korean threat actors. The stolen assets were quickly transferred, swapped into stablecoins, and partially bridged out, marking the largest DeFi hack of 2026 and one of the biggest on Solana.

In a detailed X post, Guillemet explained that attackers compromised the multisig days earlier, tricking signers into approving a malicious transaction by exploiting their machines or stolen private keys.

In the X post, Guillemet said,“similar to the Bybit hack last year, widely attributed to DPRK-linked actors.” He described the pattern as a patient, sophisticated supply-chain-level compromise targeting the human and operational layer, not the smart contracts themselves.

Compromise of 2-of-5 Multisig Signers Enabled Hack

Drift Protocols Security Council was governed by a 2-of-5 multisig that had been migrated just one week before the exploit. The setup required approval from only two of five signers and featured a zero-second timelock, allowing instant execution of any approved transaction.

Attackers reportedly tricked two signers into approving malicious transactions. These approvals were later executed to gain control of admin functions.

Drift Protocol confirmed the breach was not caused by a smart contract flaw. Instead, attackers compromised signer devices and approval workflows over several weeks.

Solana DeFi Security Debate Intensifies

The hack has triggered broader security discussions across the Solana ecosystem. Experts are calling for stronger multisig controls, hardware-backed signing, and improved monitoring.

Key players responded quickly to the hack, with BitMEX co-founder Arthur Hayes questioning whether native multisig addresses on Solana could have prevented the breach, sparking debate on protocol-level design versus human factors.