Drift Protocol exploit on Solana ties Lazarus to Bybit $1.4B hack
A Drift Protocol exploit on Solana is reportedly tied to the North Korea-linked Lazarus hacker group, with on-chain wallet forensics pointing to the same actors behind Bybit’s $1.4B hack. The Drift Protocol exploit was not limited to one multisig: funds were moved to new Security Council members’ wallets, which were then compromised using pre-signed transactions prepared on March 31.
Researchers citing DivergSec analysis plus reports from Elliptic and TRM Labs say wallet behavior matches Lazarus patterns: initial funding via Tornado Cash, rapid bridging to ETH, and subsequent fund consolidation/mixing. Lazarus has conducted 18 attacks year-to-date, according to Elliptic.
Impact across the Solana DeFi ecosystem is widening. Drift still holds about $232M TVL (down from $550M+), while multiple protocols lost funds or had vaults frozen. Examples include Reflect Money (USD+ yield), DeFi Carrot (50% TVL loss, CRT tokens affected), Ranger Finance (rUSD exposure), PiggybankFi (about $106K), Project0 (paused loans), and Pyra (all funds drained). At least 11 protocols have been affected so far.
Drift also sent an on-chain message to ETH wallets holding hack proceeds, suggesting it identified the parties involved. Traders should watch SOL liquidity, DeFi lending risk premia, and further alerts or claims from investigators as fund tracking continues.
Bearish
This news is broadly bearish because it reinforces a pattern of coordinated, professional DeFi attacks that extend beyond a single contract. The claimed Lazarus link (also attributed to the Bybit $1.4B incident) raises the likelihood of further exploits, token sell-pressure, and tighter liquidity for Solana DeFi lending/yield strategies.
In the short term, traders typically react to: (1) higher perceived smart-contract and operational risk, (2) liquidity withdrawals from protocols with Drift exposure, and (3) volatility spikes in SOL as TVL falls and users reassess bridge/mitigation assumptions. Similar attribution-driven headlines have historically led to risk-off behavior across DeFi sectors, not just the exploited protocol.
In the long term, outcomes depend on whether investigators can identify/slow further fund movement and whether affected protocols implement stronger timelocks, multisig protections, and monitoring. Drift’s on-chain message and the ongoing tracking could slightly improve confidence, but the “zero-timelock/protocol change risk” criticism and widening contagion to multiple venues suggest the sector’s risk premium is likely to remain elevated.