Tags: DPRK / Behavioral. Loss: $286M. Published 2026-05-22.

Drift Hack Analysis: Four DPRK Wallets, Flagged on Behavior Alone

Drift Protocol publicly named four Ethereum wallets holding the proceeds of the $286M April 2026 exploit. With no sanctions data and no entity attribution for any of them, CredScore returned the same verdict on all four: High Risk, Escalate.

By Wade Wickingson, founder of CredScore

TL;DR
  • On April 1, 2026, attackers drained roughly $286M from Drift Protocol on Solana, in an exploit investigators have linked to North Korea.
  • On April 3, Drift publicly named four Ethereum wallets holding the bridged proceeds via on-chain message.
  • Each wallet was run through CredScore with no sanctions designation and no entity attribution. To the engine, they were four anonymous addresses.
  • All four returned the same verdict: High Risk, score 38/100, Escalate, driven by the same behavioral pattern: large value accumulated from many sources, held without spending, no legible origin.
  • A list-based screen clears these wallets. Behavior does not. That is the gap this study is about.

On April 1, 2026, Drift Protocol, the largest perpetual futures exchange on Solana, lost approximately 286 million US dollars in what became the largest DeFi hack of the year. The attackers did not break any cryptography. They spent months posing as a quantitative trading firm to build trust with the protocol's contributors, then exploited privileged access to seize administrative control and drain the protocol. Within days, Elliptic, TRM Labs, and Chainalysis had independently linked the on-chain behavior and laundering methodology to the Democratic People's Republic of Korea.

This case study is not another incident recap. Those are already published by Elliptic and Chainalysis. What this study does is take the four Ethereum wallets that Drift Protocol itself publicly named as holding the stolen funds, run each one through the CredScore risk engine with no special configuration, and publish the result. The engine had no sanctions match and no entity label for any of these addresses. To CredScore, they were four anonymous strings of hex.

Every screenshot below is unedited output from a production CredScore analysis. The scoring logic is deterministic. No machine learning. Every flag has a written rationale, and every score traces back to an observable on-chain signal.

The four wallets Drift named

On April 3, 2026, the Drift team sent on-chain messages to the addresses holding the bridged proceeds, publicly identifying four Ethereum wallets. Those addresses, and the balance and inbound-source count CredScore observed for each at analysis time:

Wallet    Address                                     Balance at analysis time    Risk / Score / Posture
Wallet 1  0xAa843eD65C1f061F111B5289169731351c5e57C1  25,715 ETH from 36 sources  High / 38 / Escalate
Wallet 2  0xD3FEEd5DA83D8e8c449d6CB96ff1eb06ED1cF6C7  24,882 ETH from 32 sources  High / 38 / Escalate
Wallet 3  0xbDdAE987FEe930910fCC5aa403D5688fB440561B  23,097 ETH from 31 sources  High / 38 / Escalate
Wallet 4  0x0FE3b6908318B1F630daa5B31B49a15fC5F6B674  56,568 ETH from 32 sources  High / 38 / Escalate

Together the four held roughly 130,000 ETH at analysis time, worth hundreds of millions of dollars. Each shared the same shape: value flowing in from dozens of distinct sources over about two months, and zero outbound transfers. Money in from everywhere, nothing out.

The verdict: four for four

[Screenshots: CredScore verdict panels for Drift wallets 1 through 4, each reading High Risk, score 38 out of 100, Escalate decision posture]
All four wallets Drift publicly named, run through CredScore independently. Every one returned the same verdict: High Risk, score 38, Escalate. None carried a sanctions label or entity attribution. The verdict is driven entirely by on-chain behavior.

The verdict was identical across all four addresses: High Risk, a score of 38 out of 100, and an Escalate decision posture, at 72 percent confidence. There was no manual review step and no list lookup that produced this. The engine reached it from the observable behavior of each wallet.

Wallet 1: the primary risk driver

[Screenshot: CredScore primary risk drivers for the first Drift wallet, headlined by Unexplained high-value accumulation]
The primary driver in every case was the same pattern, which CredScore labels Unexplained high-value accumulation: large value accumulated almost entirely through inbound transfers from many sources, held without spending, with no recognized exchange or known-good funding context.

The headline driver is a single behavioral pattern. A large balance with an unexplained origin is not treated as a trust signal: it is a common holding pattern for stolen or illicit proceeds, the briefing says so directly, and the engine recommends escalation until provenance is established.

Wallet 2: the written analyst briefing

[Screenshot: CredScore written analyst briefing for the second Drift wallet, explaining the escalation in plain language]
The briefing is generated deterministically from the signal set, not by a language model. It explains the escalation in plain language an analyst can act on and defend, and it cannot invent evidence that the analysis does not contain.

The briefing is the part a compliance analyst actually reads. It is assembled deterministically from the signal output, so every sentence is tied to a real value in the analysis. This matters for defensibility: a written justification that an auditor reviews months later has to match the numeric evidence exactly, not paraphrase it or embellish it.

Wallet 3: the transparent signal breakdown

[Screenshot: CredScore signal breakdown for the third Drift wallet, showing each signal's point contribution to the score]
The signal breakdown shows exactly how the score was built, point by point. Each contribution is labeled with its direction and rationale. There is no black box: an analyst or a regulator can audit the verdict signal by signal.

This is the part that separates a defensible engine from a guess. Every signal that moved the score is shown with its point value and a written reason. The score is a 0 to 100 trust score, so lower is riskier: the accumulation pattern and the rapid-inflow behavior pull it down, and a handful of coverage signals nudge it up. The arithmetic is visible, deterministic, and reproducible. Run the wallet again tomorrow and you get the same breakdown.

Wallet 4: no sanctions, no attribution, escalated anyway

[Screenshot: CredScore flags and behavior panel for the fourth Drift wallet, showing zero sanctions exposure and no entity attribution]
The fourth and largest wallet, holding over 56,000 ETH. Zero sanctions exposure, no entity attribution, no mixer interactions. A list-based screen finds nothing here. CredScore still escalates it, on the accumulation pattern and repeated same-size routing alone.

This is the whole point of the study in one screenshot. The fourth wallet carries no sanctions designation, no entity label, and no mixer exposure. Every signal a list-based tool relies on comes back empty. And CredScore still escalates it, because the behavior is what gives it away, not a database entry.
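The contrast the wallet sections describe (a list-only screen that clears an address, a behavioral screen that escalates the same address, and a briefing assembled only from numeric signals) is easy to reproduce in miniature. The script below is an added illustration written for this page; it is not CredScore's code, and none of its weights or thresholds come from the engine. The signal names follow the article, but the label sets, point values, thresholds, wallet addresses and transfers are all invented for the example. It screens two constructed wallets: one with the Drift shape (many inbound sources, nothing out, no known-good funding) and one cold wallet funded from a labeled exchange, which shares the inbound-only shape but not the missing origin.

```python
"""Deterministic behavioral screen next to a list-only screen.

Added illustration, not CredScore code. Signal names follow the article;
every weight, threshold, label set and transfer below is an assumption
invented for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    value_eth: float


# Hypothetical label sets. A list-based screen has nothing but these.
SANCTIONED = frozenset({"0xsanctioned0001"})
KNOWN_GOOD = frozenset({"0xexchange_hot_01", "0xexchange_hot_02"})

# Assumed scoring: a trust score starts at 100, each signal adds its points
# (negative for adverse signals), and anything below ESCALATE_BELOW escalates.
ESCALATE_BELOW = 40
REVIEW_BELOW = 70
LARGE_VALUE_ETH = 1_000.0  # assumed "large value" threshold
MANY_SOURCES = 10          # assumed "many sources" threshold


def list_screen(addr, transfers):
    """What a sanctions/attribution-only screen sees: labels, never behavior."""
    parties = ({addr}
               | {t.src for t in transfers if t.dst == addr}
               | {t.dst for t in transfers if t.src == addr})
    return "escalate" if parties & SANCTIONED else "clear"


def behavioral_signals(addr, transfers):
    """Return (balance, inbound sources, outbound count, [(signal, points, rationale)])."""
    inbound = [t for t in transfers if t.dst == addr]
    outbound = [t for t in transfers if t.src == addr]
    balance = sum(t.value_eth for t in inbound) - sum(t.value_eth for t in outbound)
    sources = {t.src for t in inbound}
    known_good = sources & KNOWN_GOOD
    signals = []
    if addr in SANCTIONED or sources & SANCTIONED:
        signals.append(("sanctions_exposure", -100,
                        "the address or an inbound source carries a sanctions label"))
    if known_good:
        signals.append(("known_good_funding", +5,
                        f"{len(known_good)} inbound source(s) carry a recognized exchange label"))
    else:
        signals.append(("no_known_good_funding", -12,
                        "no inbound source carries a recognized exchange or known-good label"))
    if inbound and not outbound:
        signals.append(("zero_outbound", -10,
                        f"{len(inbound)} inbound transfers and no outbound transfers"))
    if (balance >= LARGE_VALUE_ETH and len(sources) >= MANY_SOURCES
            and not outbound and not known_good):
        signals.append(("unexplained_high_value_accumulation", -45,
                        f"{balance:,.0f} ETH accumulated from {len(sources)} distinct "
                        "sources, held without spending, with no legible origin"))
    return balance, sources, len(outbound), signals


def score(addr, transfers):
    """Score, posture and a briefing built only from the signal tuples."""
    balance, sources, n_out, signals = behavioral_signals(addr, transfers)
    total = max(0, min(100, 100 + sum(p for _, p, _ in signals)))
    posture = ("escalate" if total < ESCALATE_BELOW
               else "review" if total < REVIEW_BELOW else "clear")
    # Every briefing line maps to one numeric contribution the analyst can see;
    # nothing in the text exists that is not in the signal list.
    lines = [f"{addr}: {posture.upper()} (score {total}/100); "
             f"{balance:,.0f} ETH from {len(sources)} sources, {n_out} outbound."]
    lines += [f"  {p:+d}  {name}: {why}" for name, p, why in signals]
    return {"score": total, "posture": posture, "signals": signals,
            "briefing": "\n".join(lines)}


# Constructed sample data, not real chain data. Wallet A has the shape the
# article describes; wallet B is a cold wallet funded from a labeled exchange.
WALLET_A = "0xwallet_a_drift_shaped"
WALLET_B = "0xwallet_b_exchange_funded"
SAMPLE = (
    [Transfer(f"0xsrc{i:04d}", WALLET_A, 2_000.0) for i in range(12)]
    + [Transfer("0xexchange_hot_01", WALLET_B, 2_500.0),
       Transfer("0xexchange_hot_01", WALLET_B, 2_500.0)]
)

if __name__ == "__main__":
    for w in (WALLET_A, WALLET_B):
        print(f"list screen: {list_screen(w, SAMPLE)}")
        print(score(w, SAMPLE)["briefing"], end="\n\n")
```

Run as written, the list screen returns clear for both wallets. The behavioral screen escalates wallet A (no known-good source, nothing out, 24,000 ETH from 12 sources) and clears wallet B, whose only inbound source carries an exchange label. Calling score twice on the same input yields an identical dictionary, which is the reproducibility property the signal breakdown section relies on; the design choice worth copying is that the briefing is rendered from the signal tuples rather than written separately, so the prose cannot drift from the arithmetic.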

Why this matters for compliance

Sanctions lists and attribution databases are lagging indicators. They get populated after investigators, victims, or governments do the work of proving a wallet is dirty, which can take days, weeks, or longer. In the gap between when stolen funds start moving and when an address finally lands on a list, a screening tool that only checks lists is blind. That gap is exactly where a compliance desk is most exposed.

Behavioral analysis closes that gap. The accumulation pattern that flagged all four Drift wallets was visible on-chain from the moment the funds arrived, long before any list could have caught up. CredScore reached the same escalation decision that the human investigation later justified, using only the behavior that was observable the entire time. For a compliance team, the value is simple: an address does not have to be on a list to be dangerous, and the engine will tell you to stop and look before the list catches up.

What this study does not claim

An honest case study has to draw its own boundaries, so here are three things this analysis is explicitly not.

This is retrospective, not a discovery. The four wallets were already public when CredScore analyzed them. Drift Protocol and the analytics firms traced and attributed the funds through their own incident response, weeks before this analysis. CredScore did not catch the hack first and did not identify the attackers. The claim is narrower and still meaningful: the engine independently reaches the Escalate verdict with none of the attribution that was later established.

CredScore did not analyze the Solana side. The exploit happened on Solana, but the stolen funds were bridged to Ethereum, and the four wallets Drift named are Ethereum addresses. CredScore analyzed the Ethereum side only. Solana coverage is on the roadmap.

The verdict is decision support, not a legal conclusion. Unexplained high-value accumulation is a review trigger, not proof of wrongdoing. The same shape can describe a legitimate cold wallet, a custodial treasury, or an exchange's cold storage, which is precisely why the engine says escalate and investigate, not guilty. In this case the wallets were independently confirmed to hold stolen funds, which is what makes them a useful ground-truth test.

What this case study proves

Four wallets, publicly confirmed to hold the proceeds of a major DPRK-linked exploit, none of them on any sanctions list, none of them carrying entity attribution. CredScore assigned all four its highest-risk Escalate verdict from observable behavior alone, with a written briefing and a signal-by-signal breakdown for each, produced in seconds, with no machine learning anywhere in the pipeline.

Enterprise blockchain analytics tools can reach comparable conclusions on these wallets, but behind a large annual contract and a multi-week procurement process. If you want a feature-by-feature comparison, see CredScore vs Chainalysis, CredScore vs TRM Labs, and CredScore vs Elliptic.

Run a wallet you already know

The best way to judge CredScore is not to read a case study. It is to paste in an address whose risk profile you already know and see whether the engine agrees with you. If you work in this field, you have a list of wallets where you know the right answer. Run a few and find out.

Open the desk

Paste any Ethereum wallet and see a full briefing in seconds: score, decision posture, signal breakdown, and entity context.


Frequently asked questions

How much was stolen in the Drift Protocol hack?

Approximately $286 million was drained from Drift Protocol, the largest perpetuals exchange on Solana, on April 1, 2026. It is the largest DeFi hack of 2026 to date.

Who was behind the Drift hack?

Elliptic, TRM Labs, and Chainalysis linked the exploit and its laundering pattern to North Korea (DPRK). The attackers posed as a quantitative trading firm for months before exploiting privileged access.

What are the Drift hack wallet addresses?

On April 3, 2026, Drift publicly named four Ethereum wallets holding the bridged proceeds: 0xAa843eD65C1f061F111B5289169731351c5e57C1, 0xD3FEEd5DA83D8e8c449d6CB96ff1eb06ED1cF6C7, 0xbDdAE987FEe930910fCC5aa403D5688fB440561B, and 0x0FE3b6908318B1F630daa5B31B49a15fC5F6B674.

Did CredScore identify the Drift hackers?

No. This is a retrospective analysis. Drift and the analytics firms attributed the funds first. The point is that CredScore independently escalated all four wallets on behavior alone, with no sanctions or attribution data.

Were the Drift wallets on a sanctions list?

No. They carried no sanctions designation and no entity attribution at analysis time. A list-based screen clears them. CredScore escalated them on behavior.

Does CredScore analyze Solana?

Not yet. The exploit was on Solana but the funds were bridged to Ethereum, and the named wallets are Ethereum addresses, which CredScore analyzed. Solana coverage is on the roadmap.

Is the CredScore engine using machine learning?

No. The engine is fully deterministic. Every score traces back to observable on-chain signals, so the same wallet produces the same auditable verdict every time.

Sources and further reading

  • Drift Protocol on-chain messages identifying the four ETH wallets (April 3, 2026)
  • Elliptic: Drift Protocol exploited for $286 million in suspected DPRK-linked attack
  • Chainalysis incident analysis: lessons from the Drift hack
  • TRM Labs: North Korean hackers attack Drift Protocol
  • DL News and CoinDesk reporting on the Drift exploit and attribution (April 2026)
  • CredScore engine documentation at /docs
Published 2026-05-22. Last updated 2026-05-22.
Analysis produced by CredScore. All screenshots are unedited output from a production analysis run. Wallet addresses referenced were publicly identified by Drift Protocol and are documented by multiple independent sources. This analysis is retrospective and is decision support, not a legal conclusion.