North Korean Hackers Target Solana: Can SOL Hold Ground After Two Strikes in Eight Days?

Solana’s DeFi ecosystem is facing a security threat that, according to multiple reports, is linked to a nation-state rather than a software flaw. Over an eight-day span, North Korean operatives were allegedly involved in draining $285M from Drift Protocol and placing a suspected agent inside a separate Solana exchange as its chief technology officer. While SOL price data remains unclear amid the turmoil, the security narrative around SOL USD has intensified.

Stabble urges liquidity withdrawal after alleged North Korean link

Solana-based decentralized exchange Stabble urged users to withdraw liquidity on Tuesday after pseudonymous on-chain investigator ZachXBT identified the protocol’s former CTO, operating under the name Keisuke Watanabe, as an alleged North Korean hacker.

“Our latest update: We can confirm now until one year ago we had a NK developer in the team. He was backed by other north Korean that supported his work. We thank @derparsel and @zachxbt for their work. Historically we have done audits with Sec3 and neodyme – everything looked…”

In a separate update, Stabble said the protocol had been handed over to a new management team and that it is conducting security audits. No exploit was disclosed.

DeFiLlama data shows Stabble began the day with approximately $1.75M in total value locked (TVL). After the emergency alert, TVL fell 62% to under $663,000. The new team posted “EMERGENCY!” and told users to temporarily withdraw liquidity “instantly.”

Drift Protocol hack confirmed as DPRK operation

The Stabble incident follows the April 1 hack of Drift Protocol, in which $285M was allegedly stolen. TRM Labs, Elliptic, and Chainalysis confirmed the operation as DPRK-linked, describing it as the largest DeFi exploit of 2026.

The Drift attack was executed in approximately 10 seconds through social engineering, oracle manipulation, and pre-signed durable nonce transactions. Stolen funds were reportedly swapped into USDC and SOL, then bridged to Ethereum via CCTP—creating direct, measurable sell pressure on SOL at a time when broader crypto markets were already dealing with macro uncertainty.

Market question: whether Solana’s edge is being targeted

The sequence of events raises a structural concern for investors: whether Solana’s performance advantage is being systematically exploited. A key technical risk scenario would involve additional exploits and further fund-tracing actions by TRM Labs and Elliptic prompting exchange freezes.

In the base case, the expectation is containment. The Solana Foundation’s ecosystem security programs are described as already active, and Stabble’s transparency is presented as a factor that may limit contagion.

Price outlook signals and uncertainty

Precise 24-hour SOL price figures were not available at the time of writing. However, one market comment cited a “textbook bearish flag,” describing a consolidation-to-breakdown sequence and noting a potential move toward the $45 zone if the pattern repeats.

Tail-risk framing and potential impact on SOL

On the bull side, the case depends on a clean audit outcome for Stabble and the absence of additional DPRK-linked incidents. That condition is described as difficult to reconcile with prior reporting that North Korea stole $2Bn in crypto during 2025—about 60% of global crypto hacks that year.

Elliptic characterized the Drift attack as “a continuation of DPRK’s sustained campaign” to fund weapons programs. That state-adversary framing, rather than an opportunistic hacking pattern, is presented as a change in how investors may need to model tail risk for Solana-native positions.