Elliptic says the $285 million Drift exploit may be a North Korea-linked operation

Elliptic said Thursday that the $285 million Drift Protocol exploit, the largest this year, carries “multiple indicators” of involvement by North Korean state-sponsored (DPRK) hacking groups.

The research firm pointed specifically to on-chain behavior, laundering methodology, and network-level signals, all of which are consistent with previous state-linked attacks.

Drift Protocol, whose token has fallen more than 40% to approximately $0.06 since the hack, is the largest decentralized perpetual futures exchange on the Solana blockchain.

“If confirmed, this incident would represent the 18th DPRK act that Elliptic has tracked this year, with more than $300 million stolen so far,” the report says.

“It is a continuation of the DPRK’s sustained campaign of large-scale crypto asset theft, which the US government has linked to funding its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in crypto asset theft in recent years,” Elliptic added.

Hours earlier, Arkham data showed that more than $250 million had moved from Drift to a temporary wallet and then to several other addresses.

In December, a Chainalysis report revealed that DPRK hackers stole a record $2 billion in cryptocurrency in 2025, including the $1.4 billion Bybit hack, a 51% increase from the previous year. Last month, the U.S. Treasury Department said North Korea uses stolen assets to fund the country’s weapons of mass destruction program.

Rather than focusing on the exploit itself, Elliptic’s analysis highlights a familiar operating pattern. The activity appears “premeditated and carefully organized,” with early test transactions and wallets pre-positioned before the main event.

The report explains that once the exploit was executed, the funds were quickly consolidated and swapped, bridged cross-chain and converted into more liquid assets, reflecting a structured and repeatable laundering flow designed to conceal their origin while keeping the attacker in control.

A central challenge, Elliptic notes, is Solana’s account model. Because each asset is held in a separate token account, activity linked to a single actor can appear fragmented across many separate accounts. Without linking them, researchers risk seeing “fragments of the attacker’s activity, not the full picture.”

This is where Elliptic’s report highlights its clustering approach, which links token accounts back to a single controlling entity, so that exposure can be identified regardless of which address is being analyzed. In an incident involving more than a dozen asset types, that entity-level view becomes critical.
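To make the fragmentation problem concrete, here is an added example (not Elliptic’s code or anything from the report) that contrasts the per-account view with an entity-level view. It assumes a simplified model in which each token-account record carries its address, controlling owner wallet and mint, and each transfer record carries its destination token account, mint and USD value; all addresses, mints and amounts are constructed placeholders.

```python
from collections import defaultdict

# Constructed token-account registry (placeholder addresses, not on-chain data).
# On Solana each asset sits in its own token account, and the account's owner
# field records which wallet controls it; that owner is the clustering key.
TOKEN_ACCOUNTS = [
    {"address": "tokacct-A1", "owner": "wallet-X", "mint": "USDC"},
    {"address": "tokacct-A2", "owner": "wallet-X", "mint": "wSOL"},
    {"address": "tokacct-A3", "owner": "wallet-X", "mint": "wBTC"},
    {"address": "tokacct-B1", "owner": "wallet-Y", "mint": "USDC"},
]

# Constructed transfer log: (destination token account, mint, USD value).
# The last entry lands in an account missing from the registry on purpose.
TRANSFERS = [
    ("tokacct-A1", "USDC", 120.0),
    ("tokacct-A2", "wSOL", 80.0),
    ("tokacct-A3", "wBTC", 50.0),
    ("tokacct-B1", "USDC", 10.0),
    ("tokacct-A1", "USDC", 30.0),
    ("tokacct-Z9", "USDC", 5.0),
]


def per_account_view(transfers):
    """Fragmented view: one total per token account, one asset each."""
    totals = defaultdict(float)
    for dst, _mint, usd in transfers:
        totals[dst] += usd
    return dict(totals)


def owner_index(token_accounts):
    """Map token account address -> controlling wallet."""
    return {t["address"]: t["owner"] for t in token_accounts}


def entity_view(transfers, token_accounts):
    """Clustered view: totals per owner wallet, broken down by mint.

    Accounts with no known owner are kept under an explicit 'unresolved'
    key rather than silently dropped, so gaps in coverage stay visible."""
    owners = owner_index(token_accounts)
    totals = defaultdict(lambda: defaultdict(float))
    for dst, mint, usd in transfers:
        entity = owners.get(dst, f"unresolved:{dst}")
        totals[entity][mint] += usd
    return {e: dict(m) for e, m in totals.items()}


def entity_exposure(entity, transfers, token_accounts):
    """Total USD received by one entity across every asset it holds."""
    return sum(entity_view(transfers, token_accounts).get(entity, {}).values())
```

The per-account view shows four unrelated balances; the entity view collapses three of them into one wallet holding three asset types, which is the picture the clustering step is meant to recover.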

The case also emphasizes, Elliptic adds in its report, how money laundering has become inherently cross-chain. Funds moved from Solana to Ethereum and beyond, demonstrating the need for what Elliptic described as “holistic cross-chain tracking capabilities.”
