Elliptic said Thursday that the $285 million Drift Protocol exploit, the largest this year, has “multiple indicators” of the involvement of a state-sponsored hacking group from North Korea (the DPRK).
The research firm specifically highlighted on-chain behavior, laundering methodologies, and network-level signals, all of which correspond to previous state-linked attacks.
Drift Protocol, whose token has fallen more than 40% to around $0.06 since the hack, is the largest decentralized perpetual futures exchange on the Solana blockchain.
“If confirmed, this incident would represent the eighteenth act that Elliptic has tracked this year in the DPRK, with more than $300 million stolen so far,” the report said.
“This is a continuation of the DPRK’s sustained campaign of large-scale crypto-asset theft, which the US government has linked to funding its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in crypto-asset theft over the past several years,” Elliptic added.
Hours earlier, Arkham data showed that over $250 million had been transferred from Drift to a temporary wallet and then to various other addresses.
In December, a report from Chainalysis revealed that DPRK hackers stole a record $2 billion worth of crypto in 2025, including the $1.4 billion Bybit breach, representing a 51% increase from the previous year. The US Treasury Department said last month that North Korea was using the stolen assets to finance its weapons of mass destruction program.
Rather than focusing on the exploit itself, Elliptic’s analysis highlights a familiar operating pattern. The activity appears “premeditated and carefully organized,” with early test trades and pre-positioned wallets preceding the main event.
The report explains that once executed, funds were quickly consolidated and exchanged, moved between chains and converted into more liquid assets, reflecting a structured and repeatable laundering flow designed to mask origin while maintaining control.
A central challenge, Elliptic notes, is Solana’s account model. Because each asset is held in a separate token account, activity related to a single actor may appear fragmented across multiple addresses. Without connecting these elements, investigators risk seeing “fragments of the attacker’s activity, not the full picture.”
This is where Elliptic’s report highlights the clustering approach, which links token accounts to a single entity, allowing exposure to be identified regardless of which address the filter starts from. In an incident involving more than a dozen asset types, this entity-level view becomes essential.
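To make the account-model point concrete, here is an added example (not Elliptic's code or tooling) built on constructed, placeholder token accounts and transfers: filtering on one token account shows only a fragment, while clustering token accounts by owner wallet gives the entity-level net flow across mints and flags counterparties that still lack attribution.

```python
from collections import defaultdict

# Constructed sample data; placeholder addresses, not real Solana accounts.
# token account -> (owner wallet, mint). On Solana each asset sits in its own
# token account, so one actor controls several addresses at once.
TOKEN_ACCOUNTS = {
    "tok_A_usdc": ("wallet_attacker", "USDC"),
    "tok_A_sol": ("wallet_attacker", "SOL"),
    "tok_A_jlp": ("wallet_attacker", "JLP"),
    "tok_V_usdc": ("wallet_protocol", "USDC"),
    "tok_V_sol": ("wallet_protocol", "SOL"),
    "tok_V_jlp": ("wallet_protocol", "JLP"),
    "tok_B_usdc": ("wallet_bridge", "USDC"),
}

# Constructed transfers between token accounts: (source, destination, mint, amount).
TRANSFERS = [
    ("tok_V_usdc", "tok_A_usdc", "USDC", 150_000_000),
    ("tok_V_sol", "tok_A_sol", "SOL", 400_000),
    ("tok_V_jlp", "tok_A_jlp", "JLP", 2_000_000),
    ("tok_A_usdc", "tok_B_usdc", "USDC", 90_000_000),  # consolidation leg
    ("tok_A_sol", "tok_unknown", "SOL", 100_000),  # counterparty owner not yet known
]

def cluster_by_owner(token_accounts):
    """Group token accounts under their owning wallet: the entity-level view."""
    clusters = defaultdict(set)
    for account, (owner, _mint) in token_accounts.items():
        clusters[owner].add(account)
    return dict(clusters)

def address_view(transfers, address):
    """Net flow per mint when filtering on a single token account (a fragment)."""
    net = defaultdict(int)
    for src, dst, mint, amount in transfers:
        if dst == address:
            net[mint] += amount
        if src == address:
            net[mint] -= amount
    return dict(net)

def entity_view(transfers, token_accounts, owner):
    """Net flow per mint across every token account the owner controls, plus the
    counterparty accounts whose owner is unresolved and still need attribution."""
    accounts = cluster_by_owner(token_accounts).get(owner, set())
    net, unresolved = defaultdict(int), []
    for src, dst, mint, amount in transfers:
        if dst in accounts:
            net[mint] += amount
        if src in accounts:
            net[mint] -= amount
        involved = src in accounts or dst in accounts
        for party in (src, dst):
            if involved and party not in token_accounts and party not in unresolved:
                unresolved.append(party)
    return dict(net), unresolved
```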
The case also highlights, Elliptic adds in its report, how money laundering has become inherently cross-chain. Funds moved from Solana to Ethereum and beyond, demonstrating the need for what Elliptic described as “holistic cross-chain tracing capabilities.”