Elliptic flags $285 million Drift exploitation as a likely North Korea-linked operation

Elliptic said Thursday that the $285 million Drift Protocol exploit, the largest this year, bears “multiple indicators” of involvement by North Korea’s state-sponsored (DPRK) hacking groups.

The research firm specifically pointed to onchain behavior, money laundering methods and network-level signals that are all consistent with previous state-linked attacks.

Drift Protocol, whose token has fallen over 40% to around $0.06 since the hack, is the largest decentralized perpetual futures exchange on the Solana blockchain.

“If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far,” the report said.

“It is a continuation of the DPRK’s ongoing campaign of large-scale theft of cryptoassets, which the US government has linked to the funding of its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in theft of cryptoassets in recent years,” Elliptic added.

Hours earlier, Arkham data showed that over $250 million had been moved from Drift to a temporary wallet and then to various other addresses.

In December, a Chainalysis report revealed that DPRK hackers stole a record $2 billion of crypto in 2025, including the $1.4 billion Bybit breach, representing a 51% increase from the previous year. The U.S. Treasury Department said last month that North Korea is using the stolen assets to fund its weapons of mass destruction program.

Rather than focusing on the exploitation itself, Elliptic’s analysis highlights a well-known operational pattern. The activity appears “premeditated and carefully staged”, with early test transactions and pre-placed wallets ahead of the main event.

The report explains that once executed, the funds were quickly consolidated and exchanged, bridged across chains and converted into more liquid assets, reflecting a structured, repeatable money laundering flow designed to hide origins while maintaining control.

A key challenge, Elliptic notes, is Solana’s account model. Because each asset is held in a separate token account, activity associated with a single actor can appear fragmented across multiple addresses. Without connecting these, investigators risk seeing “fragments of the attacker’s activity, not the complete picture.”

This is where Elliptic’s report highlights the clustering approach, which links token accounts back to a single entity, making it possible to identify exposure regardless of the address being screened. In an incident involving more than a dozen asset types, this device-level view becomes critical.
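As an added illustration (not Elliptic’s tooling; the account names, balances and flagged list are constructed), the following Python shows why screening a single Solana token account can miss exposure, and how grouping SPL token accounts by their owner wallet restores the entity-level view the report describes:

```python
# Added illustration of owner-based clustering of Solana token accounts.
# All sample data below is constructed and describes no real incident.
from collections import defaultdict

# Constructed SPL token-account records: (token_account, owner_wallet, mint, balance).
# One owner wallet controls a separate token account for each asset it holds.
TOKEN_ACCOUNTS = [
    ("tokA1", "walletX", "USDC", 1_200_000.0),
    ("tokA2", "walletX", "SOL", 4_500.0),
    ("tokA3", "walletX", "wETH", 300.0),
    ("tokB1", "walletY", "USDC", 50.0),
]

# Constructed screening list: so far only one token account has been flagged.
FLAGGED = {"tokA3"}


def naive_screen(address, flagged):
    """Address-only check: sees one fragment of the activity, nothing more."""
    return address in flagged


def build_clusters(records):
    """Map every address (wallet or token account) to its controlling wallet.

    An SPL token account carries an owner field; every token account that
    shares an owner belongs to the same entity, so the owner is the cluster key.
    """
    cluster_of = {}
    for token_account, owner, _mint, _balance in records:
        cluster_of[token_account] = owner
        cluster_of[owner] = owner
    return cluster_of


def screen(address, records, flagged):
    """Entity-level check. Returns (is_flagged, exposure_by_mint).

    Any address in the cluster, wallet or token account, yields the same
    answer, so the result does not depend on which address is screened.
    """
    cluster_of = build_clusters(records)
    entity = cluster_of.get(address)
    if entity is None:
        return False, {}
    members = {addr for addr, ent in cluster_of.items() if ent == entity}
    exposure = defaultdict(float)
    for _token_account, owner, mint, balance in records:
        if owner == entity:
            exposure[mint] += balance
    return bool(members & flagged), dict(exposure)
```

Screening `tokA1` alone reports nothing, while the clustered check flags it and totals the entity’s holdings across all three mints.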

The case also underlines, Elliptic adds in its report, how money laundering has by its very nature become cross-chain. Funds were moved from Solana to Ethereum and beyond, demonstrating the need for what Elliptic described as “holistic cross-chain tracing capabilities.”
