Elliptic flags $285 million Drift exploit as a likely North Korea-linked operation

Elliptic said Thursday the $285 million Drift Protocol exploit, the largest this year, carries “multiple indicators” of North Korea’s state-sponsored DPRK hacker group involvement.

The research firm pointed specifically to onchain behavior, laundering methodologies and network-level signals, all of which align with previous state-linked attacks.

Drift Protocol, whose token has dropped over 40% to roughly $0.06 since the hack, is the largest decentralized perpetual futures exchange on the Solana blockchain.

“If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far,” the report said.

“It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the U.S. government has linked to the funding of its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in cryptoasset theft in recent years,” Elliptic added.

Hours earlier, Arkham data showed that over $250 million had been moved from Drift to an interim wallet, then to various other addresses.

In December, a Chainalysis report revealed DPRK hackers stole a record $2 billion of crypto in 2025, including the $1.4 billion Bybit breach, representing a 51% increase from the previous year. The U.S. Treasury Department last month said North Korea uses the stolen assets to fund the country’s weapons of mass destruction program.

Rather than focusing on the exploit itself, Elliptic’s analysis highlights a familiar operational pattern. The activity appears “premeditated and carefully staged,” with early test transactions and pre-positioned wallets preceding the main event.

The report explains that once executed, funds were rapidly consolidated and swapped, bridged across chains, and converted into more liquid assets, reflecting a structured, repeatable laundering flow designed to obscure origin while maintaining control.

A central challenge, Elliptic notes, is Solana’s account model. Because each asset is held in a separate token account, activity tied to a single actor can appear fragmented across multiple addresses. Without linking these, investigators risk seeing “fragments of the attacker’s activity, not the complete picture.”

This is where Elliptic’s report highlights the clustering approach, which connects token accounts back to a single entity, allowing exposure to be identified regardless of which address is screened. In an incident involving more than a dozen asset types, that entity-level view becomes critical.

The case also emphasizes, Elliptic adds in its report, how laundering has become inherently cross-chain. Funds moved from Solana to Ethereum and beyond, demonstrating the need for what Elliptic described as “holistic cross-chain tracing capabilities.”