Elliptic flags $285 million Drift exploit as a likely North Korea-linked operation

Elliptic said on Thursday that the $285 million Drift Protocol exploit was the largest this year and that there were “multiple indications” that North Korean state-backed hacking groups were involved.

The research firm singled out on-chain behavior, money laundering methods and network-level signals, all of which are consistent with previous state-related attacks.

The token of Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, has fallen more than 40% to approximately $0.06 since the hack.

“If confirmed, this incident would be the 18th North Korean act tracked by Elliptic this year, with more than $300 million stolen to date,” the report said.

“This is a continuation of North Korea’s ongoing massive crypto-asset theft campaign, which the U.S. government has linked to funding its weapons programs. Actors associated with North Korea are believed to be responsible for billions of dollars in crypto-asset theft in recent years,” Elliptic added.

A few hours ago, Arkham data showed that more than $250 million had been transferred from Drift to a temporary wallet and then to various other addresses.

In December, a report by Chainalysis revealed that North Korean hackers stole a record $2 billion in cryptocurrency in 2025, including the $1.4 billion Bybit data breach, a 51% increase from the previous year. The U.S. Treasury Department said last month that North Korea used stolen assets to fund the country’s weapons of mass destruction program.

Rather than focusing on the vulnerability itself, Elliptic’s analysis highlights a familiar pattern of operation. The event appeared to be “premeditated and orchestrated,” with early test transactions and pre-positioned wallets set up ahead of the main event.


The report explains that once executed, funds are quickly consolidated and exchanged, bridged across chains, and converted into more liquid assets, reflecting a structured, repeatable money laundering process designed to obscure the source while maintaining control.

Elliptic noted that a major challenge is Solana’s account model. Since each asset is held in a separate token account, activity related to a single participant may be spread across multiple addresses. Without linking these, investigators risk seeing “fragments of attacker activity rather than a complete picture.”

This is where Elliptic’s report highlights a clustering approach that connects token accounts back to a single entity to identify exposures regardless of which address is screened. In incidents involving more than a dozen asset types, entity-level views become critical.
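To make the account-model problem concrete, here is an added illustration (not code from Elliptic’s report) of the entity-level clustering described above. It assumes the investigator can read each SPL token account’s owner field, and all addresses, mints and amounts are constructed sample data, not values from the incident.

```python
from collections import defaultdict

# Constructed SPL token-account records: address of the token account, the
# wallet that owns it, the mint (asset) it holds and its balance. Each asset
# sits in its own token account, so one actor spans several addresses.
TOKEN_ACCOUNTS = [
    {"address": "ta_1", "owner": "wallet_A", "mint": "USDC", "amount": 120.0},
    {"address": "ta_2", "owner": "wallet_A", "mint": "SOL",  "amount": 3.5},
    {"address": "ta_3", "owner": "wallet_A", "mint": "JLP",  "amount": 900.0},
    {"address": "ta_4", "owner": "wallet_B", "mint": "USDC", "amount": 10.0},
]

# Constructed transfers, keyed by token account rather than owner. Screening
# any single token account therefore shows only a fragment of the activity.
TRANSFERS = [
    {"src": "ta_1", "dst": "ta_4", "mint": "USDC", "amount": 100.0},
    {"src": "ta_2", "dst": "ta_5", "mint": "SOL",  "amount": 3.0},  # ta_5: owner unknown
]

def cluster_by_owner(accounts):
    """Map each owner wallet to the set of token accounts it controls."""
    clusters = defaultdict(set)
    for acct in accounts:
        clusters[acct["owner"]].add(acct["address"])
    return clusters

def resolve_entity(address, accounts):
    """Resolve a wallet or token-account address to its owning entity.
    An address with no known owner resolves to itself so it still shows up."""
    owners = {acct["owner"] for acct in accounts}
    if address in owners:
        return address
    for acct in accounts:
        if acct["address"] == address:
            return acct["owner"]
    return address

def entity_exposure(address, accounts):
    """Per-mint balances of the whole entity behind a screened address."""
    entity = resolve_entity(address, accounts)
    exposure = defaultdict(float)
    for acct in accounts:
        if acct["owner"] == entity:
            exposure[acct["mint"]] += acct["amount"]
    return entity, dict(exposure)

def entity_flows(transfers, accounts):
    """Collapse token-account transfers into entity-to-entity flows per mint."""
    flows = defaultdict(float)
    for t in transfers:
        src, dst = resolve_entity(t["src"], accounts), resolve_entity(t["dst"], accounts)
        flows[(src, dst, t["mint"])] += t["amount"]
    return dict(flows)
```

Screening `ta_2` alone would surface only a 3.5 SOL balance; resolving it to `wallet_A` first returns the entity's holdings across all three mints and its outbound flows.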

The case also highlights how money laundering is inherently cross-chain, Elliptic added in its report. Funds are moving from Solana to Ethereum and beyond, demonstrating the need for what Elliptic describes as “holistic cross-chain tracking capabilities.”
