Elliptic said Thursday the $285 million Drift Protocol exploit, the biggest this year, carries “a number of indicators” of involvement by North Korea’s state-sponsored DPRK hacker group.
The analysis firm pointed specifically to onchain behavior, laundering methodologies and network-level indicators, all of which align with earlier state-linked attacks.
Drift Protocol, whose token has dropped over 40% to roughly $0.06 since the hack, is the largest decentralized perpetual futures exchange on the Solana blockchain.
“If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far,” the report said.
“It’s a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the U.S. government has linked to the funding of its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in cryptoasset theft in recent years,” Elliptic added.
Hours earlier, Arkham data showed that over $250 million had been moved from Drift to an interim wallet, then to numerous other addresses.
In December, a Chainalysis report revealed DPRK hackers stole a record $2 billion of crypto in 2025, including the $1.4 billion Bybit breach, representing a 51% increase from the previous year. The U.S. Treasury Department last month said North Korea uses the stolen assets to fund the country’s weapons of mass destruction program.
Rather than focusing on the exploit itself, Elliptic’s analysis highlights a familiar operational pattern. The activity appears “premeditated and carefully staged,” with early test transactions and pre-positioned wallets preceding the main event.
The report explains that once executed, funds were quickly consolidated and swapped, bridged across chains, and converted into more liquid assets, reflecting a structured, repeatable laundering flow designed to obscure origin while maintaining control.
A central challenge, Elliptic notes, is Solana’s account model. Because each asset is held in a separate token account, activity tied to a single actor can appear fragmented across multiple addresses. Without linking these, investigators risk seeing “fragments of the attacker’s activity, not the whole picture.”
This is where Elliptic’s report highlights the clustering approach, which connects token accounts back to a single entity, allowing exposure to be identified regardless of which address is screened. In an incident involving more than a dozen asset types, that entity-level view becomes critical.
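To make the clustering point concrete, here is an added illustration (not Elliptic’s code or data) of why entity-level screening matters on Solana: token accounts are grouped by their owner wallet, so screening any one token account or the wallet itself surfaces the same aggregate exposure and the same flag. The token account records, mint names and flagged address are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample records: (token_account, owner_wallet, mint, balance).
# On Solana each SPL asset sits in its own token account; the owner field is
# what ties these fragments back to a single wallet.
SAMPLE_TOKEN_ACCOUNTS: List[Tuple[str, str, str, float]] = [
    ("TokAcc1", "WalletA", "USDC", 1_000_000.0),
    ("TokAcc2", "WalletA", "SOL", 5_000.0),
    ("TokAcc3", "WalletB", "USDC", 250_000.0),
    ("TokAcc4", "WalletB", "JLP", 40_000.0),
    ("TokAcc5", "WalletC", "USDC", 10.0),
]
# Constructed: an address an investigator has already tagged from the incident.
SAMPLE_FLAGGED: Set[str] = {"TokAcc1"}


def build_clusters(accounts):
    """Map every address (wallet or token account) to its entity, the owner wallet."""
    entity_of: Dict[str, str] = {}
    members: Dict[str, List[Tuple[str, str, float]]] = defaultdict(list)
    for token_account, owner, mint, balance in accounts:
        entity_of[token_account] = owner
        entity_of[owner] = owner  # a wallet is its own entity
        members[owner].append((token_account, mint, balance))
    return entity_of, members


def screen(address, accounts=SAMPLE_TOKEN_ACCOUNTS, flagged=SAMPLE_FLAGGED):
    """Screen one address and report entity-level exposure.

    The address may be the wallet or any of its token accounts; the result is
    identical either way, which is what clustering buys an investigator.
    """
    entity_of, members = build_clusters(accounts)
    if address not in entity_of:
        return {"entity": None, "flagged": False, "accounts": [], "exposure": {}}
    entity = entity_of[address]
    cluster = members[entity]
    exposure: Dict[str, float] = defaultdict(float)
    for _, mint, balance in cluster:
        exposure[mint] += balance  # per-asset balance summed across the entity
    # The entity is flagged if the wallet or any one of its token accounts is.
    is_flagged = entity in flagged or any(acc in flagged for acc, _, _ in cluster)
    return {
        "entity": entity,
        "flagged": is_flagged,
        "accounts": [acc for acc, _, _ in cluster],
        "exposure": dict(exposure),
    }
```

Screening `TokAcc2` alone would show only a SOL balance and no flag; through its owner it inherits the flag placed on `TokAcc1`.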
The case also emphasizes, Elliptic adds in its report, how laundering has become inherently cross-chain. Funds moved from Solana to Ethereum and beyond, demonstrating the need for what Elliptic described as “holistic cross-chain tracing capabilities.”