Drift Protocol Hack: Elliptic Links $285M Exploit to North Korea
Blockchain analytics firm Elliptic has identified multiple indicators suggesting the $285 million exploit of Solana-based Drift Protocol is the work of state-sponsored hackers from North Korea (the DPRK). The analysis highlights a pattern of behavior consistent with previous attacks attributed to the group.
Analysis Reveals Familiar DPRK Tactics
Elliptic’s investigation focuses on the operational patterns observed following the exploit, rather than the technical details of the hack itself. The activity appears to be “premeditated and carefully staged,” with test transactions and pre-positioned wallets used before the main event. This mirrors tactics seen in prior DPRK-linked crypto thefts.
Cross-Chain Laundering and Solana Challenges
Once the exploit was executed, funds were rapidly consolidated, swapped, and bridged across multiple blockchains, including Ethereum. This structured laundering flow is designed to obscure the origin of the stolen funds while maintaining control. Elliptic notes that Solana’s fragmented account model presents unique tracing challenges.
Because each asset is held in a separate token account on Solana, activity from a single actor can appear scattered across numerous addresses. Effective investigation requires linking these accounts to identify the complete picture of the attacker’s activity.
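The account-linking step described above, as an added illustration that is not Elliptic's tooling or code: it clusters constructed SPL token accounts under their owner wallet and collapses account-level transfers into owner-level flows, so activity scattered across many token accounts resolves to a handful of actors. Every address, mint and amount here is constructed; the `unknown:` label is an assumption for token accounts that have not been indexed yet.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the article). On Solana each SPL token
# account holds one mint and records the wallet that owns it.
TOKEN_ACCOUNTS = {
    "tokA1": {"mint": "USDC", "owner": "walletX"},
    "tokA2": {"mint": "WSOL", "owner": "walletX"},
    "tokB1": {"mint": "USDC", "owner": "walletY"},
    "tokB2": {"mint": "WSOL", "owner": "walletY"},
    "tokC1": {"mint": "USDC", "owner": "walletZ"},
}

# Constructed account-level transfers: (source, destination, mint, amount).
# The last one lands in a token account that was never indexed.
TRANSFERS = [
    ("tokA1", "tokB1", "USDC", 1_000_000),
    ("tokA2", "tokB2", "WSOL", 5_000),
    ("tokB1", "tokC1", "USDC", 990_000),
    ("tokC1", "tokUNK", "USDC", 980_000),
]

def owner_of(addr, accounts):
    """Resolve a token account to its owner; unindexed accounts stay distinct."""
    meta = accounts.get(addr)
    return meta["owner"] if meta else f"unknown:{addr}"

def cluster_by_owner(accounts):
    """Group token-account addresses under the wallet that owns them."""
    clusters = defaultdict(set)
    for addr, meta in accounts.items():
        clusters[meta["owner"]].add(addr)
    return dict(clusters)

def owner_level_flows(transfers, accounts):
    """Collapse account-level transfers into (src_owner, dst_owner, mint) sums."""
    flows = defaultdict(int)
    for src, dst, mint, amount in transfers:
        flows[(owner_of(src, accounts), owner_of(dst, accounts), mint)] += amount
    return dict(flows)

def downstream_owners(seed, flows):
    """Every owner reachable from `seed` through the owner-level flow graph."""
    edges = defaultdict(set)
    for src, dst, _mint in flows:
        edges[src].add(dst)
    seen, queue = set(), deque([seed])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen
```

Accounts that resolve to an `unknown:` owner are the ones an investigator still needs to attribute; everything else already collapses into a per-wallet view of the flow.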
Escalating Crypto Theft by DPRK
If confirmed, this incident would be the eighteenth DPRK-linked crypto hack tracked by Elliptic this year, totaling over $300 million stolen. This continues a sustained campaign of large-scale cryptoasset theft, which the U.S. government has linked to funding North Korea’s weapons programs.
DPRK-linked actors are believed to be responsible for billions of dollars in cryptoasset theft in recent years. In 2025 alone, a record $2 billion in crypto was stolen, including a $1.4 billion breach at Bybit, representing a 51% increase from the previous year.
The Need for Advanced Tracing Tools
Elliptic emphasizes the importance of entity-level clustering and holistic cross-chain tracing tools to combat these increasingly sophisticated attacks. The firm’s report highlights how laundering has become inherently cross-chain, requiring capabilities to track funds as they move between different blockchains.
“It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft,” Elliptic stated in its report. Drift Protocol’s token has dropped over 40% to roughly $0.06 since the hack.