North Korean hackers likely behind $286 million Drift Protocol exploit: Elliptic
The blockchain analytics firm pointed to cross-chain laundering patterns and Solana-specific tracing challenges that mirror prior North Korean state-linked operations
What to know:
- Blockchain analytics firm Elliptic says the $285 million exploit of Solana-based Drift Protocol shows multiple hallmarks of North Korean (DPRK) state-sponsored hackers.
- Elliptic’s analysis points to premeditated, carefully staged on-chain behavior and a structured, cross-chain laundering flow that mirrors past DPRK-linked crypto thefts.
- The case underscores how Solana’s fragmented account model and the increasingly cross-chain nature of laundering tactics complicate investigations, making entity-level clustering and holistic tracing tools essential.
Drift Protocol, whose token has dropped over 40% to roughly $0.06 since the hack, is the largest decentralized perpetual futures exchange on the Solana blockchain.
“If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far,” the report said.
“It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the U.S. government has linked to the funding of its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in cryptoasset theft in recent years,” Elliptic added.
Hours earlier, Arkham data showed that over $250 million had been moved from Drift to an interim wallet, then to various other addresses.
In December, a Chainalysis report revealed DPRK hackers stole a record $2 billion of crypto in 2025, including the $1.4 billion Bybit breach, representing a 51% increase from the previous year. The U.S. Treasury Department last month said North Korea uses the stolen assets to fund the country’s weapons of mass destruction program.
