April 03, 2026 ChainGPT

Elliptic: North Korean Hackers Likely Behind $285M Drift Heist on Solana

Crypto forensics firm Elliptic says a state-linked North Korean hacker group is the likely culprit behind the massive exploit that drained roughly $285 million from Drift Protocol — a breach that could be the largest crypto heist so far this year.

What happened

- The attacker(s) emptied Drift, the largest decentralized perpetual futures exchange on Solana, in a heist Elliptic pegs at about $285 million (some outlets report $286 million). Drift’s token plunged more than 40% after the incident, trading near $0.06.
- Arkham blockchain analytics earlier tracked over $250 million leaving Drift into an interim wallet and then dispersing to other addresses.

Why Elliptic points to North Korea

- Elliptic says the exploit carries “multiple indicators” consistent with DPRK-linked operations: on-chain behavior, laundering methods, and network-level signals that mirror previous state-associated attacks.
- If attribution holds, Elliptic notes this would be the eighteenth DPRK-linked incident the firm has tracked this year, with more than $300 million stolen in those cases. U.S. agencies have tied similar thefts to funding for North Korea’s weapons programs.

The operational pattern

Elliptic’s report doesn’t dwell on the exploit mechanics so much as the attacker’s playbook — a familiar, highly organized pattern:

- The operation looks premeditated, with small test transactions and pre-positioned wallets used before the main theft.
- Once funds were moved, they were rapidly consolidated, swapped for other tokens, bridged across chains, and converted into more liquid assets — a repeatable laundering flow designed to obscure provenance while keeping the attackers in control.
- The activity demonstrates increasingly sophisticated, cross-chain laundering techniques rather than a single-chain cash-out.

Solana’s account model complicates tracing

- Elliptic highlights a technical challenge: Solana’s token-account model spreads each asset into separate token accounts. That fragmentation can make a single attacker’s activity appear as many unrelated addresses unless investigators cluster those accounts back to one entity.
- The firm argues that entity-level clustering — linking token accounts to the same actor — is critical, especially in incidents involving a dozen-plus asset types, to reveal the full scope of theft and movement.

Broader context and implications

- Chainalysis reported last December that DPRK actors stole a record $2 billion in crypto in 2025 (including a $1.4 billion breach at Bybit), a 51% increase year-over-year. The U.S. Treasury has warned that proceeds help finance North Korea’s weapons of mass destruction programs.
- Elliptic’s analysis reinforces the need for “holistic cross-chain tracing capabilities” as attackers increasingly span multiple blockchains and convert assets quickly to evade detection.

What to watch next

Attribution remains conditional: Elliptic describes the DPRK link as likely based on patterns and indicators rather than definitive proof. Investigations by on-chain analytics firms and law enforcement will continue to follow fund flows and attempt to recover assets.

For the wider crypto ecosystem, the incident is another stark reminder of how state-linked actors and sophisticated laundering techniques pose systemic risks — and why stronger cross-chain monitoring and cooperation between analytics firms and regulators will be essential.
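The entity-level clustering that Elliptic describes for Solana's token-account model, shown as an added example (this is not Elliptic's tooling or code from the article): every SPL token account is its own address, so a naive address count overstates the number of actors, while folding each token account back to its owner wallet reveals one entity receiving several assets. All token-account addresses, owners, mints and amounts below are constructed placeholders; in practice the account-to-owner map would come from the token account's on-chain data or an indexer.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TokenTransfer:
    """One SPL token transfer between two token accounts (constructed shape)."""
    source: str       # sending token account
    destination: str  # receiving token account
    mint: str         # the asset (token mint) being moved
    amount: float


@dataclass
class EntityCluster:
    """Everything attributed to one owning wallet after clustering."""
    token_accounts: set = field(default_factory=set)
    inflow: dict = field(default_factory=dict)   # mint -> total received
    outflow: dict = field(default_factory=dict)  # mint -> total sent


# Constructed token-account -> owner map. On Solana each token account records
# its owner wallet; an investigator pulls this from account data or an indexer.
# Every address here is a made-up placeholder, not a real key.
TOKEN_ACCOUNT_OWNER = {
    "tokacct_V1": "protocol_vault",
    "tokacct_V2": "protocol_vault",
    "tokacct_V3": "protocol_vault",
    "tokacct_A1": "wallet_A",
    "tokacct_A2": "wallet_A",
    "tokacct_A3": "wallet_A",
    "tokacct_B1": "wallet_B",
}

# Constructed transfers: three assets leave the vault into three different
# token accounts that all belong to wallet_A, then part is forwarded onward.
TRANSFERS = [
    TokenTransfer("tokacct_V1", "tokacct_A1", "USDC", 1000.0),
    TokenTransfer("tokacct_V2", "tokacct_A2", "WSOL", 50.0),
    TokenTransfer("tokacct_V3", "tokacct_A3", "JLP", 20.0),
    TokenTransfer("tokacct_A1", "tokacct_B1", "USDC", 400.0),
]


def distinct_addresses(transfers):
    """Naive view: every token account touched looks like a separate address."""
    seen = set()
    for t in transfers:
        seen.add(t.source)
        seen.add(t.destination)
    return seen


def resolve_owner(token_account, owner_of):
    """Map a token account to its owner; an unknown account stays its own pseudo-entity."""
    return owner_of.get(token_account, f"unclustered:{token_account}")


def cluster_by_owner(transfers, owner_of):
    """Entity-level clustering: fold token-account flows into per-owner totals per mint."""
    clusters = defaultdict(EntityCluster)
    for t in transfers:
        src_owner = resolve_owner(t.source, owner_of)
        dst_owner = resolve_owner(t.destination, owner_of)
        clusters[src_owner].token_accounts.add(t.source)
        clusters[dst_owner].token_accounts.add(t.destination)
        out = clusters[src_owner].outflow
        out[t.mint] = out.get(t.mint, 0.0) + t.amount
        inc = clusters[dst_owner].inflow
        inc[t.mint] = inc.get(t.mint, 0.0) + t.amount
    return dict(clusters)


def net_drained_from(clusters, entity):
    """Per-mint net outflow from one entity (what left minus what came back)."""
    c = clusters[entity]
    mints = set(c.outflow) | set(c.inflow)
    return {m: c.outflow.get(m, 0.0) - c.inflow.get(m, 0.0) for m in mints}


if __name__ == "__main__":
    print("token accounts seen:", len(distinct_addresses(TRANSFERS)))
    clusters = cluster_by_owner(TRANSFERS, TOKEN_ACCOUNT_OWNER)
    print("entities after clustering:", len(clusters))
    for name, c in clusters.items():
        print(name, sorted(c.token_accounts), "in:", c.inflow, "out:", c.outflow)
    print("net drained from vault:", net_drained_from(clusters, "protocol_vault"))
```

Run as-is, the naive view reports seven addresses while clustering reports three entities, and the per-mint totals for wallet_A show the whole multi-asset haul at once rather than three seemingly unrelated receipts. Token accounts whose owner is not in the map are kept as their own pseudo-entities instead of being silently dropped, so gaps in the owner index stay visible in the output.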