April 03, 2026 ChainGPT

Elliptic Links $285M Drift Heist to DPRK Hackers, Warns of Cross-Chain Laundering

Elliptic links massive Drift Protocol heist to North Korean state hackers, warns on cross-chain laundering

Blockchain analytics firm Elliptic says the roughly $285 million exploit of Drift Protocol — the largest crypto hack so far this year — bears “multiple indicators” of involvement by DPRK state-sponsored hackers. The firm points to on-chain behavior, laundering techniques and network-level signals that align with previous attacks attributed to North Korea.

Drift, the biggest decentralized perpetual futures exchange on Solana, has seen its token crash more than 40% to about $0.06 since the breach. Arkham Intelligence earlier showed over $250 million moved from Drift into an interim wallet and then dispersed across multiple addresses within hours of the theft.

According to Elliptic, if DPRK involvement is confirmed, this would be the 18th state-linked incident the firm has tracked this year, bringing the total stolen in those incidents to over $300 million. Elliptic frames the hack as a continuation of a sustained DPRK campaign of large-scale crypto theft — activity U.S. authorities say is used to help finance Pyongyang’s weapons programs. (A December Chainalysis report put DPRK-linked crypto theft at a record $2 billion in 2025, including the $1.4 billion Bybit breach.)

Rather than focusing solely on the exploit itself, Elliptic’s report highlights a recurrent, organized operational pattern. The attack appears “premeditated and carefully staged,” with early test transactions and pre-positioned wallets prior to the main transfer. Once executed, stolen funds were quickly consolidated, swapped for other tokens, bridged across chains and converted into more liquid assets — a structured laundering flow designed to obscure origins while keeping the assets under the attackers’ control.

Elliptic also calls out a specific investigative challenge posed by Solana’s account model: every asset lives in a separate token account, which can make a single actor’s activity seem fragmented across many addresses. Without clustering those token accounts back to an entity, investigators may only see scattered “fragments of the attacker’s activity, not the complete picture.” Elliptic argues that entity-level clustering is essential when an incident involves a dozen-plus asset types.

The case underscores how crypto laundering has become inherently cross-chain. Funds flowed from Solana to Ethereum and beyond, reinforcing Elliptic’s call for “holistic cross-chain tracing capabilities” to keep pace with increasingly sophisticated laundering playbooks.

What this means for the market: large, state-linked thefts continue to roil token prices and spotlight gaps in cross-chain tracing and custodial controls on fast blockchains like Solana. For exchanges and DeFi platforms, the Drift incident is a renewed reminder to harden contracts, improve monitoring, and collaborate with analytics firms to catch complex, multi-chain laundering earlier.
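An added illustration of the Solana token-account clustering described above (not code from Elliptic, Drift or this article): it reads the owner field from the fixed 165-byte SPL Token account layout, groups token accounts by that owner, and collapses account-level transfers into owner-level flows. All keys, balances and transfers are constructed sample data, and `key`, `acct`, `cluster_by_owner` and `entity_flows` are hypothetical names.

```python
import hashlib
import struct
from collections import defaultdict

TOKEN_ACCOUNT_LEN = 165  # classic SPL Token account size (Token-2022 extensions not handled)
def parse_token_account(data):
    """Return (mint, owner, amount) from raw SPL Token account data."""
    if len(data) != TOKEN_ACCOUNT_LEN or data[108] == 0:  # byte 108 = state, 0 = uninitialized
        raise ValueError("not an initialized SPL Token account")
    (amount,) = struct.unpack_from("<Q", data, 64)  # u64 little-endian balance
    return data[0:32], data[32:64], amount

def cluster_by_owner(accounts):
    """Return (owner -> {mint: balance}, token-account address -> owner)."""
    holdings, owner_of = defaultdict(lambda: defaultdict(int)), {}
    for address, data in accounts.items():
        try:
            mint, owner, amount = parse_token_account(data)
        except ValueError:
            continue  # system accounts, programs, etc.
        holdings[owner][mint] += amount
        owner_of[address] = owner
    return holdings, owner_of

def entity_flows(transfers, owner_of):
    """Collapse token-account transfers into owner-to-owner flows per mint."""
    flows = defaultdict(int)
    for src, dst, mint, amount in transfers:
        s, d = owner_of.get(src, src), owner_of.get(dst, dst)
        if s != d:  # moves between one owner's own accounts are not a flow
            flows[(s, d, mint)] += amount
    return dict(flows)

# --- constructed sample data; keys are hashes of labels, not real addresses ---
def key(label):
    return hashlib.sha256(label.encode()).digest()
def acct(mint, owner, amount):  # no delegate, state = initialized
    return key(mint) + key(owner) + struct.pack("<Q", amount) + bytes(36) + b"\x01" + bytes(56)

ACCOUNTS = {
    key("ta1"): acct("USDC", "walletA", 500),
    key("ta2"): acct("SOLx", "walletA", 20),
    key("ta3"): acct("USDC", "walletA", 250),  # second USDC account, same owner
    key("ta4"): acct("USDC", "walletB", 0),
    key("sys"): b"",  # not a token account
}
TRANSFERS = [(key("ta1"), key("ta3"), key("USDC"), 100),  # internal shuffle
             (key("ta1"), key("ta4"), key("USDC"), 300),
             (key("ta3"), key("ta4"), key("USDC"), 50)]
```

Viewed per token account, the sample shows three unrelated-looking transfers across four addresses; viewed per owner, it is a single flow between two entities.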