North Korean hackers suspected of orchestrating $286 million Drift Protocol breach, according to Elliptic.

The blockchain analytics company highlighted cross-chain laundering trends and specific challenges in tracing on Solana that reflect previous operations linked to the North Korean state.

North Korea, Kim Jong Un (Shutterstock)

Key points:

  • The blockchain analytics firm Elliptic indicates that the $285 million breach of the Solana-based Drift Protocol exhibits several characteristics of North Korean (DPRK) state-sponsored hackers.
  • Elliptic’s findings suggest intentional, meticulously arranged on-chain activity and a structured, cross-chain laundering process that resembles previous DPRK-affiliated crypto thefts.
  • The case highlights how Solana’s decentralized account model and the growing use of cross-chain laundering complicate investigations, making entity-level clustering and comprehensive cross-chain tracing tools necessary.

Elliptic stated on Thursday that the $285 million exploit of Drift Protocol, the largest of the year, contains “multiple indicators” suggesting the involvement of North Korea’s state-sponsored hackers.

The research organization specifically referenced on-chain activity, laundering techniques, and network-level indicators, all of which correspond to earlier state-linked attacks.

Drift Protocol, which has seen its token decline by over 40% to around $0.06 since the incident, is recognized as the largest decentralized perpetual futures exchange operating on the Solana blockchain.

“If validated, this incident would mark the eighteenth DPRK operation that Elliptic has monitored this year, with over $300 million reported stolen thus far,” the report noted.

“This represents a continuation of the DPRK’s ongoing campaign of large-scale cryptocurrency theft, which the U.S. government has associated with financing its weapons programs. DPRK-related entities are believed to have been responsible for billions in cryptocurrency theft over recent years,” Elliptic explained.

Shortly before Elliptic’s report, Arkham data indicated that over $250 million had been transferred from Drift to a temporary wallet and then on to several other addresses.

In December, a Chainalysis report disclosed that DPRK hackers had stolen a record $2 billion in cryptocurrency in 2025, including the $1.4 billion Bybit breach, marking a 51% increase compared to the previous year. The U.S. Treasury Department revealed last month that North Korea utilizes the stolen funds to support the country’s weapons of mass destruction initiatives.

Instead of concentrating on the exploit itself, Elliptic’s analysis emphasizes a recognizable operational pattern. The activity appears “premeditated and meticulously organized,” with test transactions and pre-arranged wallets set up before the main event.

The report outlines that once the exploit was carried out, funds were swiftly consolidated and exchanged, moved across chains, and converted into more liquid assets, indicative of a structured, repeatable laundering process aimed at obscuring their origin while retaining control.

A significant difficulty, as noted by Elliptic, is Solana’s account structure. Since each asset is held in a separate token account, activity belonging to a single actor can appear dispersed across many addresses. Without establishing these connections, investigators risk seeing only “fragments of the attacker’s actions, not the full context.”

This is where Elliptic’s report emphasizes the clustering methodology, which links token accounts back to a single entity, enabling exposure to be identified regardless of which address is analyzed. In an incident involving over a dozen asset types, this entity-level perspective is crucial.
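To make the clustering point concrete, the following is an added illustration (not Elliptic’s tooling or methodology): token accounts are linked to their owner wallet, wallets are linked through a constructed funding-hop heuristic, and exposure to a flagged source is then queried from any address in the cluster. All addresses, mints and amounts are constructed.

```python
# Added illustration (constructed data): clustering Solana-style token accounts back to
# the entity that controls them, so exposure is visible whichever address an analyst starts from.
from collections import defaultdict

class EntityClusters:
    """Union-find over addresses; an edge means 'same controlling entity'."""
    def __init__(self):
        self.parent = {}
    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb
    def members(self, a):
        root = self.find(a)
        return {x for x in self.parent if self.find(x) == root}

def build_clusters(token_accounts, funding_hops):
    """token_accounts: (token_account, owner_wallet, mint) from account lookups;
    funding_hops: (funder, funded) for fresh wallets seeded from a single source."""
    c = EntityClusters()
    for acct, owner, _mint in token_accounts:
        c.union(acct, owner)        # each SPL token account belongs to exactly one owner wallet
    for funder, funded in funding_hops:
        c.union(funder, funded)     # analyst heuristic, applied to constructed data only
    return c

def exposure(transfers, flagged_source, addresses):
    """Value per mint that `addresses` received directly from the flagged source."""
    total = defaultdict(int)
    for src, dst, mint, amount in transfers:
        if src == flagged_source and dst in addresses:
            total[mint] += amount
    return dict(total)

# Constructed scenario: a vault is drained into two token accounts of wallet W1, which
# seeds fresh wallet W2; W2's USDC account then receives an internal hop from TA1.
TOKEN_ACCOUNTS = [("TA1", "W1", "USDC"), ("TA2", "W1", "WBTC"), ("TA3", "W2", "USDC")]
FUNDING_HOPS = [("W1", "W2")]
TRANSFERS = [("VAULT", "TA1", "USDC", 100_000), ("VAULT", "TA2", "WBTC", 40),
             ("TA1", "TA3", "USDC", 60_000)]

def compare(start):
    """Exposure seen from one address alone vs. from its whole cluster."""
    clusters = build_clusters(TOKEN_ACCOUNTS, FUNDING_HOPS)
    return exposure(TRANSFERS, "VAULT", {start}), exposure(TRANSFERS, "VAULT", clusters.members(start))
```

Starting from TA3 alone shows no direct exposure to the vault; the same query over its cluster shows both drained assets.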

The case further illustrates, as Elliptic adds in its report, how laundering has become cross-chain by default. Funds moved from Solana to Ethereum and beyond, showing the need for what Elliptic describes as “comprehensive cross-chain tracing capabilities.”