Blockchain analytics firm Elliptic has flagged the $285 million Drift Protocol exploit as bearing multiple hallmarks of a North Korean (DPRK) state-sponsored hacking group, according to a Thursday report. The incident represents the largest crypto hack of the year and signals an escalating campaign of large-scale digital asset theft linked to weapons program funding.
Elliptic’s analysis points to premeditated onchain behavior, structured cross-chain laundering flows, and network-level signals that align with previous state-linked attacks. The firm said the exploit demonstrates a carefully orchestrated operation with early test transactions and pre-positioned wallets preceding the main event.
If confirmed, this incident would represent the eighteenth DPRK-linked operation Elliptic has tracked this year, with over $300 million stolen to date. The U.S. government has previously linked North Korean crypto theft campaigns to funding the country’s weapons programs.
Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, saw its token price plummet more than 40% to roughly $0.06 following the hack. Hours before Elliptic’s announcement, Arkham data showed over $250 million had been moved from Drift to an interim wallet, then dispersed to various other addresses.
The alleged North Korean operation comes amid a broader surge in DPRK-linked cryptocurrency theft. In December, blockchain analytics firm Chainalysis revealed that North Korean hackers stole a record $2 billion in crypto during 2025, including the $1.4 billion Bybit breach, a 51% increase from the previous year.
According to Elliptic’s report, the attacker executed a structured laundering flow designed to obscure the origin of stolen funds while maintaining operational control. Once the main exploit occurred, funds were rapidly consolidated, swapped across tokens, bridged between blockchains, and converted into more liquid assets.
A central challenge highlighted by Elliptic is the nature of Solana’s account model. Because each asset is held in a separate token account, activity tied to a single actor can appear fragmented across multiple addresses. Without proper entity-level linking, investigators risk seeing only fragments of the attacker’s activity rather than the complete picture.
Elliptic emphasized that entity-level clustering—a technique that connects token accounts back to a single entity—becomes critical in incidents involving multiple asset types. This approach allows exposure to be identified regardless of which specific address is screened, providing investigators with a holistic view of the attack.
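The fragmentation problem and the entity-level fix described above, as an added example (not Elliptic's code or methodology): it assumes token accounts are linked to an entity through the owner recorded on each SPL token account, and every address, mint and amount below is a constructed placeholder.

```python
from collections import defaultdict

# Constructed sample data; every address, owner and amount is a placeholder.
TOKEN_ACCOUNTS = [
    {"address": "TokAcct_USDC_1", "owner": "Wallet_A", "mint": "USDC"},
    {"address": "TokAcct_SOL_1", "owner": "Wallet_A", "mint": "wSOL"},
    {"address": "TokAcct_JLP_1", "owner": "Wallet_A", "mint": "JLP"},
    {"address": "TokAcct_USDC_2", "owner": "Wallet_B", "mint": "USDC"},
]
# (source token account, destination token account, mint, amount)
TRANSFERS = [
    ("Vault_USDC", "TokAcct_USDC_1", "USDC", 1000),
    ("Vault_SOL", "TokAcct_SOL_1", "wSOL", 50),
    ("TokAcct_USDC_1", "TokAcct_USDC_2", "USDC", 400),
]
FLAGGED = {"TokAcct_USDC_1"}  # only one of Wallet_A's accounts is on the list

def build_clusters(token_accounts):
    """Map each token account, and the owner wallet itself, to its owner."""
    entity_of, members = {}, defaultdict(set)
    for acct in token_accounts:
        owner = acct["owner"]
        for addr in (acct["address"], owner):
            entity_of[addr] = owner
            members[owner].add(addr)
    return entity_of, members

def naive_screen(address, flagged):
    """Address-level check: sees only the exact account that was listed."""
    return address in flagged

def entity_screen(address, flagged, entity_of, members):
    """Entity-level check: any flagged account taints the whole cluster."""
    entity = entity_of.get(address, address)  # unknown address is its own entity
    linked = members.get(entity, {address})
    return {"entity": entity, "linked": sorted(linked),
            "flagged": bool(linked & flagged)}

def entity_inflows(entity, transfers, entity_of):
    """Sum per-mint inflows from outside the entity across all its accounts."""
    totals = defaultdict(int)
    for src, dst, mint, amount in transfers:
        if entity_of.get(dst, dst) == entity and entity_of.get(src, src) != entity:
            totals[mint] += amount
    return dict(totals)

ENTITY_OF, MEMBERS = build_clusters(TOKEN_ACCOUNTS)
```

Screening `TokAcct_SOL_1` with `naive_screen` misses the exposure, while `entity_screen` reports it because the sibling USDC account under the same owner is flagged.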
The Drift Protocol hack also underscores an evolving challenge in cryptocurrency security: increasingly sophisticated cross-chain laundering tactics. The stolen funds moved from Solana to Ethereum and beyond, demonstrating the need for holistic cross-chain tracing capabilities to track illicit flows across multiple blockchains.
The U.S. Treasury Department last month confirmed that North Korea uses stolen cryptocurrency assets to fund its weapons of mass destruction programs, reinforcing the national security implications of these attacks. The statement followed the December Chainalysis report detailing record theft levels in 2025.
Elliptic’s findings suggest that DPRK-linked actors are employing increasingly sophisticated operational security measures, including premeditated staging and cross-chain evasion tactics. The pattern reflects what the firm describes as a sustained campaign of large-scale cryptocurrency theft by North Korean state-sponsored actors.
The Drift Protocol exploit represents a continued escalation in the scale and sophistication of state-sponsored cryptocurrency attacks. As hacking groups develop more advanced laundering methodologies and exploit blockchain fragmentation challenges, security firms and exchanges face mounting pressure to implement more robust entity-level tracking and cross-chain monitoring capabilities.