What Points to North Korean Involvement?
Blockchain analytics firm Elliptic said the $285 million exploit of Solana-based Drift Protocol shows multiple indicators associated with North Korea’s state-sponsored hacking groups. The firm’s assessment is based on onchain behavior, laundering patterns, and network-level signals that align with previous incidents attributed to DPRK-linked actors.
The attack is the largest crypto exploit recorded this year. Drift Protocol, a decentralized perpetual futures exchange on Solana, has seen its token fall more than 40% following the incident, reflecting both immediate market impact and concerns over platform security.
“If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far,” the report said.
Elliptic added that the activity fits into a broader pattern of state-linked operations tied to crypto theft. “It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the U.S. government has linked to the funding of its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in cryptoasset theft in recent years,” the firm said.
How Were the Funds Moved and Laundered?
Data from Arkham shows that more than $250 million was transferred from Drift Protocol to an interim wallet before being distributed across multiple addresses. Elliptic’s analysis suggests the operation followed a structured laundering process designed to obscure the origin of funds while maintaining control.
The activity appears premeditated, with early test transactions and pre-positioned wallets observed prior to the exploit. Once executed, funds were rapidly consolidated, swapped into different assets, and bridged across multiple blockchains.
This sequence mirrors established laundering workflows seen in previous high-profile attacks, where speed, fragmentation, and cross-chain movement are used to complicate tracking efforts.
Why Does Solana’s Account Model Complicate Investigations?
Elliptic points to Solana’s account structure as a key factor in the difficulty of tracing activity. Unlike chains where all of a wallet’s assets are recorded under that single address, Solana stores each asset in a separate token account, creating a fragmented view of activity.
This fragmentation means that a single actor’s transactions can appear across multiple addresses, making it harder to identify coordinated behavior without advanced clustering techniques. Elliptic noted that without linking these accounts, investigators may only see isolated fragments rather than a complete operational picture.
The firm emphasized the importance of entity-level clustering, which connects related token accounts to a single actor. This approach allows exposure to be tracked across multiple assets and addresses, particularly in complex incidents involving numerous tokens.
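The fragmentation and entity-level clustering described above, as an added example that is not part of the article or of Elliptic’s tooling: it assumes a simplified SPL-token record (address, owner wallet, mint, balance) with constructed sample accounts and transfers, and it also collapses account-level transfers into owner-level flows, which goes beyond what the article shows.

```python
# Added example (not the article's or Elliptic's code): entity-level clustering over a
# simplified SPL-token layout where a token account = (address, owner wallet, mint, balance).
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class TokenAccount:
    address: str  # the token account's own address (what an address-level trace sees)
    owner: str    # wallet that controls it (the actor-level identifier)
    mint: str     # which asset it holds
    amount: float
# Constructed sample data, not real addresses: walletA holds three assets in three
# separate token accounts; walletB holds one. Transfers are (src, dst, mint, amount).
ACCOUNTS = [
    TokenAccount("tokAcct-1", "walletA", "USDC", 120_000.0),
    TokenAccount("tokAcct-2", "walletA", "SOL", 3_500.0),
    TokenAccount("tokAcct-3", "walletA", "JLP", 900.0),
    TokenAccount("tokAcct-4", "walletB", "USDC", 40.0),
]
TRANSFERS = [
    ("tokAcct-1", "tokAcct-4", "USDC", 25.0),  # walletA -> walletB
    ("tokAcct-4", "tokAcct-1", "USDC", 5.0),   # walletB -> walletA
    ("tokAcct-1", "tokAcct-5", "USDC", 10.0),  # walletA -> account with unknown owner
]

def address_view(accounts, flagged):
    """Address-level view: each flagged token account is an isolated fragment."""
    return {a.address: {a.mint: a.amount} for a in accounts if a.address in flagged}

def entity_exposure(accounts, flagged):
    """Link flagged accounts to their owner; total holdings per asset across all its accounts."""
    owner_of = {a.address: a.owner for a in accounts}
    result = {}
    for owner in {owner_of[x] for x in flagged if x in owner_of}:
        mine = [a for a in accounts if a.owner == owner]
        per_mint = defaultdict(float)
        for a in mine:
            per_mint[a.mint] += a.amount
        result[owner] = {"accounts": sorted(a.address for a in mine), "exposure": dict(per_mint)}
    return result

def entity_flows(accounts, transfers):
    """Collapse account-to-account transfers into owner-to-owner flows (internal moves dropped)."""
    owner_of = {a.address: a.owner for a in accounts}
    flows = defaultdict(float)
    for src, dst, mint, amount in transfers:
        # An account with no known owner stands for itself until it is clustered.
        s, d = owner_of.get(src, src), owner_of.get(dst, dst)
        if s != d:
            flows[(s, d, mint)] += amount
    return dict(flows)
```

Flagging a single token account at the address level shows one asset; the same flag at the entity level surfaces every asset the controlling wallet holds.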
What Does This Say About Cross-Chain Risk?
The exploit also highlights the increasing role of cross-chain activity in laundering operations. Funds were moved from Solana to Ethereum and other networks, reinforcing the need for tracing tools that operate across multiple blockchains rather than within isolated ecosystems.
Elliptic described this requirement as the need for “holistic cross-chain tracing capabilities,” reflecting how attackers now rely on interoperability to distribute and obscure funds.
Separate research from Chainalysis showed that DPRK-linked actors stole $2 billion in crypto in 2025, including a $1.4 billion breach tied to Bybit. The U.S. Treasury Department has stated that such activity is linked to funding North Korea’s weapons programs.
