Elliptic Links $285M Drift Protocol Hack to North Korean Hackers

Blockchain analytics firm Elliptic has flagged the $285 million Drift Protocol exploit — the largest crypto hack of the year — as bearing strong hallmarks of North Korea's state-sponsored Lazarus Group. The firm cited onchain behavior, laundering patterns, and network-level signals consistent with previous DPRK-linked attacks.

Drift Protocol, the leading decentralized perpetual futures exchange on Solana, saw its token plummet more than 40% to around $0.06 following the breach. Onchain data from Arkham confirmed that over $250 million was funneled from Drift into an interim wallet before being dispersed across multiple addresses.

Elliptic's report warns that if attribution is confirmed, this would mark the eighteenth DPRK-linked crypto theft tracked this year, with cumulative losses surpassing $300 million. The firm tied these attacks to North Korea's broader weapons financing strategy — a conclusion the U.S. Treasury Department echoed last month, stating that stolen crypto assets directly fund Pyongyang's weapons of mass destruction program.

The attack followed a calculated, multi-stage playbook. Investigators noted early test transactions and pre-positioned wallets, suggesting meticulous planning before execution. Once funds were accessed, they were quickly consolidated, swapped, bridged across multiple blockchains, and converted into highly liquid assets — a structured laundering flow engineered to obscure origins while preserving control.

One key technical hurdle is Solana's account model, where each asset occupies a separate token account. This fragmentation can make a single attacker's activity appear spread across dozens of unrelated addresses. Elliptic's clustering methodology counters this by linking token accounts to a single entity, enabling investigators to map the full scope of exposure rather than isolated fragments.
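The simplest form of that linking, as an added example (not Elliptic's methodology and not code from the article): every SPL Token account stores its owning wallet at a fixed offset, so token accounts can be grouped by that field. The account labels, wallet bytes, mint bytes and amounts below are constructed sample data.

```python
import struct
from collections import defaultdict

ACCOUNT_LEN = 165  # data size of a classic SPL Token account
STATE_OFFSET = 108  # mint(32) + owner(32) + amount(8) + delegate COption(36)


def parse_token_account(data: bytes) -> dict:
    """Decode the fixed-offset fields needed for owner-based linking."""
    # Token-2022 accounts with extensions are longer; they are out of scope here.
    if len(data) != ACCOUNT_LEN:
        raise ValueError(f"expected {ACCOUNT_LEN} bytes, got {len(data)}")
    (amount,) = struct.unpack_from("<Q", data, 64)  # u64, little-endian
    return {
        "mint": data[0:32].hex(),
        "owner": data[32:64].hex(),
        "amount": amount,
        "state": data[STATE_OFFSET],  # 0 uninitialized, 1 initialized, 2 frozen
    }


def cluster_by_owner(accounts: dict) -> dict:
    """Map owner wallet -> [(token_account, mint, amount), ...]."""
    clusters = defaultdict(list)
    for address, data in accounts.items():
        try:
            acct = parse_token_account(data)
        except ValueError:
            continue  # not a plain token account, e.g. an 82-byte mint
        if acct["state"] == 0:
            continue  # uninitialized: the owner field is meaningless
        clusters[acct["owner"]].append((address, acct["mint"], acct["amount"]))
    return dict(clusters)


def make_sample(mint: bytes, owner: bytes, amount: int) -> bytes:
    """Build constructed account data: initialized, no delegate, not native."""
    return mint + owner + struct.pack("<Q", amount) + bytes(36) + b"\x01" + bytes(56)


# Constructed sample data: two wallets, two mints, plus one mint-sized record.
WALLET_A, WALLET_B = b"\xaa" * 32, b"\xbb" * 32
MINT_X, MINT_Y = b"\x01" * 32, b"\x02" * 32
SAMPLE_ACCOUNTS = {
    "token_acct_1": make_sample(MINT_X, WALLET_A, 100),
    "token_acct_2": make_sample(MINT_Y, WALLET_A, 250),
    "token_acct_3": make_sample(MINT_X, WALLET_B, 7),
    "mint_x_record": bytes(82),
}

if __name__ == "__main__":
    for owner, held in cluster_by_owner(SAMPLE_ACCOUNTS).items():
        print(owner[:8], [(addr, amt) for addr, _, amt in held])
```

Grouping by the owner field links only token accounts under one wallet; tying several wallets to one entity needs further signals that this example does not cover.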

The incident also underscores the growing complexity of cross-chain laundering, with funds moving from Solana to Ethereum and beyond — reinforcing the urgent need for comprehensive, multi-chain tracing capabilities in crypto investigations.

This follows a Chainalysis report revealing that DPRK hackers stole a record $2 billion in crypto throughout 2025, a 51% year-over-year surge that included the $1.4 billion Bybit breach.

<Copyright ⓒ TokenPost, unauthorized reproduction and redistribution prohibited>
