DPRK Hackers Suspected in $285M Drift Protocol Exploit
Elliptic reports that the $285 million exploit on Solana-based Drift Protocol shows signs of North Korean state-sponsored hacking. The token dropped 40%, with funds laundered across chains. The incident fits a pattern of premeditated, cross-chain laundering typical of DPRK operations.
Quick Take
$285M stolen from Drift Protocol, token drops 40%.
Elliptic links laundering to North Korean DPRK hackers.
Funds moved cross-chain via Solana to Ethereum and beyond.
If confirmed, 18th DPRK hack this year, over $300M stolen.
Market Impact Analysis
BearishLarge exploit and token crash on a major Solana protocol, plus links to state-sponsored hacking, may cause fear and selling, bearish for Solana ecosystem.
Speculation Analysis
The research firm pointed specifically to onchain behavior, laundering methodologies and network-level signals, all of which align with previous state-linked attacks.
Drift Protocol, whose token has dropped over 40% to roughly $0.06 since the hack, is the largest decentralized perpetual futures exchange on the Solana blockchain.
“If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far,” the report said.
“It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the U.S. government has linked to the funding of its weapons programs. DPRK-linked actors are believed to be responsible for billions of dollars in cryptoasset theft in recent years,” Elliptic added.
Hours earlier, Arkham data showed that over $250 million had been moved from Drift to an interim wallet, then to various other addresses.
In December, a Chainalysis report revealed DPRK hackers stole a record $2 billion of crypto in 2025, including the $1.4 billion Bybit breach, representing a 51% increase from the previous year. The U.S. Treasury Department last month said North Korea uses the stolen assets to fund the country’s weapons of mass destruction program.
Rather than focusing on the exploit itself, Elliptic’s analysis highlights a familiar operational pattern. The activity appears “premeditated and carefully staged,” with early test transactions and pre-positioned wallets preceding the main event.
The report explains that once executed, funds were rapidly consolidated and swapped, bridged across chains, and converted into more liquid assets, reflecting a structured, repeatable laundering flow designed to obscure origin while maintaining control.
A central challenge, Elliptic notes, is Solana’s account model. Because each asset is held in a separate token account, activity tied to a single actor can appear fragmented across multiple addresses. Without linking these, investigators risk seeing “fragments of the attacker’s activity, not the complete picture.”
This is where Elliptic’s report highlights the clustering approach, which connects token accounts back to a single entity, allowing exposure to be identified regardless of which address is screened. In an incident involving more than a dozen asset types, that entity-level view becomes critical.
The case also emphasizes, Elliptic adds in its report, how laundering has become inherently cross-chain. Funds moved from Solana to Ethereum and beyond, demonstrating the need for what Elliptic described as “holistic cross-chain tracing capabilities.”
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
