In one of the largest cyberattacks of the year, blockchain security firm Elliptic has identified indications that North Korea-affiliated cyber groups orchestrated the $285 million hack of Drift Protocol, a leading decentralized futures platform on the Solana blockchain. The breach caused the platform’s native token to plummet, dropping to around $0.06 in value, and rattled investors and the broader decentralized finance community.
Comprehensive analysis heightens suspicion
According to a new report from Elliptic, several key blockchain patterns, money-laundering techniques, and technical signals used in the Drift Protocol incident closely mirrored methods seen in previous state-sponsored cyberattacks. The company noted that North Korea’s government-backed hacking collectives have a track record of deploying these complex tactics across multiple incidents in recent years.
Investigators detailed how, after the initial theft, assets were rapidly funneled through a web of separate wallets and then scattered across numerous addresses within a short timeframe. The appearance of test transactions and the deliberate creation of bespoke wallets prior to the attack point to a high degree of coordinated planning behind the breach.
The ongoing investigation suggests that if North Korean involvement is officially confirmed, it would mark the eighteenth major cyberattack attributed to North Korean actors tracked by Elliptic this year. The firm estimates that over $300 million worth of digital assets have been stolen through similar methods since the start of 2024.
Money laundering tactics and cross-chain transfers
Elliptic’s research also highlights how stolen funds were quickly consolidated and then moved across multiple blockchains, making the money trail increasingly difficult to follow. Initially originating on Solana, the assets were swiftly swapped for different types of tokens on Ethereum and other networks, complicating tracking efforts and showcasing the attackers’ sophisticated grasp of cross-chain maneuvering.
The firm notes that Solana’s account model, which assigns a separate token account to each asset type a wallet holds, creates additional opacity. Activity belonging to a single perpetrator can therefore appear scattered across many addresses, so analysts must reassemble the full picture much like fitting together puzzle pieces found in different places.
In response, Elliptic describes utilizing an “account clustering” methodology to group related token accounts and better visualize the flow of illicit funds. This approach proved instrumental in uncovering that dozens of distinct asset types were ultimately controlled by the same group of attackers.
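The following is an added illustration of what account clustering on a Solana-style account model looks like in code; it is not Elliptic’s tool, methodology or data. It assumes two grouping rules that are common in chain analysis and are labelled as assumptions here: every token account collapses onto the wallet that owns it, and a wallet is linked to whichever wallet sent it its first inbound transfer (the "funding source" heuristic). All account names, mints and transfers are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data (invented names, not real Drift or Elliptic data).
# On Solana each asset type a wallet holds lives in its own token account,
# so one actor's holdings are spread over many addresses.
TOKEN_ACCOUNTS: List[Tuple[str, str, str]] = [
    # (token_account, mint, owner_wallet)
    ("TA-1", "USDC", "W-A"),
    ("TA-2", "SOL-wrapped", "W-A"),
    ("TA-3", "USDC", "W-B"),
    ("TA-4", "DRIFT", "W-B"),
    ("TA-5", "USDT", "W-C"),
    ("TA-6", "USDC", "W-X"),  # wallet unrelated to the W-A group
]

# Constructed, slot-ordered wallet-to-wallet transfers:
# (slot, from_wallet, to_wallet, amount_sol)
TRANSFERS: List[Tuple[int, str, str, float]] = [
    (100, "W-A", "W-B", 0.01),  # small "test"/rent transfer: W-A funds W-B
    (101, "W-A", "W-C", 0.01),  # W-A funds W-C
    (102, "W-B", "W-C", 5.0),   # later movement, not a first-funding edge
    (103, "W-Y", "W-X", 2.0),   # W-X was funded by W-Y, not by the W-A group
    (104, "W-X", "W-B", 0.5),   # W-B's first funder is already W-A, so no link
]


class UnionFind:
    """Minimal disjoint-set structure used to merge related addresses."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def first_funders(transfers) -> Dict[str, str]:
    """Assumed heuristic: the sender of a wallet's first inbound transfer is its funder."""
    funder: Dict[str, str] = {}
    for _slot, src, dst, _amt in sorted(transfers):
        if dst not in funder:
            funder[dst] = src
    return funder


def cluster_accounts(token_accounts, transfers) -> Dict[str, Set[str]]:
    """Group token accounts and wallets into clusters keyed by a representative node."""
    uf = UnionFind()
    # Rule 1: each token account belongs to the wallet that owns it.
    for ta, _mint, owner in token_accounts:
        uf.union(owner, ta)
    # Rule 2: a wallet joins the cluster of the wallet that first funded it.
    for wallet, funder in first_funders(transfers).items():
        uf.union(funder, wallet)
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for node in list(uf.parent):
        clusters[uf.find(node)].add(node)
    return dict(clusters)


def _wallets(token_accounts, transfers) -> Set[str]:
    return {owner for _, _, owner in token_accounts} | {
        w for _, s, d, _ in transfers for w in (s, d)
    }


def wallet_clusters(token_accounts, transfers) -> List[List[str]]:
    """Sorted list of wallet groups believed to be under common control."""
    wallets = _wallets(token_accounts, transfers)
    out = []
    for members in cluster_accounts(token_accounts, transfers).values():
        ws = sorted(m for m in members if m in wallets)
        if ws:
            out.append(ws)
    return sorted(out)


def mints_controlled(token_accounts, transfers) -> Dict[str, Set[str]]:
    """Distinct asset types each cluster controls, keyed by its smallest wallet name."""
    wallets = _wallets(token_accounts, transfers)
    result: Dict[str, Set[str]] = {}
    for members in cluster_accounts(token_accounts, transfers).values():
        ws = sorted(m for m in members if m in wallets)
        if ws:
            result[ws[0]] = {mint for ta, mint, _ in token_accounts if ta in members}
    return result


if __name__ == "__main__":
    for group in wallet_clusters(TOKEN_ACCOUNTS, TRANSFERS):
        print("cluster:", group, "controls:", sorted(mints_controlled(TOKEN_ACCOUNTS, TRANSFERS)[group[0]]))
```

Run as-is, the script reports two clusters: W-A, W-B and W-C (with four distinct asset types among them, scattered over five token accounts) and, separately, W-X and W-Y. The funding-source rule is deliberately conservative; a real investigation would add further link rules (shared fee payers, co-signing, timing) and would review false merges by hand before relying on the result.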
Elliptic’s report observed that “North Korea-linked actors have seized large quantities of digital assets in recent years, which international investigators increasingly believe are funneled into the country’s nuclear weapons program.”
The growing threat was echoed in an additional study released in December 2024, which found that North Korea-backed hacking campaigns have accelerated, with last year’s haul of stolen digital assets alone nearing $2 billion. The U.S. Department of the Treasury has also stated that much of this cybercrime revenue appears to finance North Korea’s weapons of mass destruction programs.