
Blockchain analytics firm Elliptic said the $285 million exploit of Drift Protocol shows multiple indicators of involvement by North Korean state-linked hackers.
The attack, the largest crypto exploit this year, triggered a sharp drop in Drift’s token, which has fallen more than 40% to around $0.06 since the incident.
“If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far,” the firm said.
Elliptic identified patterns of premeditated onchain behaviour, including test transactions and pre-positioned wallets, followed by rapid consolidation and laundering of funds.
The stolen assets were quickly moved across chains, swapped into more liquid tokens, and distributed through multiple addresses in a structured effort to obscure their origin.
The report highlights Solana’s fragmented account model as a key challenge, as activity tied to a single actor can appear split across multiple token accounts without advanced clustering tools.
Elliptic said entity-level clustering and cross-chain tracing are essential to track such activity, especially as laundering increasingly spans networks like Ethereum.
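The fragmentation described above comes from how SPL tokens are held: each token account holds a single mint and records the wallet that owns it, so transfers name token accounts rather than wallets. The following is an added example, not code from Elliptic or Drift, showing only the first layer of entity-level clustering (resolving token accounts to their owner); all account names, wallets and amounts are constructed.

```python
from collections import defaultdict

# Constructed sample data, not taken from the incident.
# An SPL token account holds one mint and records the wallet that owns it.
TOKEN_ACCOUNTS = {
    "Vault_USDC": {"owner": "Vault", "mint": "USDC"},
    "Vault_WSOL": {"owner": "Vault", "mint": "WSOL"},
    "Vault_JUP": {"owner": "Vault", "mint": "JUP"},
    "Acct_1": {"owner": "Wallet_X", "mint": "USDC"},
    "Acct_2": {"owner": "Wallet_X", "mint": "WSOL"},
    "Acct_3": {"owner": "Wallet_X", "mint": "JUP"},
    "Acct_4": {"owner": "Wallet_Y", "mint": "USDC"},
}

# Constructed transfers: (source token account, destination token account, amount).
TRANSFERS = [
    ("Vault_USDC", "Acct_1", 500),
    ("Vault_WSOL", "Acct_2", 300),
    ("Vault_JUP", "Acct_3", 200),
    ("Vault_USDC", "Acct_4", 50),
    ("Vault_USDC", "Acct_9", 10),  # owner not present in our data set
]

def cluster_by_owner(transfers, accounts):
    """Group destination token accounts under the wallet that owns them."""
    clusters = defaultdict(lambda: {"token_accounts": set(), "received": defaultdict(int)})
    unresolved = set()
    for _src, dst, amount in transfers:
        info = accounts.get(dst)
        if info is None:
            # Never guess an owner: keep unknown accounts separate for follow-up.
            unresolved.add(dst)
            continue
        entry = clusters[info["owner"]]
        entry["token_accounts"].add(dst)
        entry["received"][info["mint"]] += amount  # amounts stay per mint
    return clusters, unresolved

def summarize(transfers, accounts):
    """Compare the account-level view with the owner-level view."""
    clusters, unresolved = cluster_by_owner(transfers, accounts)
    return {
        "destination_token_accounts": len({dst for _s, dst, _a in transfers}),
        "owner_entities": len(clusters),
        "unresolved": sorted(unresolved),
    }

if __name__ == "__main__":
    print(summarize(TRANSFERS, TOKEN_ACCOUNTS))
```

Five destination token accounts collapse to two owning wallets plus one account left unresolved, which is the account-level versus entity-level gap the report describes.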
The incident adds to a broader trend, with DPRK-linked actors reportedly responsible for billions in crypto theft, often linked by US authorities to funding weapons programmes.
At the time of reporting, the Solana price was $79.35.