Crypto security research firm Elliptic has announced that traces of North Korea-linked cyber teams were found behind the $285 million loss at Drift Protocol, one of the biggest cyber attacks of the year. Drift Protocol is a decentralized futures platform that operates on the Solana blockchain and is notable for its transaction volume. After the attack, the platform’s native token lost significant value, dropping to approximately $0.06.
Suspicions raised in comprehensive analysis
In the report prepared by Elliptic, it was stated that the on-chain movements, the laundering methods used and certain technical signals on the network match previous state-sponsored attacks. The company cited examples of North Korean state-sponsored (DPRK) cyber groups acting with similar methods.
The research noted that the assets were first directed to different wallets and then distributed to many addresses in a short time. Test transactions made just before the attack and the discovery of wallets prepared specifically for the attack showed that the incident was planned in an organized manner.
According to the report, if the North Korean connection is confirmed, this will be recorded as the eighteenth North Korean attack that Elliptic has been tracking as of 2024. The company states that assets exceeding $300 million were seized this year using similar methods.
Money laundering techniques and cross-chain movements
Another detail highlighted in the report was that the laundered funds were consolidated and transferred to various blockchains in a very short time. Assets originally on the Solana network were converted into different asset types on Ethereum and other blockchains, becoming difficult to trace. This showed that the attackers were well versed in cross-chain movement.
According to Elliptic, the Solana network uses a separate account for each asset type a wallet holds, which makes tracking the attackers’ movements more complex. Because movements belonging to one actor can appear scattered across different addresses, it becomes difficult for researchers to see the whole picture.
On the other hand, the company states that with the “account clustering” approach, it can track fund flows more completely by connecting the relevant token accounts to one another. This method played an important role in determining that dozens of different asset types were controlled by the same actor in this incident.
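To make the clustering idea concrete, here is a simplified illustration added to this article (it is not Elliptic’s tooling or code): token accounts are linked to their owning wallet with a union-find, and inbound flows are then summed per owner cluster rather than per scattered address. It assumes each token account record carries its owner wallet and mint, as Solana SPL token accounts do; all addresses, mints and amounts are constructed sample data.

```python
"""Cluster Solana SPL token accounts by owning wallet and summarise flows per cluster.
Added illustration only, not Elliptic's tooling; all addresses and amounts are constructed."""
from collections import defaultdict

# Constructed token-account table: token account address -> (owner wallet, mint).
# A Solana wallet holds each asset in a separate token account, so one actor
# appears as many unrelated-looking addresses when viewed asset by asset.
TOKEN_ACCOUNTS = {
    "tokA1": ("walletA", "USDC"),
    "tokA2": ("walletA", "SOL"),
    "tokA3": ("walletA", "JLP"),
    "tokB1": ("walletB", "USDC"),
    "tokB2": ("walletB", "JLP"),
    "tokC1": ("walletC", "SOL"),
}

# Constructed transfer log: (source token account, destination token account, mint, amount).
TRANSFERS = [
    ("victimUSDC", "tokA1", "USDC", 120_000_000),
    ("victimSOL", "tokA2", "SOL", 400_000),
    ("victimJLP", "tokA3", "JLP", 3_000_000),
    ("tokA1", "tokB1", "USDC", 60_000_000),  # split out to a second wallet
    ("tokA3", "tokB2", "JLP", 1_500_000),
    ("tokA2", "tokC1", "SOL", 100_000),
]


def build_clusters(token_accounts):
    """Map each token account (and wallet) to a cluster id using union-find.
    Addresses not in the table (e.g. the victim's accounts) stay singletons."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for account, (owner, _mint) in token_accounts.items():
        root_acct, root_owner = find(account), find(owner)
        if root_acct != root_owner:
            parent[root_acct] = root_owner  # link token account to its owner
    return {addr: find(addr) for addr in list(parent)}


def summarize_flows(transfers, clusters):
    """Sum inbound amounts per (cluster, mint), so the asset types one actor
    controls are visible together instead of scattered across token accounts."""
    received = defaultdict(lambda: defaultdict(int))
    for _src, dst, mint, amount in transfers:
        received[clusters.get(dst, dst)][mint] += amount
    return {cluster: dict(mints) for cluster, mints in received.items()}
```

On the sample data the six destination addresses collapse into three clusters, and the first cluster is shown to control all three asset types at once.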
The Elliptic report included the assessment that “North Korea-related actors have seized large amounts of digital assets in recent years and these assets are used to finance the country’s nuclear program.”
In a related analysis published in December 2024, it was reported that North Korean-backed attacks have accelerated in recent years and that the digital assets seized last year alone reached $2 billion. In its latest statement, the US Treasury Department said that the proceeds were used to finance the weapons of mass destruction program.