Drift Outlines Recovery Plan for Users After $295 Million DPRK-Linked Exploit

Drift Protocol announced Tuesday that it is implementing a recovery plan for users affected by a $295 million exploit on April 1, which it attributed to a North Korean state-backed hacking group identified by forensics firm Mandiant.

The protocol suspended trading and borrowing immediately following the exploit. Drift said “the majority of stolen assets remain traceable and contained with successful ramp exit limited by the attacker,” with approximately 130,259 ETH (approximately $31 million) concentrated in four monitored wallets.

Drift’s statement explains that the recovery framework is centered around issuing a token representing users’ verified losses. “Each recovery token represents $1 of verified loss,” Drift said, adding that holders could redeem based on the value of a funded recovery pool over time.

This pool starts with approximately $3.8 million in remaining protocol assets and is expected to grow through exchange revenue, up to $127.5 million in performance-related support from Tether, and up to $20 million from partners, Drift said. The pool will accumulate until it equals total losses of approximately $295.4 million, at which point tokens can be traded at their full value, it added.

Drift also said that some funds had already been frozen, including approximately $3.36 million in USDC, while additional assets remained delayed in cross-chain transfers. Legal efforts to seize and reissue the funds are ongoing, it said. The protocol also launched a public bounty offering 10% of recovered assets.

Drift plans to relaunch in the second quarter as a “security-focused” exchange with changes including new multisig controls, time-locked operations, key rotation and a reduced product line focused on perpetual trading.

“The Drift team takes thoughtful steps to ensure user integrity,” the team said, adding that final decisions will be subject to governance votes.

The announcement of Drift’s recovery plan comes a week after Aave said it was leading a coordinated DeFi recovery effort to rescue Kelp DAO following the second-largest DeFi exploit this year, which was also carried out by North Korea-backed hackers. The so-called Lazarus Group drained nearly $280 million. In this case, Aave was able to raise donations, deposits, and lines of credit from across the crypto space.
