Drift Protocol announced Tuesday the implementation of a recovery plan for users affected by a $295 million exploit on April 1, which it attributed to a North Korean state-backed (DPRK) hacking group identified by forensics firm Mandiant.
The attack led the protocol to suspend operations and lending immediately after the exploit. Drift said that “the majority of the stolen assets remain traceable and contained with limited success by the attacker,” with around 130,259 ETH (approximately $31 million) concentrated in four monitored wallets.
Drift’s statement explains that the recovery framework centers on issuing a token that represents users’ verified losses. “Each recovery token represents $1 of verified loss,” Drift said, adding that holders could redeem the tokens over time based on the value of the recovery fund.
That fund starts with about $3.8 million in remaining protocol assets and is expected to grow through exchange revenue, up to $127.5 million in performance-linked Tether support and up to $20 million from partners, Drift said. The fund will accumulate until it equals the total losses of approximately $295.4 million, at which point the tokens can be redeemed for their full value, it added.
Drift also said that some funds have already been frozen, including around $3.36 million in USDC, while additional assets remain delayed in cross-chain transfers. Legal efforts are underway to seize and reissue funds, it said. The protocol also launched a public reward offering 10% of recovered assets.
Drift plans to relaunch in the second quarter as a “security-first” exchange with changes including new multi-signature controls, time-limited trading, key rotation, and reduced product scope focused on perpetual trading.
“The Drift team is taking thoughtful steps to ensure completeness for users,” the team said, adding that final decisions will be subject to governance votes.
The announcement of Drift’s recovery plan comes a week after Aave said it was leading a coordinated DeFi recovery effort to rescue Kelp DAO following the second largest DeFi exploit this year, which was also carried out by North Korean-backed hackers. The so-called Lazarus group spent almost $280 million. In this case, Aave has been able to obtain donations, deposits, and lines of credit from across the crypto space.




