Drift outlines recovery plan for users after $295 million DPRK-linked exploit

Drift Protocol on Tuesday announced the implementation of a recovery plan for users affected by a $295 million exploit on April 1, which it attributed to a North Korean (DPRK) state-backed hacking group identified by forensics firm Mandiant.

The protocol suspended trading and lending immediately after the exploit. Drift said “the majority of stolen assets remain traceable and contained with limited successful off-ramping by the attacker,” with about 130,259 ETH (roughly $31 million) concentrated in four monitored wallets.

Drift’s statement explains that the recovery framework is centered on issuing a token that represents verified user losses. “Each recovery token represents $1 of verified loss,” Drift said, adding that holders would be able to redeem based on the value of a recovery pool funded over time.

That pool starts with about $3.8 million in remaining protocol assets and is expected to grow through exchange revenue, up to $127.5 million in support from Tether tied to performance and up to $20 million from partners, Drift said. The pool will accumulate until it matches total losses of about $295.4 million, after which tokens can be redeemed at full value, it added.

Drift also said some funds have already been frozen, including about $3.36 million in USDC, while additional assets remain delayed in cross-chain transfers. Legal efforts to seize and reissue funds are underway, it said. The protocol also launched a public bounty offering 10% of recovered assets.

Drift plans to relaunch in the second quarter as a “safety-first” exchange with changes including new multisig controls, time-locked operations, key rotation and reduced product scope with a focus on perpetual trading.

“The Drift team is taking deliberate measures to ensure users are made whole,” the team said, adding that final decisions will be subject to management votes.

Drift’s recovery plan announcement comes a week after Aave said it was spearheading a coordinated DeFi recovery effort to save Kelp DAO, which suffered the second-largest DeFi exploit this year, also carried out by North Korean-backed hackers. The so-called Lazarus group drained almost $280 million. In this case, Aave has been able to obtain a wide range of donations, deposits and lines of credit from across the crypto space.
