Drift Protocol outlined a recovery framework for users hit by its $295 million April 1 exploit, which it attributed to a North Korea-backed DPRK hacking group identified by forensic firm Mandiant. The plan centers on issuing a recovery token where each unit represents $1 of verified user loss, redeemable once a dedicated pool accrues enough to cover the full $295.4 million shortfall.
The pool starts at roughly $3.8 million in remaining protocol assets and is expected to grow through exchange revenue, up to $127.5 million in support from Tether tied to performance, and up to $20 million from partners. Drift said about $3.36 million in USDC has already been frozen, while roughly 130,259 ETH (~$31 million) stolen by the attacker remains traceable across four monitored wallets with limited successful off-ramping. A 10% public bounty on recovered assets is also live.
Why it matters
The April 1 incident is the largest DeFi exploit of the year and follows the $280 million Lazarus-group drain of Kelp DAO that Aave is now spearheading a coordinated rescue for. Two near-identical-scale DPRK-linked attacks in a single quarter are forcing DeFi lenders and perps venues to confront the same hard problem: when on-chain insurance is inadequate and the attacker is state-backed, recovery is a fundraising and governance exercise as much as a technical one. Drift's reliance on Tether support and partner contributions signals that protocol treasuries alone cannot cover this category of loss.
Market impact
Drift will relaunch in Q2 as a security-first venue with new multisig controls, time-locked operations, key rotation and a narrower product scope focused on perpetuals — a pattern Aave and other blue-chip DeFi protocols are also pursuing industry-wide. The recovery token structure, if governance approves it, becomes a template for any future large-scale DeFi loss event where partial reimbursement is the realistic ceiling. Watch the Tether performance-linked tranche and the on-chain movement of the monitored attacker wallets: any meaningful off-ramp would suggest the traceable-funds thesis is breaking down before the pool can fully accrue.
Frequently asked questions
-
What is the $295 million Drift Protocol exploit?
Drift Protocol suffered a $295.4 million exploit on April 1, attributed to a North Korea-backed DPRK hacking group identified by forensic firm Mandiant. Roughly 130,259 ETH (~$31M) of the stolen funds remain traceable across four monitored wallets with limited off-ramping.
-
How will Drift Protocol users be made whole?
Drift will issue recovery tokens where each unit represents $1 of verified user loss, redeemable once a dedicated pool matches the full $295.4M shortfall. The pool starts at ~$3.8M and grows through revenue, up to $127.5M from Tether, and up to $20M from partners.
-
When will Drift Protocol relaunch?
Drift plans to relaunch in the second quarter as a security-first exchange, with new multisig controls, time-locked operations, key rotation and a narrower product scope focused on perpetuals trading. Final details are subject to governance votes.
-
How does Drift's recovery compare to Aave's Kelp DAO rescue?
Both incidents are DPRK-linked exploits of comparable scale — Drift's $295M and Kelp DAO's ~$280M. Aave is coordinating donations, deposits and credit lines across the crypto space for Kelp DAO, while Drift relies on a tokenized-claim structure funded by its own treasury, Tether and partners.
-
Has any of the stolen Drift funds been recovered?
Drift said about $3.36 million in USDC has been frozen, additional assets remain delayed in cross-chain transfers, and a 10% public bounty on recovered assets is live. Roughly 130,259 ETH (~$31M) remains traceable across four monitored attacker wallets.
CoinDesk