Loading prices…
🩸BEARISH

Drift Protocol Unveils $295M Recovery Plan After DPRK Exploit

A $3.8M seed pool and tokenized loss claims try to bridge a $295.4M gap — but relaunch as a security-first venue is the bigger industry test after Aave's Kelp DAO rescue.

Drift Protocol outlined a recovery framework for users hit by its $295 million April 1 exploit, which it attributed to a North Korea-backed DPRK hacking group identified by forensic firm Mandiant. The plan centers on issuing a recovery token where each unit represents $1 of verified user loss, redeemable once a dedicated pool accrues enough to cover the full $295.4 million shortfall.

The pool starts at roughly $3.8 million in remaining protocol assets and is expected to grow through exchange revenue, up to $127.5 million in support from Tether tied to performance, and up to $20 million from partners. Drift said about $3.36 million in USDC has already been frozen, while roughly 130,259 ETH (~$31 million) stolen by the attacker remains traceable across four monitored wallets with limited successful off-ramping. A 10% public bounty on recovered assets is also live.

Why it matters

The April 1 incident is the largest DeFi exploit of the year and follows the $280 million Lazarus-group drain of Kelp DAO that Aave is now spearheading a coordinated rescue for. Two near-identical-scale DPRK-linked attacks in a single quarter are forcing DeFi lenders and perps venues to confront the same hard problem: when on-chain insurance is inadequate and the attacker is state-backed, recovery is a fundraising and governance exercise as much as a technical one. Drift's reliance on Tether support and partner contributions signals that protocol treasuries alone cannot cover this category of loss.

Market impact

Drift will relaunch in Q2 as a security-first venue with new multisig controls, time-locked operations, key rotation and a narrower product scope focused on perpetuals — a pattern Aave and other blue-chip DeFi protocols are also pursuing industry-wide. The recovery token structure, if governance approves it, becomes a template for any future large-scale DeFi loss event where partial reimbursement is the realistic ceiling. Watch the Tether performance-linked tranche and the on-chain movement of the monitored attacker wallets: any meaningful off-ramp would suggest the traceable-funds thesis is breaking down before the pool can fully accrue.

Related tokens
$ETH

Frequently asked questions

  1. What is the $295 million Drift Protocol exploit?

    Drift Protocol suffered a $295.4 million exploit on April 1, attributed to a North Korea-backed DPRK hacking group identified by forensic firm Mandiant. Roughly 130,259 ETH (~$31M) of the stolen funds remain traceable across four monitored wallets with limited off-ramping.

  2. How will Drift Protocol users be made whole?

    Drift will issue recovery tokens where each unit represents $1 of verified user loss, redeemable once a dedicated pool matches the full $295.4M shortfall. The pool starts at ~$3.8M and grows through revenue, up to $127.5M from Tether, and up to $20M from partners.

  3. When will Drift Protocol relaunch?

    Drift plans to relaunch in the second quarter as a security-first exchange, with new multisig controls, time-locked operations, key rotation and a narrower product scope focused on perpetuals trading. Final details are subject to governance votes.

  4. How does Drift's recovery compare to Aave's Kelp DAO rescue?

    Both incidents are DPRK-linked exploits of comparable scale — Drift's $295M and Kelp DAO's ~$280M. Aave is coordinating donations, deposits and credit lines across the crypto space for Kelp DAO, while Drift relies on a tokenized-claim structure funded by its own treasury, Tether and partners.

  5. Has any of the stolen Drift funds been recovered?

    Drift said about $3.36 million in USDC has been frozen, additional assets remain delayed in cross-chain transfers, and a 10% public bounty on recovered assets is live. Roughly 130,259 ETH (~$31M) remains traceable across four monitored attacker wallets.

Source attribution
Aggregated from CoinDesk · Verified · Last refreshed 65d ago
Open original →