Drift Protocol announced on Tuesday that it would implement a recovery plan for users affected by a $295 million breach on April 1, attributed to the North Korean state-backed DPRK hacking group identified by forensics firm Mandiant.
The attack caused the protocol to suspend trading and lending immediately after the exploit. Drift said that “most of the stolen assets remain traceable, and attackers have had limited successful outflows,” with approximately 130,259 ETH (approximately $31 million) concentrated in four monitored wallets.
Drift’s statement explains that the core of the recovery framework is the issuance of tokens that represent verified user losses. “Each recovery token represents $1 of verified loss,” Drift said, adding that holders will be able to redeem based on the value of the recovery pool funded over time.
Drift said the pool will initially consist of approximately $3.8 million in remaining protocol assets and is expected to grow through exchange revenue, up to $127.5 million in performance-related support from Tether, and up to $20 million in support from partners. It added that the pool will continue to accumulate until it matches the total losses of approximately $295.4 million, at which time the tokens can be redeemed in full.
Drift also said that some funds have been frozen, including approximately $3.36 million in USDC, while cross-chain transfers of other assets are still delayed. Legal efforts to seize and reissue the funds are ongoing, the statement said. The protocol also launched a public bounty offering 10% of recovered assets.
Drift plans to relaunch in Q2 as a “security first” exchange, with changes including new multi-signature controls, time-locked operations, key rotation, and a narrowed product range focused on perpetual contracts.
“The Drift team is taking thoughtful steps to ensure the health of its users,” the team said, adding that the final decision will depend on a governance vote.
Drift announced its recovery plan a week after Aave said it was taking the lead in coordinating DeFi recovery efforts to rescue Kelp DAO, the second largest DeFi vulnerability of the year, which was also carried out by North Korea-backed hackers. The so-called Lazarus Group siphoned off nearly $280 million. In this case, Aave has access to a wide range of donations, deposits and lines of credit from the cryptocurrency space.