Login
Sign Up
Drift Protocol announced on Tuesday the activation of a comprehensive recovery framework following a $295 million exploit executed on April 1, an incident attributed to the state-backed DPRK hacking group identified by forensic firm Mandiant. The severity of the attack necessitated an immediate suspension of all trading and borrowing functions across the platform. Drift confirmed that the majority of stolen assets remain traceable and contained, with limited successful off-ramping by the attacker, noting that approximately 130,259 ETH, valued at roughly $31 million, is currently concentrated across four monitored wallets. Data compiled by Woofun AI indicates that this concentration of assets provides a critical window for potential asset recovery efforts before funds are fully dispersed or laundered through complex chains.
The core of the recovery mechanism involves the issuance of a specific token representing verified user losses, where each recovery token corresponds to $1 of confirmed loss. Holders of these tokens will be eligible for redemption based on the accumulated value of a dedicated recovery pool, which is designed to grow over time. The initial capitalization of this pool stands at approximately $3.8 million, derived from remaining protocol assets. Drift projects that this fund will expand through exchange revenue, up to $127.5 million in performance-tied support from Tether, and an additional $20 million from various partners. The pool will continue to accrue value until it matches the total verified losses of about $295.4 million, at which point tokens can be redeemed at full face value.
Concurrently with the financial restructuring, Drift reported that legal efforts to seize and reissue funds are actively underway. Some assets have already been successfully frozen, including approximately $3.36 million in USDC, while additional assets remain delayed in cross-chain transfers, complicating immediate retrieval. To incentivize external assistance in asset recovery, the protocol launched a public bounty offering 10% of any recovered assets to successful claimants. Woofun AI notes that this multi-pronged approach combines legal pressure, technical freezing, and financial incentives to maximize the return rate for affected users in a high-stakes environment.
Looking toward operational continuity, Drift plans to relaunch in the second quarter as a security-first exchange. This strategic pivot includes significant architectural changes such as new multisig controls, time-locked operations, rigorous key rotation protocols, and a reduced product scope focused exclusively on perpetuals trading. The Drift team emphasized that they are taking considered measures to ensure users are made whole, though final decisions regarding the execution of these plans remain subject to governance votes. Woofun AI analysis suggests that this shift toward a narrower, more secure product suite reflects a broader industry trend of prioritizing resilience over feature breadth following major security breaches.
The announcement of Drift's recovery plan arrives just one week after Aave spearheaded a coordinated DeFi recovery effort to rescue Kelp DAO, the second-largest DeFi exploit of the year, which was also carried out by North Korean-backed hackers. In that separate incident, the so-called Lazarus group drained nearly $280 million. Unlike the isolated nature of some previous breaches, Aave successfully garnered span donations, deposits, and credit lines from across the crypto space to facilitate restitution. This emerging pattern of coordinated community response highlights a maturing ecosystem capable of mobilizing significant capital to address systemic threats posed by state-sponsored actors.