Drift Protocol Unveils Roadmap to Recover from $295 Million North Korea-Linked Hack
Solana-based decentralized exchange Drift Protocol has established a comprehensive recovery strategy, including tokenized claims and a Tether-led bailout, in response to the massive security breach that occurred last April.
Following the $295.7 million hack on April 1, 2026, Drift Protocol has finalized a multi-stage recovery plan to compensate affected users. Backed by a $148 million rescue fund led by Tether, the Solana-based exchange will compensate user losses through tokenized claims while transitioning its settlement architecture from USDC to USDT.
The attack on April 1 shocked the market, instantly draining over 50% of Drift Protocol's Total Value Locked (TVL) at the time. Immediately after the attack, the value of the governance token DRIFT plummeted by more than 40% in a single day. A chain reaction followed as several related protocols within the Solana ecosystem suspended operations or began assessing the extent of their damage.
This recovery plan is more than just a replenishment of funds; it is a strategic turning point to fundamentally redesign the protocol's security system and restore user trust.
Analysis by security experts revealed that the incident was not a simple smart contract vulnerability exploit, but a highly sophisticated social engineering attack backed by North Korea. Major blockchain analysis firms such as Elliptic and Chainalysis reported that the on-chain fund flows and laundering techniques match the patterns of previous North Korea-linked hacking groups.
The Reality of the 'Contagious Interview' Operation Linked to North Korea's Reconnaissance General Bureau
Attackers approached Drift's core developers through the 'Contagious Interview' campaign, attempting a long-term infiltration over six months. Posing as job interviewers, they distributed project files containing malicious code. Investigations found that these files installed a backdoor that could seize administrator privileges the moment a developer executed them.
- Attackers weaponized the 'tasks.json' file in the IDE (Integrated Development Environment) to automatically execute malicious scripts upon opening the project folder.
- Security team SEAL 911 assessed that the attack was likely the work of UNC4736 (also known as AppleJeus), a North Korea-linked group that carried out the Radiant Capital hack in October 2024.
- The stolen funds were laundered through highly automated mixing services and transferred to various addresses on the Solana network.
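The auto-run mechanism in the first point above can be checked for before a received project is ever opened in an editor. The following is an added example, not code from Drift, SEAL 911, or the original article. It assumes the VS Code task schema, in which a task with `runOptions.runOn` set to `folderOpen` starts when the folder is opened; the article itself does not name the IDE, and the sample file is constructed.

```python
import json, re, tempfile
from pathlib import Path

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, left untouched by the passes below

def strip_jsonc(text):
    """tasks.json is JSON-with-comments: drop comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(_STR + r"|,(?=\s*[}\]])", keep, text)

def autorun_tasks(tasks_file):
    """Return (label, command line) for each task set to run when the folder opens."""
    doc = json.loads(strip_jsonc(Path(tasks_file).read_text(encoding="utf-8")))
    hits = []
    for task in doc.get("tasks", []):
        # Assumption: VS Code schema, where runOn == "folderOpen" means auto-run.
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            parts = [task.get("command", "")] + list(task.get("args", []))
            hits.append((task.get("label", "<unlabelled>"), " ".join(map(str, parts)).strip()))
    return hits

def scan_project(root):
    """Read every tasks.json under root as plain text; nothing is executed."""
    findings = {}
    for path in Path(root).rglob("tasks.json"):
        try:
            hits = autorun_tasks(path)
        except (ValueError, OSError, AttributeError) as exc:
            hits = [("<unparseable, review by hand>", str(exc))]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample, not taken from the incident: one ordinary task, one auto-run task.
SAMPLE = '''{
  // hypothetical "take-home assignment" project
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "env-check", "type": "shell", "command": "node", "args": ["./.assets/setup.js"],
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},
    },
  ]
}'''

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        vsdir = Path(tmp, "take-home", ".vscode")
        vsdir.mkdir(parents=True)
        (vsdir / "tasks.json").write_text(SAMPLE, encoding="utf-8")
        return scan_project(tmp)
```

Any finding is a reason to review the task's command by hand before opening the folder. Opening unfamiliar projects in VS Code's Restricted Mode (Workspace Trust) also keeps tasks from running.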
In the crisis, Tether stepped in as Drift's savior by injecting $127.5 million, with other strategic partners providing an additional $20 million, creating a total bailout fund of $148 million. This capital will be used as the foundation for the platform's relaunch and as a core resource for user compensation. Consequently, Drift has decided to switch its settlement layer from Circle's USDC to Tether's USDT.
This strategic shift follows Circle's refusal to freeze the stolen USDC at the time of the hack, whereas Tether immediately expressed its intent to provide support and intervened actively. Drift stated that while it is considering legal action, it plans to strengthen stability by reorganizing the platform into a USDT-based perpetual futures exchange through close cooperation with Tether.
Recovery Roadmap Announced on May 5: Tokenized Claims and Revenue Sharing
On May 5, 2026, Drift unveiled a specific compensation mechanism for affected users. At its core are tokenized claims issued at a 1:1 ratio for lost assets. Holders can be reimbursed with a portion of future protocol revenue or trade the claims on the market.
The protocol plans to direct a certain percentage of future operating profits, as a priority, into a Recovery Pool for distribution to claim holders. It has also opened the possibility of further asset recovery by launching a large-scale bounty program in collaboration with Arkham and Bybit to track and recover the stolen funds.
To strengthen security, Drift decided to completely overhaul its multi-sig wallet system and introduce a continuous auditing system with external security firms. In particular, it is establishing a process that significantly strengthens security protocols in the development environment, in order to block the risk of supply chain attacks that can occur when loading external libraries or project files.
This incident served as a wake-up call for security awareness across the Solana DeFi ecosystem, leaving the restoration of institutional investor trust as a future challenge. Drift Protocol expressed its commitment to becoming an exchange with a more robust infrastructure through this recovery plan and plans to officially launch new USDT-based services soon.




This content is for information and commentary only and is not investment advice.