Two weeks after losing $285 million to a North Korean state-affiliated hacking group, Drift Protocol has a path back.
Tether — the world’s largest stablecoin issuer — has confirmed it is leading a recovery plan of up to $150 million alongside the Solana Foundation to reimburse affected users and relaunch the protocol.
“When the industry faces challenges, Tether steps up,” the company wrote on X.
The deal comes with a structural shift that matters beyond the dollar amount. Drift will relaunch as a USDT-based perpetuals DEX on Solana — replacing Circle’s USDC as its settlement layer entirely. For Tether, the move is simultaneously a rescue operation and a strategic expansion of USDT’s footprint across DeFi infrastructure on the world’s fastest blockchain.
How North Korea Stole $285 Million Over Six Months
The April 1st hack was not a sudden exploit. It was the conclusion of a six-month operation that combined patience, social engineering, and technical precision in a way that had never been seen at this scale.
The attackers — assessed with medium-high confidence by investigators as a North Korean state-affiliated group linked to the October 2024 Radiant Capital hack — spent months posing as employees of a “quantitative trading fund.” They attended conferences, communicated with the Drift team over Telegram, and invested $1 million of their own money into the protocol to establish credibility. When the relationship felt like a working partnership, they sent a repository containing a file that exploited a vulnerability in Visual Studio Code and Cursor. Opening the file was enough.
The breach did not originate from a flaw in Drift’s smart contracts or leaked private keys. The attackers gained control at the governance layer. After securing unauthorized access, they executed a rapid administrative transfer — taking over protocol-level permissions, introducing a malicious asset, disabling existing withdrawal safeguards, and opening the door to unrestricted fund extraction. The structure of the attack showed clear premeditation, including the use of durable nonce accounts to pre-sign transactions with delayed execution — infrastructure prepared in advance to execute multiple steps in quick succession once access was obtained.
The attackers automatically deleted their communications and erased traces of the attack, and approximately $285 million disappeared from the protocol. The main weapon was not a code exploit. It was six months of patience and social engineering.
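The durable-nonce pre-signing described above leaves a recognizable marker for defenders: a Solana transaction that uses a durable nonce carries the System Program's AdvanceNonceAccount as its first instruction, so it does not expire the way a transaction built on a recent blockhash does. The following is an added example, not code from Drift or the investigators; it assumes a legacy message in the JSON RPC "json" encoding, and the placeholder account keys, the watched program name and the helper names are constructed for illustration.

```python
# Added example (not from the article): flag Solana transactions that use a durable nonce.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = (4).to_bytes(4, "little")  # SystemInstruction::AdvanceNonceAccount, u32 LE
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Decode base58 instruction data as returned by the JSON RPC."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def durable_nonce_info(message):
    """Return (nonce_account, nonce_authority) when the first instruction is
    AdvanceNonceAccount, which is what marks a durable-nonce transaction."""
    ixs = message.get("instructions") or []
    if not ixs:
        return None
    keys, first = message["accountKeys"], ixs[0]
    if keys[first["programIdIndex"]] != SYSTEM_PROGRAM:
        return None
    if len(first["accounts"]) < 3 or b58decode(first["data"]) != ADVANCE_NONCE:
        return None
    # Account order: nonce account, recent-blockhashes sysvar, nonce authority.
    nonce_account, _sysvar, authority = (keys[i] for i in first["accounts"][:3])
    return nonce_account, authority

def review(message, privileged_programs):
    """Alert when a durable-nonce transaction also invokes a watched program."""
    info = durable_nonce_info(message)
    if info is None:
        return None
    keys = message["accountKeys"]
    invoked = {keys[ix["programIdIndex"]] for ix in message["instructions"][1:]}
    hits = sorted(invoked & set(privileged_programs))
    return {"nonce_account": info[0], "nonce_authority": info[1],
            "privileged_programs": hits, "alert": bool(hits)}

# Constructed sample data: every key except the two real system IDs is a placeholder.
KEYS = ["PayerPlaceholder", "NonceAccountPlaceholder", "NonceAuthorityPlaceholder",
        "SysvarRecentB1ockHashes11111111111111111111", SYSTEM_PROGRAM, "AdminProgramPlaceholder"]
ADMIN_IX = {"programIdIndex": 5, "accounts": [0, 2], "data": "1"}
PRESIGNED = {"accountKeys": KEYS, "instructions": [
    {"programIdIndex": 4, "accounts": [1, 3, 2], "data": "6vx8P"}, ADMIN_IX]}
ORDINARY = {"accountKeys": KEYS, "instructions": [ADMIN_IX]}

if __name__ == "__main__":
    print(review(PRESIGNED, {"AdminProgramPlaceholder"}))
    print(review(ORDINARY, {"AdminProgramPlaceholder"}))
```

Run against the pending or historical transactions of an admin or multisig authority, a check like this surfaces signed-but-unexecuted actions that stay valid until the nonce is advanced or its authority is changed.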
The Laundering Route: From Solana to Ethereum
Once the vault was drained, the attacker moved quickly to disperse and obscure the funds. Large portions of assets were swapped into USDC, then bridged from Solana to Ethereum via Circle’s Cross-Chain Transfer Protocol. ETH was acquired through aggregators including 1inch, and thousands of ETH accumulated across Ethereum wallets within hours.
At peak activity, trackers observed flows equivalent to over $40 million moving through Ethereum during the laundering phase. Despite the scale and visibility of the transfers, a significant portion of the funds successfully exited the Solana ecosystem before any intervention could take place. The speed of the post-exploit dispersal was itself part of the premeditation — the infrastructure to move and obscure funds was ready before the attack began.
Drift’s Recovery Plan and the Road Back
In the days following the hack, Drift acknowledged the severity of the situation and the impact on users and builders who rely on the protocol as core infrastructure. The team confirmed it was working with security firms Asymmetric Research and OShield to consolidate a coordinated recovery plan, and announced participation in the STRIDE program by the Solana Foundation as part of strengthening its long-term security posture.
“Our immediate focus is to stabilize the situation and provide protocol-level assurance to all affected users and partners,” the team wrote on X on April 9th. “We’re aligning closely with leading ecosystem security teams to ensure a structured and thoughtful path forward.”
The $150 million funding package from Tether and partners represents the concrete outcome of that coordination. For users who lost funds in the exploit, it is the difference between a total loss and at least a partial recovery — though the gap between $147.5 million recovered and $285 million lost means not all funds will be made whole.
What the Tether Deal Means for DeFi
The broader significance of Tether stepping in as the primary recovery funder extends beyond this single incident. When the world’s largest stablecoin issuer commits over $50 million to rebuild a hacked DeFi protocol — and in doing so replaces a competitor’s stablecoin as the settlement layer — it signals that Tether is actively positioning itself as infrastructure-level support for the DeFi ecosystem, not just a passive dollar-denominated asset.
For the Solana DeFi ecosystem specifically, the Drift recovery is a test of resilience. The protocol was one of the most active perpetuals venues on the network. Its relaunch as a USDT-based DEX, backed by Tether’s capital and credibility, gives it a path back to relevance — but rebuilding user trust after a $285 million governance-layer hack will take more than a funding package. It will take a security architecture that makes a repeat of April 1st structurally impossible.
The details of that architecture, and the timeline for relaunch, have not yet been confirmed by the Drift team.
