
Drift Protocol announced Tuesday the implementation of a recovery plan for users affected by a $295 million exploit on April 1, which it attributed to the North Korean state-backed (DPRK) hacking group identified by forensic firm Mandiant.
The attack led the protocol to suspend trading and borrowing immediately after the exploit. Drift said “the majority of stolen assets remain traceable and contained with limited successful off-ramping by the attacker,” with about 130,259 ETH (roughly $31 million) concentrated across four monitored wallets.
Drift’s statement explains that the recovery framework centers on issuing a token representing verified user losses. “Each recovery token represents $1 of verified loss,” Drift said, adding that holders would be able to redeem based on the value of a recovery pool funded over time.
That pool starts with roughly $3.8 million in remaining protocol assets and is expected to grow through exchange revenue, up to $127.5 million in support from Tether tied to performance, and up to $20 million from partners, Drift said. The pool will accrue until it matches total losses of about $295.4 million, at which point tokens can be redeemed at full value, it added.
Drift also said some funds have already been frozen, including about $3.36 million in USDC, while additional assets remain delayed in cross-chain transfers. Legal efforts to seize and reissue funds are ongoing, it said. The protocol also launched a public bounty offering 10% of recovered assets.
Drift plans to relaunch in the second quarter as a “security-first” exchange, with changes including new multisig controls, time-locked operations, key rotation and a reduced product scope focused on perpetuals trading.
“The Drift team is taking considered measures to ensure that users are made whole,” the team said, adding that final decisions will be subject to governance votes.
Drift’s recovery plan announcement comes a week after Aave said it was spearheading a coordinated DeFi recovery effort to rescue Kelp DAO, which suffered the second-largest DeFi exploit this year, also carried out by North Korean-backed hackers. The so-called Lazarus group drained nearly $280 million. In this case, Aave has been able to garner donations, deposits, and credit lines from across the crypto space.


