Lawrence Jengar
Apr 16, 2026 16:32
Tether leads $150M recovery program for Drift Protocol following April’s North Korea-linked hack, with platform switching from USDC to USDT settlement.
Tether is putting up $127.5 million to help Drift Protocol users recover funds stolen in last month’s $280 million exploit—a move that also secures a major win for USDT on Solana at Circle’s expense.
The stablecoin giant announced Thursday it will lead a $150 million recovery program for the Solana-based DEX, with undisclosed partners contributing the remaining $22.5 million. But here’s the catch: the recovery isn’t an upfront bailout.
“Rather than relying on upfront capital alone, the structure links funding and recovery to ongoing trading activity on the Drift platform, allowing user balances to be restored as the exchange returns to normal operations,” Tether stated in its announcement.
Translation: users get paid back as Drift generates revenue, with Tether essentially backstopping the process.
Circle’s Fumble Becomes Tether’s Opportunity
The deal comes with a significant strategic component. Drift will transition its settlement asset from Circle’s USDC to Tether’s USDT when the platform relaunches—a direct consequence of Circle’s controversial response to the April 1 attack.
Onchain investigator ZachXBT documented how the exploiter moved over $232 million in USDC from Solana to Ethereum using Circle’s own Cross-Chain Transfer Protocol. The transfers occurred across more than 100 transactions over six consecutive hours. Circle never froze the funds.
“Despite the attacker laundering funds over six consecutive hours across Circle’s own native bridge, no USDC was frozen,” ZachXBT noted. “The attacker has been linked to North Korea by Elliptic.”
The backlash hammered Circle’s stock, which dropped roughly 10% on April 9 before recovering. The NYSE-traded shares have since climbed about 20% from those lows.
Inside the Six-Month Social Engineering Attack
The Drift exploit wasn’t a smart contract bug—it was far more sophisticated. According to investigations published in early April, North Korean state-affiliated hackers spent six months conducting social engineering operations targeting Drift’s governance layer.
The attackers, linked to the group tracked as UNC4736 (also known as AppleJeus), manipulated Security Council members into signing transactions that unknowingly transferred administrative control. They exploited Solana’s “durable nonces” feature, which allows pre-signed transactions to be executed later.
Once they had admin access, the hackers whitelisted a worthless fake token as collateral, deposited it, and drained real assets including USDC, SOL, and ETH. The stolen funds were swapped to stablecoins, bridged to Ethereum, and converted to ETH.
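A transaction built on a durable nonce stays valid until the nonce is advanced, so a signing workflow can flag one before any council member approves it. The following is an added example, not code from the article, Drift, or Tether: a Python check over a serialized Solana message, assuming the standard message layout and that a durable-nonce transaction carries the System Program's AdvanceNonceAccount instruction first. The function names and sample bytes are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)   # System Program id is 32 zero bytes
ADVANCE_NONCE_ACCOUNT = 4    # SystemInstruction variant index, encoded as u32 LE

def _compact_u16(buf, pos):
    """Decode a compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def durable_nonce_info(message: bytes):
    """Return (nonce_account, nonce_authority) if the first instruction is
    AdvanceNonceAccount (valid until the nonce is advanced); else None."""
    pos = 1 if message[0] & 0x80 else 0      # versioned messages add a prefix byte
    pos += 3                                 # header: three u8 counts
    n_keys, pos = _compact_u16(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                  # skip keys and the recent_blockhash field
    n_ix, pos = _compact_u16(message, pos)
    if n_ix == 0:
        return None
    program_idx = message[pos]
    n_acc, pos = _compact_u16(message, pos + 1)
    acc_idx = message[pos:pos + n_acc]
    data_len, pos = _compact_u16(message, pos + n_acc)
    data = message[pos:pos + data_len]
    if (keys[program_idx] == SYSTEM_PROGRAM and n_acc >= 3 and data_len >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE_ACCOUNT):
        return keys[acc_idx[0]], keys[acc_idx[2]]   # accounts: nonce, sysvar, authority
    return None

def _sample(ix_data: bytes) -> bytes:
    """Constructed legacy message with placeholder keys (not real addresses)."""
    keys = [b"\xA1" * 32, b"\xB2" * 32, b"\xC3" * 32, SYSTEM_PROGRAM]
    head = bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\xEE" * 32
    return head + bytes([1, 3, 3, 1, 2, 0, len(ix_data)]) + ix_data

NONCE_MSG = _sample(struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
PLAIN_MSG = _sample(struct.pack("<IQ", 2, 1000))   # variant 2 = Transfer

if __name__ == "__main__":
    for name, msg in (("nonce", NONCE_MSG), ("plain", PLAIN_MSG)):
        hit = durable_nonce_info(msg)
        print(name, "DURABLE NONCE: escalate before signing" if hit else "ok")
```

A hit does not mean the transaction is malicious; it means the signature will remain usable after the signing session ends, which is the property the attackers relied on.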
What This Means for DeFi Recovery Playbooks
Tether’s involvement signals a shift in how major crypto exploits get resolved. Rather than leaving protocols and their users to absorb losses entirely, industry heavyweights are stepping in—though not without extracting strategic value.
For Drift users, the revenue-linked recovery structure means patience will be required. Full restitution depends on how quickly trading volume returns to the platform post-relaunch.
For the broader Solana DeFi ecosystem, the episode raises uncomfortable questions about governance security that won’t be answered by Tether’s checkbook alone.