April 2026: Crypto's Most-Hacked Month on Record With $635M in Losses
April 2026 ended as the most-hacked month in the history of decentralized finance. DefiLlama confirmed between 28 and 30 separate exploits, with total losses exceeding $625 million — a figure other trackers put as high as $635.24 million, the highest monthly total since the Bybit exchange breach in February 2025. The month averaged close to one attack per day, a pace that far outstripped any previously recorded period.
Two Attacks, One Month, Catastrophic Scale
The month's damage was driven primarily by two large incidents. On April 1, Drift Protocol on Solana lost approximately $285 million in a social-engineering attack linked in reporting to North Korea's Lazarus Group. Around April 18, KelpDAO experienced a message-spoofing exploit targeting a LayerZero cross-chain bridge, with estimated losses near $293 million. Together, these two events accounted for the vast majority of April's total losses.
The Drift Protocol hack involved three weeks of pre-attack staging and months of social engineering to compromise protocol signers; the full drain itself was executed in approximately 12 minutes. The KelpDAO hack exploited a single-verifier design flaw in a LayerZero bridge, with proceeds later laundered through THORChain after $75 million was frozen on Arbitrum.
Smaller Incidents Across the Ecosystem
Beyond the two headline exploits, the remaining attacks reinforced how broad the attack surface had become across DeFi:
- Rhea Finance lost $18.4 million, Grinex $15 million, Wasabi Protocol approximately $5 million, and Volo Vault and Sweat Foundation $3.5 million each.
- Most smaller incidents ranged from $50,000 to $3–5 million, hitting lending protocols, decentralized exchanges, and infrastructure solutions.
- Despite code bugs being the root cause of the majority of hacks, they accounted for only around $42 million — approximately 6.6% — of April's total losses.
North Korea's Outsized Role
North Korean hackers, operating across two distinct groups, stole approximately $577 million in 2026 year-to-date — 76% of all crypto hack losses through April, across just a handful of attributed incidents. Both the Drift and KelpDAO attacks have been linked to the TraderTraitor cluster, a subgroup of the Lazarus Group. The breaches were not caused by code bugs or aggressive cyberintrusions, but resulted from months-long operations combining social engineering with otherwise legitimate access to the protocols.
DeFi Market Reaction
The KelpDAO exploit prompted rapid withdrawals across decentralized finance, with more than $14 billion in total value locked leaving DeFi protocols within days, concentrated in bridges and lending platforms as users reduced exposure to cross-chain risk. Aave alone dropped from $26.4 billion to near $17.9 billion in TVL following the exploit.
Context and Outlook
For comparison, the entire first quarter of 2026 saw $165.5 million in losses — April's total arrived in a single month, making it 3.7 times larger than Q1 combined. DeFi's cumulative hack losses have now crossed $17 billion over the past decade, with attackers increasingly pivoting away from smart contract bugs toward private keys, signing infrastructure, and human-layer social engineering. Security researchers have flagged cross-chain bridge architecture and social engineering as the dominant vectors requiring urgent attention heading into Q2 2026.
Published by Coinplurk.com