In April 2026, crypto market suffered 27 attacks totaling $627 million stolen. Two incidents account for the bulk of the damage: Drift Protocol on Solana and KelpDAO on Ethereum. In both cases, it was not a code vulnerability that caused the collapse, but methodical infiltration operations carried out over several months.
To summarize
• 27 hacks in April 2026 for $627 million stolen, the worst month since February 2025.
• Drift Protocol and KelpDAO alone account for 95% of the month’s losses.
• People are wondering if it will be the same in May.
The darkest month in over a year
The numbers speak for themselves.
April 2026 closes with $627 million stolen across 27 separate DeFi incidents, according to DefiLlama data. That makes it the worst monthly total since the Bybit hack in February 2025, which cost the industry $1.4 billion.
To grasp the scale of the shock, the comparison with Q1 says it all. The first three months of 2026 had accumulated $165.5 million in losses. April alone represents 3.7 times that total, in just 18 days of active attacks.
The annual trend is equally alarming. Over the first four months of 2026, DeFi recorded 47 incidents compared to 28 over the same period in 2025, a roughly 68% increase year-over-year. The annual total has already reached $771.8 million, and the year is far from over.
Drift and KelpDAO : two attacks, one method
Two attacks concentrate 95% of April’s losses. And they share one defining characteristic: neither exploited a bug in the code.
On April 1, Drift Protocol, the largest perpetual futures platform on Solana, lost $285 million. The attacker did not force the doors open. They got in through trust.
For months, a group disguised itself as a legitimate quantitative trading firm to infiltrate the team’s inner circle. By manipulating security council signatures during a contract migration that had temporarily removed protection delays, the protocol was drained in under 20 minutes.
On April 18, it was KelpDAO’s turn. Attackers exploited the LayerZero V2 bridge of the rsETH protocol, configured as a single point of failure. 116,500 rsETH tokens were stolen, worth approximately $292 million, the largest hack of 2026 so far.
But the attack did not stop there. The stolen funds were immediately reused as collateral on Aave to borrow massive amounts of Wrapped Ether, amplifying the damage well beyond the initial protocol.
Both attacks have been linked to the Lazarus Group, the North Korea-affiliated hacking collective already responsible for some of the largest thefts in crypto history.
Also worth checking on Cryptonomic:
- Why Is Vitalik Buterin Selling All His Ethereum?
- Be careful if you hold the ONDO cryptocurrency
- Did the US government lose $40 million in Bitcoin?!
Damage that goes far beyond the numbers
The KelpDAO hack triggered an immediate chain reaction across Aave.
The TVL of the largest DeFi lending protocol collapsed from $26.4 billion to approximately $17.9 billion within a matter of days. The AAVE token dropped 16%, falling to $92. The protocol is left holding hundreds of millions of dollars in bad debt, and questions remain open about the reserve fund’s ability to absorb the full losses.
Other incidents added to the month’s toll. CoW Swap suffered a DNS hijacking, redirecting users to fraudulent interfaces. The BNB Smart Chain lost $1.67 million through flash loans. Step Finance lost $27.3 million via private key compromise. And Litecoin suffered a 13-block reorganization attack on April 25, exploiting its MWEB privacy layer.
What emerges from this wave of incidents is a structural shift in how attackers operate. Smart contract bugs are no longer the primary entry point. Hackers are now targeting critical infrastructure: cross-chain bridges, private keys, and the humans who manage the protocols. A shift that makes defense far more complex, because it cannot be solved with code alone.
Follow the story on Cryptonomic.
Pingback: Strategy Pauses Bitcoin Buys Ahead of Q1 Earnings - Cryptonomic