April 2026 became the worst month for crypto security in 14 months. According to DeFiLlama, hackers drained $629.7 million across more than 25 attacks, the highest figure since February 2025 when losses hit $1.47 billion. The DeFi sector absorbed most of the damage, with two exploits alone driving 82% of the monthly total.
What is behind the $630M figure?
KelpDAO and Drift Protocol drove the record. KelpDAO lost $293 million in a restaking protocol attack, while Drift Protocol shed $280 million. Together they totaled $573 million, or 82% of all April losses. The remaining 20-plus incidents combined for less than a fifth of the overall figure.
Alongside the large exploits came a wave of smaller but notable attacks. Derivatives platform Wasabi Protocol lost $5.5 million across four networks: Ethereum, Base, Blast, and Berachain. Move-to-earn project Sweat Economy lost $3.46 million in under 30 seconds, roughly 65% of its entire liquidity pool. Stolen funds were later frozen on MEXC and recovery efforts began. Sui-based Aftermath Finance lost $1.1 million in USDC across 11 transactions in 36 minutes.
How did attacker tactics shift?
Yaniv Nissenboim, head of security solutions at Chainalysis, said April's incidents share a common trait: well-resourced attackers have learned to target the seams between on-chain protocols and the off-chain systems they depend on.
He identified four main attack vectors seen this month:
- RPC nodes (remote procedure call) as bridges between the blockchain and external systems, the points where a protocol interacts with the outside world
- Cloud key management systems where protocols store signing secrets
- Long-running social engineering campaigns that can unfold over months before activation
- Cross-chain operations that appear fully legitimate right up to the moment funds are moved
In the KelpDAO case, real-time anomaly detection stopped a second theft of around $95 million. Nissenboim noted that on-chain transactions in these attacks often look normal even after the infrastructure has already been compromised. Automated safeguards are stopping attacks mid-stream more often now, not just after the fact.
Why does DeFi keep drawing attackers?
Cyvers co-founder Meir Dolev described April as a month of "precision strikes": attackers deliberately pick the protocols with the deepest liquidity. Smaller targets simply are not worth their time.
The reason comes down to DeFi's own architecture. High-liquidity protocols depend on bridges and oracles that link multiple blockchains at once. Each connection is a potential entry point. The more chains involved, the wider the attack surface.
Hacken called April the worst month for DeFi in five years. The complexity of cross-chain architectures, combined with growing use of social engineering in bridge attacks, explains why high-liquidity protocols are consistently the first target.
Who is behind the attacks?
Hacken pointed directly to DPRK-linked actors as the perpetrators behind the Kelp and Drift exploits. This aligns with what is known about the Lazarus and Bluenoroff groups: these structures have been attacking crypto projects for years and have become one of the market's structural risks.
TRM Labs published a separate report: DPRK-linked hackers have accumulated $6 billion from crypto theft over their years of activity (going back to around 2017), with 76% of 2026 spoils tied to these groups. The scale shows these are not lone criminals but state-sponsored operations with the resources and patience for long-running campaigns.
What comes next for DeFi?
Standard Chartered analysts, led by Geoffrey Kendrick, are not writing DeFi off. The bank's research note says the KelpDAO exploit and its impact on AAVE is a challenge, not a verdict. A "maturing DeFi industry" will address vulnerabilities at a systemic level, the analysts said, and they expect sector growth to continue.
April's record calls into question not DeFi's resilience as a whole, but specific approaches to infrastructure security. Protocols that invest in real-time off-chain monitoring have a real shot at stopping the next attack before funds leave. The KelpDAO case, where a second $95 million withdrawal was blocked in real time, shows these tools already work.
Comments
Your email address will not be published. Required fields are marked *