Quick Summary — Article 2
- Crypto protocols lost over $606 million to hacks across 12 incidents in just 18 days of April 2026
- Two attacks account for 95% of April’s losses: $285M Drift Protocol and $292M KelpDAO — both linked to North Korea’s Lazarus Group
- April’s losses are already 3.7 times larger than the entire first quarter of 2026 combined
- DeFi attack frequency has risen 68% year-over-year — 47 incidents in 2026 vs 28 in the same period of 2025
- Hackers are now targeting private keys and signing infrastructure rather than smart contract bugs
Table of Contents
The numbers are stark. In just 18 days of April 2026, cryptocurrency protocols lost more than $606 million to hackers and exploits — making it the worst month for crypto theft since the $1.4 billion Bybit breach that defined February 2025. What makes April’s losses particularly alarming is not just their scale, but their concentration: two attacks alone — both linked to North Korea’s Lazarus Group — account for 95% of the month’s total.
According to data tracked by DefiLlama and analysed by BeInCrypto, April’s $606 million across 12 separate incidents has already eclipsed the entire first quarter of 2026, which saw combined losses of $165.5 million. That makes April roughly 3.7 times as destructive as January, February and March combined — in less than three weeks.
April 2026 Crypto Hack Tracker
| Metric | Figure |
|---|---|
| Total lost (first 18 days) | $606+ million |
| Number of incidents | 12 |
| Drift Protocol exploit | $285 million |
| KelpDAO breach | $292 million |
| Q1 2026 total losses | $165.5 million |
| 2026 YTD total | $771.8 million |
| Attack frequency (2026 vs 2025) | +68% YoY |
The Two Attacks Behind 95% of the Damage
The Drift Protocol exploit, which occurred on April 1 and was later attributed to North Korea’s Lazarus Group, resulted in losses of $285 million. Drift Protocol is a decentralised exchange and derivatives platform built on Solana. The attack was sophisticated in its execution, targeting the protocol’s infrastructure rather than exploiting a simple smart contract vulnerability.
The KelpDAO breach followed on April 18, resulting in losses of $292 million — the larger of the two. KelpDAO is a liquid restaking protocol built on Ethereum, and the attack sent shockwaves far beyond the protocol itself. According to data from DefiLlama, the exploit triggered over $10 billion in Aave outflows and affected more than 20 connected protocols — a vivid illustration of how interconnected DeFi infrastructure has become, and how a single breach can cascade across an entire ecosystem.
North Korea’s Lazarus Group: The Persistent Threat
Both the Drift and KelpDAO attacks have been attributed to the Lazarus Group — North Korea’s state-sponsored hacking unit, which has become the single most prolific and destructive actor in crypto security incidents. Lazarus is believed to have stolen billions of dollars in cryptocurrency over the past several years, with the proceeds used to fund North Korea’s weapons programmes according to multiple international intelligence assessments.
The group’s ability to execute attacks of this scale against sophisticated DeFi protocols reflects a significant evolution in their capabilities. Early Lazarus attacks tended to target centralised exchanges through phishing and social engineering. The pivot toward DeFi protocol attacks — which require a deep understanding of complex smart contract architecture — signals a substantial upgrade in technical sophistication.
Attack Frequency Is Rising Faster Than Dollar Losses
Dollar losses are one measure of the problem. Attack frequency is arguably a more alarming indicator. DeFi recorded 47 separate incidents in the first four and a half months of 2026, compared with 28 over the same period in 2025 — a 68% year-over-year increase. At the current pace of approximately one attack every 2.9 days, the industry is on track for over 120 DeFi security incidents in 2026 alone.
Security researchers point to two structural factors driving this acceleration. First, DeFi’s total value locked has exceeded $120 billion, creating an increasingly attractive target. Second, the proliferation of cross-chain bridge infrastructure has dramatically expanded the attack surface — bridges are notoriously difficult to secure because they require coordination across multiple blockchain environments with different security models.
How Hackers Have Changed Their Tactics
The industry’s security posture has improved considerably against smart contract vulnerabilities since 2021. Formal verification, professional auditing, and bug bounty programmes have made straightforward code exploits harder to execute. In response, attackers have pivoted to a different category of target: private keys, signing infrastructure, and human-layer social engineering.
This shift is significant because it means that even perfectly audited smart contract code provides no protection if the private keys controlling privileged functions are compromised. A protocol can pass every security audit and still be devastated by a compromised developer wallet or a manipulated multi-signature process.
How the Industry Is Responding
The industry’s response to April’s losses has been multi-layered. At the protocol level, emergency rate limits and frozen bridge flows have become standard crisis responses. Jefferies analysts have warned that the string of high-profile hacks could temporarily slow Wall Street’s appetite for DeFi tokenisation projects — a meaningful concern given how much institutional interest has been building in this space.
At the governance level, Aave, Ether.fi, KelpDAO, LayerZero, and Compound have jointly submitted a proposal to the Arbitrum DAO requesting the release of ETH frozen by the Arbitrum Security Council following the April 18 rsETH incident — an attempt to coordinate a recovery that distributes losses more equitably across the affected ecosystem.
Frequently Asked Questions
How much has been stolen in crypto hacks in April 2026?
Over $606 million was stolen from crypto protocols across 12 separate incidents in just the first 18 days of April 2026, according to data from DefiLlama. Two attacks — the $285 million Drift Protocol exploit and the $292 million KelpDAO breach — account for approximately 95% of the month’s total.
Who is responsible for the biggest crypto hacks of April 2026?
Both the Drift Protocol and KelpDAO attacks have been attributed to North Korea’s Lazarus Group — a state-sponsored hacking unit believed to fund North Korea’s weapons programmes through cryptocurrency theft. The group has been responsible for billions in crypto losses over the past several years.
Is DeFi becoming more dangerous to use?
Attack frequency has risen 68% year-over-year in 2026, with approximately one DeFi incident occurring every 2.9 days. However, the nature of attacks has shifted from smart contract exploits — which auditing can mitigate — toward private key compromise and social engineering, which are harder to defend against through code audits alone.
How does the KelpDAO hack compare to previous crypto breaches?
The $292 million KelpDAO breach is significant not just for its size but for its cascading effect — triggering over $10 billion in Aave outflows and affecting more than 20 connected protocols. This interconnected fallout illustrates the systemic risk that large DeFi exploits now pose across the entire ecosystem.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.