April 2026: Crypto Hacks Drain Over $600 Million in Just 18 Days
In less than three weeks, the cryptocurrency sector lost more than $606 million in a wave of attacks targeting DeFi protocols and cross-chain bridges. April 2026 is already shaping up as the worst month for crypto security since the Bybit heist in February 2025, which saw $1.4 billion vanish in a single incident. Two attacks stand out for their scale: the $285 million Drift Protocol exploit on April 1, followed by a $292 million breach at Kelp DAO on April 19. Funds were partially routed to centralized exchanges, and North Korean group Lazarus has been identified as responsible for at least one of the two attacks.

Context
The decentralized finance (DeFi) market has grown rapidly over the past two years, with billions of dollars locked in lending protocols, exchanges, and staking platforms across Ethereum, Solana, and other blockchains. This concentrated liquidity represents a prime target for attackers, especially when security mechanisms rely on trust assumptions that do not hold up in practice.
Since the start of 2026, the sector has lost more than $786 million according to data compiled by DefiLlama. April was particularly hard hit: twelve distinct incidents were recorded in eighteen days, according to the platform’s tracking. The distinguishing feature of this wave is the convergence of attack methods, with a marked preference for cross-chain bridges that enable asset transfers between multiple networks.
The Facts
On April 1, 2026, Drift Protocol, the largest decentralized perpetual futures exchange on Solana, confirmed a major attack on its vaults. Attackers drained approximately $285 million in twelve minutes, before transferring the bulk of the funds to Ethereum within hours. The Drift team stated on X (formerly Twitter) that the incident was "not an April Fool’s joke," using the date to underscore the severity of the situation.
Blockchain security researchers, including on-chain analyst ZachXBT, identified the Lazarus Group as responsible for this attack. The North Korean collective, which had already carried out several massive heists in the sector including the Bybit hack, allegedly spent approximately six months conducting social engineering operations to compromise administrative keys at the protocol, according to multiple specialized sources. The amount diverted represents more than half of the total liquidity available on the protocol at the time of the attack.
Eighteen days later, on April 19, Kelp DAO was hit in turn. The Ethereum restaking protocol lost $292 million in the exploitation of its LayerZero bridge. The attacker withdrew 116,500 rsETH from the bridge contract, representing approximately 18% of the circulating supply of this liquid restaking token. The attack froze rsETH markets across twenty blockchains, and lending protocol Aave was forced to take emergency measures to protect its users against the sudden drop in collateral value.
Analysis
Both attacks illustrate an evolution in the methods of cryptocurrency-targeting hacking groups. For Drift Protocol, attackers relied on oracle manipulation: they created a fictitious token called Carbonvote Token (CVT), seeded it with a few thousand dollars of liquidity on Raydium, and then engaged in wash trading to establish a price history that Drift’s oracles integrated as legitimate value. The protocol then accepted this token as collateral for hundreds of millions of dollars in loans, enabling the attackers to drain the real vaults.
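A defender-side view of the collateral problem described above, as an added example that is not code from Drift or any other protocol: a hypothetical lending protocol screens a collateral token for thin liquidity, short history and wash-trading-like turnover, and never values collateral above a fraction of real pool depth. All thresholds, field names and sample figures are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class PoolStats:
    """Constructed market snapshot for one candidate collateral token."""
    liquidity_usd: float      # depth of the deepest spot pool
    volume_24h_usd: float     # reported 24h traded volume
    unique_traders_24h: int   # distinct addresses behind that volume
    age_days: int             # days since the pool was created

# Hypothetical policy thresholds (assumptions, not any protocol's real values).
MIN_LIQUIDITY_USD = 1_000_000
MIN_AGE_DAYS = 90
MAX_TURNOVER = 5.0          # volume / liquidity above this is suspicious...
MIN_TRADERS = 200           # ...when it comes from this few addresses
DEPTH_HAIRCUT_BPS = 1_000   # 10% of pool depth assumed sellable in a liquidation

def listing_flags(p: PoolStats) -> list[str]:
    """Return the reasons a token should not be accepted as collateral."""
    flags = []
    if p.liquidity_usd < MIN_LIQUIDITY_USD:
        flags.append("thin_liquidity")
    if p.age_days < MIN_AGE_DAYS:
        flags.append("short_history")
    turnover = p.volume_24h_usd / max(p.liquidity_usd, 1.0)
    if turnover > MAX_TURNOVER and p.unique_traders_24h < MIN_TRADERS:
        flags.append("wash_trading_pattern")
    return flags

def depth_capped_value(amount: float, oracle_price: float, p: PoolStats) -> float:
    """Value collateral at the oracle price, but never above sellable depth."""
    sellable = p.liquidity_usd * DEPTH_HAIRCUT_BPS / 10_000
    return min(amount * oracle_price, sellable)

def collateral_value_usd(amount: float, oracle_price: float, p: PoolStats) -> float:
    """Flagged tokens count for nothing; clean ones are depth-capped."""
    if listing_flags(p):
        return 0.0
    return depth_capped_value(amount, oracle_price, p)
```

With a pool holding a few thousand dollars of liquidity, the depth cap alone bounds the collateral value to a few hundred dollars regardless of the price history the oracle reports.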
For Kelp DAO, the attack exploited a flaw in the operation of the LayerZero bridge, which routes messages between different blockchains. The attacker was able to spoof bridge messages to release funds without a real deposit. This type of attack, called bridge message spoofing, makes it possible to drain the entirety of a wrapped token’s reserves across multiple networks in a single transaction. The technical complexity required to organize this type of exploitation remains high, but the potential returns are commensurate.
Restaking protocols like Kelp DAO present a specific systemic risk. When tokens like rsETH are used as collateral across multiple lending platforms (Aave, SparkLend, Fluid, Upshift), a flaw in their reserves can create rapid contagion. If users hold tokens that are no longer fully backed by reserves, lending protocols must process forced liquidations that amplify the price drop.
Market Reactions
Following the attack on Drift Protocol, the DRIFT token fell more than 40% within hours. The protocol’s total value locked (TVL) dropped from approximately $550 million to under $300 million in less than an hour. The impact on the Solana market was limited, but investors began withdrawing funds from DeFi protocols seen as potential targets for similar attacks.
For Kelp DAO, the collapse in rsETH value triggered protective measures on lending platforms. Aave activated mechanisms to prevent positions that were entirely undercollateralized from generating losses for the protocol. The rsETH market was frozen on several networks, leaving holders unable to transfer or sell their tokens. The total value locked in these restaking products was particularly exposed to this type of counterparty risk.
Suspicious transaction volumes increased across several blockchains according to on-chain data. TRM Labs, which specializes in blockchain analysis for criminal investigations, noted a rise in transfers linked to established hacker groups. Trading platform TradeOgre was identified as a frequent transit point for diverted funds related to illegal darknet markets, ransomware, and scams.
Perspectives
The sector faces mounting pressure to strengthen security mechanisms for cross-chain bridges and DeFi protocols. Smart contract audits remain insufficient against the growing complexity of multi-chain architectures. Several specialized firms, including Sherlock and Trail of Bits, have issued repeated warnings about implicit trust models in bridge protocols.
Proposed technical solutions include adding extra validation layers, imposing delays for large transactions, and implementing time-locks for governance operations. Protocols that have implemented these protections have generally resisted recent attacks better. However, the implementation cost of these measures remains high, and not all projects have the resources to apply them.
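The "delays for large transactions" idea, sketched as an added example that is not code from Kelp DAO, LayerZero or any other project: a hypothetical bridge-side guard releases small outflows immediately, queues anything that would exceed a rolling 24-hour limit behind a time-lock, and lets a guardian cancel queued releases. The class name, the limits and the supply figure (constructed so that 116,500 tokens is roughly 18% of it) are assumptions.

```python
from dataclasses import dataclass, field

DAY = 86_400  # seconds

@dataclass
class OutflowGuard:
    supply: float                  # circulating supply of the wrapped token
    window_limit_bps: int = 200    # hypothetical: 2% of supply per rolling 24h
    delay: int = DAY               # hypothetical time-lock on queued releases
    released: list = field(default_factory=list)  # (timestamp, amount) pairs
    queue: dict = field(default_factory=dict)     # request id -> (ready_at, amount)
    _next_id: int = 0

    def _window_total(self, now: int) -> float:
        """Amount already released inside the last 24 hours."""
        return sum(a for t, a in self.released if now - t < DAY)

    def request(self, amount: float, now: int):
        """Release immediately if under the rolling limit, otherwise queue."""
        limit = self.supply * self.window_limit_bps / 10_000
        if self._window_total(now) + amount <= limit:
            self.released.append((now, amount))
            return ("released", None)
        self._next_id += 1
        self.queue[self._next_id] = (now + self.delay, amount)
        return ("queued", self._next_id)

    def cancel(self, req_id: int) -> bool:
        """Guardian action: drop a queued release during the delay window."""
        return self.queue.pop(req_id, None) is not None

    def execute(self, req_id: int, now: int) -> bool:
        """Complete a queued release once its time-lock has expired."""
        ready_at, amount = self.queue[req_id]
        if now < ready_at:
            return False
        del self.queue[req_id]
        self.released.append((now, amount))
        return True
```

A single request for 116,500 tokens against a 647,000 supply lands in the queue instead of leaving the bridge, which gives monitoring and guardians the delay period to verify the matching deposit and cancel if there is none.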
For investors, caution is warranted. DeFi protocols presenting suspicious volume levels on their collateral tokens, centralized admin keys, or unaudited bridge integrations should be subject to particular scrutiny. Diversifying positions and avoiding massive exposures to a single protocol remain the most robust strategies against this type of risk.

