The numbers stopped being abstract somewhere around the $500 million mark. By the time the tally crossed $606 million on April 18, crypto’s security problem had graduated from embarrassment to full-blown industry crisis.
Data from DefiLlama shows that 12 separate exploits drained more than $606 million from DeFi protocols in the first 18 days of April 2026, according to analysis by BeInCrypto published through Yahoo Finance. That figure makes April the worst single month for crypto theft since the $1.4 billion Bybit breach in February 2025.
Two Attacks, Nearly All the Damage
Two exploits accounted for roughly 95 percent of April’s losses.
The $285 million Drift Protocol attack struck on April 1, targeting the Solana-based perpetual futures exchange. Blockchain security firm Halborn later attributed the exploit to North Korea’s Lazarus Group, which used a compromised developer endpoint to inject malicious code into a routine protocol upgrade.
Seventeen days later, the $292 million KelpDAO breach hit the Ethereum restaking protocol. LayerZero’s cross-chain messaging infrastructure linked the exploit to Lazarus as well, marking the second time in a single month that the North Korean hacking syndicate had pulled off a nine-figure theft.
The KelpDAO exploit triggered cascading damage. Aave recorded over $10 billion in outflows as users rushed to withdraw collateral. The rsETH liquid restaking token briefly depegged, and more than 20 protocols with exposure to KelpDAO collateral experienced forced liquidations or paused operations. Aave eventually raised $160 million through the DeFi United Fund to cover the bad debt.
Attack Frequency Is Climbing Fast
The raw dollar figures mask an equally troubling trend in frequency. DeFi protocols have suffered 47 separate incidents in the first four and a half months of 2026, compared with 28 over the same period in 2025 – a 68 percent year-over-year increase.
April’s total of $606 million arrived in under three weeks, dwarfing the entire first quarter’s combined losses of $165.5 million. For context, April’s haul is 3.7 times larger than everything stolen between January and March combined.
The attack methods have also diversified. Alongside traditional smart contract exploits, April saw infrastructure attacks targeting developer tools, AI-driven social engineering campaigns against wallet users, and bridge-level exploits that affected multiple chains simultaneously. The Balancer exploiter made headlines again after converting 21,000 ETH into BTC, demonstrating how stolen funds are rapidly laundered across chains.
The “Security Tax” Hits DeFi Valuations
Markets have started pricing in what several analysts are calling a security risk premium on DeFi assets. Protocols with higher TVL but lower audit coverage are trading at steeper discounts than at any point since the Terra collapse.
Cumulative hack losses across the crypto industry have now crossed $17 billion over the past decade, according to crypto.news tracking data. The shift in attacker behavior is clear: rather than hunting for code bugs, sophisticated groups like Lazarus are targeting private keys, signing infrastructure, and human error.
Jefferies warned in a note to clients that the string of marquee hacks could temporarily slow Wall Street’s appetite for DeFi tokenization projects. Several institutional players have responded by setting up emergency rate limits and freezing bridge flows as a precaution.
What Comes Next
With ten days still remaining in April at the time of the latest tally, analysts warned that even one more mid-size exploit could push the month toward $700 million. Year-to-date losses have already reached approximately $772 million across 47 incidents.
The industry response is fragmented. Some protocols are doubling down on real-time monitoring and formal verification. Others are exploring insurance pools modeled on traditional finance. But no consensus has emerged on how to address the root cause: DeFi’s enormous attack surface continues growing faster than its security infrastructure can keep up.
FAQ
Who is behind most of the April 2026 crypto hacks?
North Korea’s Lazarus Group has been linked to the two largest exploits – the $285 million Drift Protocol attack and the $292 million KelpDAO breach – which together account for roughly 95 percent of April’s losses.
How does April 2026 compare to previous hack months?
It’s the worst month since the $1.4 billion Bybit breach in February 2025. April’s $606 million in 18 days is 3.7 times larger than the entire first quarter of 2026 combined.
Is DeFi safe to use right now?
The risk level depends on the protocol. Users should check whether their protocol has undergone recent audits, whether it has exposure to recently exploited collateral types, and whether it maintains a bug bounty program. Diversifying across protocols and chains remains the basic risk management approach.
