OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Apr 30, 2026· 5 min read

$629M Drained in April, the Worst Crypto-Theft Month Since 2024

On Wednesday, April 30, DefiLlama published the final April tally: $629.69 million stolen across 12+ documented incidents, the worst single month for crypto theft since the $1.4 billion Bybit breach in February 2025 and the most incidents in a single month in industry history. CertiK's parallel tracker puts the figure at $650.9 million, calling it the worst month since March 2022. DeFi protocols accounted for $614.17 million of total losses. Two attacks alone, Drift Protocol on April 1 and Kelp DAO on April 18, account for approximately 95% of the month's losses, both attributed to North Korea's Lazarus Group. The pattern is not a wave of many small attacks. It is a few surgical operations against high-value targets. April closes with the structural shift the security community has been warning about for years finally measurable: the primary attack vector is no longer smart contract code. It is trust-chain compromise and cross-chain verification failure.

Key takeaways

  1. DefiLlama's final April 2026 tally posted Wednesday on X: $629.69 million stolen across 12+ documented incidents, with $614.17 million coming from DeFi protocol hacks and only $3.13 million from bridge-specific exploits. The remaining losses came from signing infrastructure compromises and operational failures. April 2026 is the most-hacked month in crypto history by number of incidents and the worst by total losses since February 2025's $1.47 billion Bybit breach
  2. CertiK's parallel security tracker puts the April figure at $650.9 million, the worst month since March 2022's $715 million. The discrepancy between the two sources reflects different inclusion criteria for scams, phishing, and operational failures. Both sources agree the month was a structural inflection rather than a normal variance
  3. Two attacks account for roughly 95% of April's losses and both have been attributed to North Korea's Lazarus Group. Drift Protocol on April 1 ($285 million, drained from a Solana perpetuals exchange via months of in-person social engineering and Solana durable-nonce abuse). Kelp DAO on April 18 ($292 million, drained via a single-verifier design flaw in the LayerZero-based bridge after attackers compromised internal RPC nodes and forced failover under DDoS pressure). The remaining 5% spread across smaller exploits including Wasabi Protocol ($5.5M drained April 28-29 across Ethereum, Base, Blast, and Berachain), Silo Finance ($392K oracle misconfiguration), Dango ($410K smart contract bug), and several smaller incidents
  4. The institutional response has begun. Aave launched a 'DeFi United' initiative raising over $200 million to backstop affected assets after carrying $246 million in bad debt from the Kelp DAO exploit. Jefferies issued a research note warning the hack streak could slow Wall Street's appetite for DeFi tokenization projects. Cumulative crypto hack losses now exceed $17 billion over the past decade per DefiLlama, with North Korea-linked actors responsible for approximately 64% of 2025 totals and 76% of 2026 year-to-date losses
  5. The pattern of April's exploits is 'few attacks, huge losses,' not a wave of many small incidents. The two large breaches account for roughly 95% of the month. Removing them leaves about $50 million across 10+ smaller exploits, which is a quiet month by 2025-2026 standards. The defensive implication is structural: the high-value target surface is now a small number of high-trust, high-privilege systems, and a sufficiently patient state actor will exhaust the defender's verification budget against any one of them

What Happened

DefiLlama posted the final April 2026 tally on Wednesday, April 30: 'April ends as the most-hacked month in crypto history, by number of incidents.' The total reached $629.69 million across more than 12 documented exploits, the highest monthly total since February 2025's $1.47 billion Bybit breach more than 14 months ago. Of that total, $614.17 million came from DeFi protocol hacks specifically. CertiK's parallel security tracker put the number slightly higher at $650.9 million when scams and phishing campaigns are included alongside direct exploits, calling it the worst month since March 2022.

April's $629 million is approximately 3.7 times larger than the entire first quarter combined. Q1 2026 saw $165.5 million across 47 incidents in three months. April produced more than that in 18 days. The acceleration is real, the concentration is real, and the attribution is increasingly consistent: the same nation-state actor across the largest exploits of the month, with TRM Labs and Chainalysis converging on a 76% share of 2026 year-to-date losses attributed to North Korea-linked operations.

Two Attacks, 95% of the Damage, Two Different Failure Modes

Drift Protocol on April 1: $285 million drained from a Solana-based perpetuals exchange after attackers spent months posing as a legitimate trading firm. The campaign began in fall 2025 with in-person meetings between North Korean proxies and Drift employees at industry events. Once relationships were established, the attackers used Solana durable nonces, a feature that allows transactions to be signed in advance and broadcast later, to convert routine pre-signed approvals from Security Council members into delayed exploits. Once admin control was transferred, the attackers whitelisted a fake token called CVT as accepted collateral, deposited the fake collateral, and used it to withdraw real assets from vaults. The full drain executed in approximately 12 minutes. This is a trust-chain compromise: the attack succeeded at the human and governance layer, with the technical layer used to convert that compromise into a fast extraction.

Kelp DAO on April 18: $292 million drained when attackers exploited a single-verifier design flaw in Kelp's LayerZero-based bridge. The mechanism was specific. Attackers compromised internal RPC nodes Kelp's bridge relied on, then applied DDoS pressure to force failover to the compromised nodes. Once the bridge was reading from attacker-controlled infrastructure, false cross-chain messages were accepted as legitimate, releasing 116,500 rsETH to attacker wallets. Aave was left holding $246 million in bad debt. The cascading withdrawals took $8 billion off Aave's TVL within 24 hours and led to emergency freezes at SparkLend, Fluid, Lido's earnETH product, and Ethena's LayerZero OFT bridges. Arbitrum's Security Council seized $71 million of the attacker funds. The unfrozen funds moved through THORChain, a route that matches prior North Korean cash-out behavior. This is a cross-chain verification failure: the bridge architecture trusted a small number of verifier nodes, and the architecture was the vulnerability, not any single line of code.

These two attacks together drove the April total. Removing them leaves about $50 million across 10+ smaller exploits, which is closer to a quiet month by 2025-2026 standards. The structural read is that April was not a sudden environmental shift but the year a persistent, well-resourced, state-backed adversary delivered two surgical operations against high-value DeFi targets in the same month, exploiting two different categories of failure: trust-chain compromise at Drift, cross-chain verification failure at Kelp.

What April Means About 2026

Three structural patterns are now confirmed by the April data. First, smart contract code is no longer the primary target. Of the $614.17 million in DeFi losses, almost none came from the kind of code-level smart contract bug that dominated 2020-2023. The losses came from bridge architecture trust assumptions, privileged access compromise via social engineering, signing infrastructure exploitation through durable-nonce abuse, and cross-chain verification design flaws. The protocols upgraded their code. The attackers moved up the stack to humans and across the stack to topology.

Second, the bridge problem the industry has known about since 2021 has not been fixed. Cross-chain bridges have lost over $2.8 billion since 2021, roughly 40% of every dollar stolen in DeFi history. Kelp DAO's exploit operated on the same fundamental pattern as the Ronin Bridge hack four years earlier: the bridge held the collateral backing wrapped tokens on other chains, the bridge's verifier or messaging layer got tricked, the funds drained, the wrapped tokens on every downstream chain became uncollateralized. The mechanism is well-understood. The economic incentive to consolidate liquidity through bridges has overridden the security argument for years and continues to. Verifier centralization is the specific weakness that needs to be addressed, and Kelp showed that even bridges with documented multi-verifier designs can be reduced to single-verifier operation under sufficient adversarial pressure.

Third, North Korea's crypto theft operation is no longer episodic. It is a sustained, state-funded revenue operation running multi-month campaigns with intelligence-service-level operational sophistication. The attribution share has risen from under 10% in 2020-2021 to 22% in 2022, 37% in 2023, 39% in 2024, 64% in 2025, and 76% in 2026 year-to-date. That trajectory is its own story: a maturing state capability focused on a small number of high-payoff operations rather than broad opportunistic crime. The defensive question for the industry is no longer 'how do we patch this hole?' It is 'how do we operate against an adversary that will spend six months and significant payroll to find the next hole?'

What This Means for You

If you self-custody Bitcoin and do not interact with DeFi, April's losses do not change your operational risk directly. None of the $629 million was drained from people holding native BTC in their own keys with their own hardware. The damage was concentrated in pooled liquidity, wrapped assets, bridge reserves, and the signing infrastructure of protocol teams. Self-custody of native BTC remained outside the attack surface for the entire month. That is not luck. It is the structural property the rest of this site exists to defend.

If you hold tokenized assets, wrapped BTC, or any DeFi position, April is the data point that should reset your operational assumptions. Wrapped tokens on a layer-2 are exposed to bridge solvency and verifier topology. Yield-bearing positions are exposed to protocol custody and admin keys. ETF shares are exposed to the custodian's signing infrastructure. Each of those layers added attack surface in April that did not exist 12 months ago, because the attackers moved up the stack to where the high-value pooled liquidity sits. The honest framing: any asset you hold through a vehicle, any vehicle, depends on the operational security of whoever is running the vehicle, and 2026 has demonstrated that operational security is the actual ceiling on how much value can be safely held in pooled venues.

If you operate a multi-sig or governance system for institutional or family-office Bitcoin holdings, the trust-chain compromise vector documented in the Drift breach is now part of your threat model whether you account for it or not. The mitigation is procedural rather than technical: pre-arranged out-of-band verification codes for any signing event, geographic separation of signers, mandatory cooling-off periods on any new counterparty's first three operations, written justification logs for unusual transactions, and specific awareness of durable-nonce abuse patterns on Solana or any chain where transactions can be signed in advance and broadcast later. The Mandiant report on UNC1069 (covered April 24) named the same lesson at the individual level. April confirmed it at the institutional level.

What to Watch

Watch May. If the pace continues, 2026 is on track to surpass 2022's $3.8 billion in stolen crypto. Watch DefiLlama's tracker for early-May incidents to see whether the April surge was concentrated or sustained. Watch whether Aave's $200 million 'DeFi United' backstop holds against future incidents and whether other protocols establish similar mutual-aid mechanisms. Watch Jefferies and the institutional research community to see whether the hack streak actually slows tokenization plans or whether the demand for yield overcomes the documented risk. Watch the next North Korea sanctions or US Treasury OFAC action, because the 76% attribution figure will eventually generate a policy response. Watch for the next incident framed as either trust-chain compromise or cross-chain verification failure, because those two categories are now the dominant DeFi loss vectors and the next major exploit will almost certainly fit one of them.

Few attacks, huge losses. Trust-chain compromise at Drift, cross-chain verification failure at Kelp. Two different failure modes, one adversary, one month.

Sources

  1. [1]DeFiLlama — final April 2026 hack tally posted to X, April 30, 2026
  2. [2]TRM Labs — North Korea cryptocurrency theft attribution analysis through April 2026, including Drift Protocol and Kelp DAO operational details
  3. [3]Chainalysis — 2025 cryptocurrency theft attribution report, North Korea state actor share approximately 64% (2026 share rising to 76%)
  4. [4]CryptoTimes — '$629M Lost: April 2026 Marks Worst Month for Crypto Hacks', April 30, 2026
  5. [5]CryptoNews / Cointelegraph — 'Crypto hack losses top $630M in April, highest since February 2025', April 30, 2026
  6. [6]Coinpedia — 'Crypto Hacks Hit $650M in April, Biggest Losses Since 2022: CertiK', April 30, 2026
  7. [7]Live Bitcoin News — 'April 2026 Crypto Hacks Hit $620M as Bridge Failures and Admin Exploits Dominate Attacks', April 26, 2026
  8. [8]24/7 Wall St. — 'The Crypto Industry Just Had Its Worst Month of Hacks in Over a Year', April 24, 2026 (cited for $17B cumulative figure and Mitchell Amador quote)

More in Threats

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price