Key Takeaways
- Data from DeFi Llama shows April 2026 recorded the highest number of crypto security incidents in history
- Approximately 24 separate breaches occurred, resulting in combined losses surpassing $600 million
- Kelp DAO suffered the month’s most significant attack, losing $292 million
- Drift Protocol experienced the second-largest breach at over $280 million, which security experts characterized as a months-long “structured intelligence operation”
- Security researchers identified an active exploit targeting inactive Ethereum wallets on April 30
The cryptocurrency industry experienced its darkest period on record during April 2026, establishing a new benchmark for security failures. While previous months saw larger total dollar amounts stolen, April distinguished itself through the unprecedented frequency of attacks. Data analytics platform DeFi Llama verified that monthly exploit counts easily exceeded 20 for the first time in documented history.
Industry analyst Stacy Muur documented no fewer than 24 distinct security breaches by month’s end, with aggregate financial damage crossing the $600 million threshold.
The month’s most damaging single incident targeted Kelp DAO, a decentralized finance protocol, resulting in $292 million in losses. This massive exploit raised alarm bells about potential bad debt exposure at Aave, a leading DeFi lending platform. Multiple entities stepped forward with emergency financial assistance and contributions to help address the deficit.
Claiming second place among April’s attacks was Drift Protocol, a perpetuals trading platform built on Solana, which saw more than $280 million disappear. The Drift team later clarified that this wasn’t a straightforward smart contract vulnerability. They characterized the breach as a sophisticated “structured intelligence operation” that adversaries had carefully planned over approximately half a year.
Human Manipulation Overtakes Technical Exploits
The tactics employed throughout April’s security incidents have become a focal point of industry discussion. An X user known as CuriousCrypto pointed out that neither the Drift nor Kelp DAO breaches stemmed from flaws in their underlying smart contract code. Instead, threat actors leveraged social engineering techniques to compromise individuals holding administrative access credentials.
This revelation carries significant implications. It demonstrates that comprehensive code audits and technical reviews alone cannot serve as complete protection against determined attackers.
Hyperbridge, a protocol native to the Polkadot ecosystem, also fell victim during April, losing $2.5 million. The perpetrator initially extracted roughly 245 ETH before deploying a counterfeit cross-chain communication to circumvent critical security protocols. This manipulation enabled them to create approximately one billion bridged DOT tokens and liquidate them through market sales.
Long-Dormant Ethereum Accounts Compromised
Blockchain security researcher Wazz raised an alert on April 30 regarding what appeared to be an ongoing exploit affecting Ethereum’s main network. Hundreds of wallet addresses, including many that had remained dormant for more than seven years, were systematically emptied by an identical attacker address within a compressed timeframe.
Wazz characterized the situation as a “new live exploit, worth flagging,” although comprehensive details remained unverified as of publication.
According to one analysis, the Lazarus Group, a cybercriminal organization with alleged ties to North Korea, was responsible for approximately 95% of April’s cumulative losses. This entity had been previously implicated in the $1.4 billion Bybit security breach that occurred in February 2025.
DeFi Llama’s research highlighted that although three other months in cryptocurrency’s timeline witnessed total stolen amounts exceeding $1 billion, April’s distinction lies in the sheer quantity of separate incidents rather than aggregate dollar values.
On April 30, the Arbitrum DAO initiated a governance vote concerning the release of 30,766 frozen ETH to DeFi United, an action directly related to addressing consequences from the Kelp DAO compromise.
