Crypto Hack Losses Hit $651M in April — Highest Since 2022

Key Takeaways

In April 2026, $651M in crypto hacks were recorded, the highest monthly loss since 2022.
Two mega DeFi breaches—Drift ($285 million) & Kelp DAO ($293 million)—drove most damage.
Nation-state actors like Lazarus used sophisticated social engineering & infrastructure attacks.

April 2026 delivered a brutal wake-up call to the crypto industry.

According to data from DefiLlama and CertiK, hacking incidents reached a record high, with confirmed exploit losses totaling around $651 million. This includes roughly $3.5 million from phishing attacks.

This marks the highest monthly tally since March 2022, when losses hit $715 million, and the worst performance excluding the massive February 2025 Bybit breach.

Prominent Hacks in April 2026: A Breakdown

What made April especially devastating were two high-profile DeFi hacks that alone accounted for the vast majority of the damage.

These weren’t isolated smart-contract bugs—they exposed deeper vulnerabilities in operations, infrastructure, and human elements.

The fallout triggered billions in DeFi outflows, sent shockwaves across lending protocols. It eroded investor confidence at a time when the sector was already navigating regulatory and market pressures.

In just the first 18 days, losses topped $606 million across at least a dozen incidents, pushing year-to-date 2026 thefts near $772 million.

Drift Protocol (April 1) – $285 Million

Solana’s largest perpetual futures DEX suffered one of the year’s biggest hits when attackers drained key vaults holding JLP tokens, SOL, BTC, and other assets.

The breach wasn’t a code flaw—independent audits had cleared the contracts. Instead, it stemmed from a sophisticated six-month social engineering campaign linked to North Korea’s Lazarus Group.

Posing as a legitimate quant trading firm, the attackers built relationships, compromised contributor accounts, and gained access to admin keys and cloud infrastructure. Within 12 minutes, over 50% of Drift’s TVL vanished.

The protocol’s TVL plummeted from roughly $550 million to under $250 million, proving that even battle-tested DeFi projects remain vulnerable to insider-level access.

KelpDAO (April 18-19) – $292–293 Million

This liquid restaking protocol lost approximately 116,500 rsETH (worth about $292 million at the time) through its LayerZero cross-chain bridge.

Attackers—again preliminarily linked to Lazarus Group’s TraderTraitor unit—exploited a critical single point of failure: Kelp’s 1-of-1 verifier setup.

They compromised RPC nodes relied on by the verifier, launched a DDoS attack on the others, and forged a cross-chain message claiming to originate from Unichain. This tricked the bridge into releasing funds from the Ethereum escrow.

The stolen rsETH was then used as collateral across lending platforms like Aave to borrow even more assets.

LayerZero later noted it had warned Kelp against the risky single-verifier configuration.

The hack triggered over $10 billion in outflows from connected protocols and a broader DeFi “bank run.”

Other notable incidents

Other notable incidents included the ZetaBridge exploit on April 3, which resulted in $8.1 million in losses due to a smart-contract logic flaw, followed by the Grinex exchange breach on April 15, which drained roughly $13.7 million in USDT across multiple wallets.

Rhea Finance also suffered losses of approximately $7.6 million due to fraudulent token contracts.

In addition, a series of smaller exploits contributed to the overall damage, including PulseVault ($3.4 million), AeroSwap ($1.7 million), and NodeFi ($2.3 million), with many of these attacks involving flash loans, oracle manipulation, or compromised private keys.

These attacks showed that while the two mega-hacks stole the headlines, the sheer volume of incidents set a grim record.

The Rise of Sophisticated Hacks: Nation-State Threats Reshaping Crypto Security

Crypto hacks have evolved far beyond the early days of simple reentrancy bugs and flash loan exploits.

In 2026, the playbook increasingly favors advanced persistent threats (APTs) orchestrated by nation-state actors—most notably North Korea’s Lazarus Group.

Gone are the days when attackers needed a glaring Solidity vulnerability.

Today’s operations blend months of reconnaissance, social engineering, AI-assisted phishing, deepfakes, and supply-chain compromises.

The Drift attack exemplified this: a prolonged infiltration campaign that bypassed technical audits entirely. Lazarus actors didn’t break the code—they broke the people and processes around it.

Similarly, the KelpDAO breach targeted off-chain infrastructure rather than on-chain logic, turning a trusted cross-chain messaging protocol into a single point of failure through DDoS and node compromise.

Nation-state involvement adds another layer of danger.

Lazarus has stolen billions in crypto over the years to fund regime activities, laundering proceeds rapidly through mixers, bridges, and decentralized protocols.

Their tactics—long-term relationship-building at conferences, compromised employee devices, and AI-powered impersonation—make traditional defenses such as code audits or bug bounties insufficient.

The message for projects, users, and investors is clear.

DeFi’s promise of decentralization still relies on centralized human and operational weaknesses.

Multi-signature wallets, timelocks, multi-verifier bridges, hardware security keys, and rigorous operational security are no longer optional—they’re essential.

As nation-state hackers treat crypto as a strategic funding source, the industry must shift from reactive bug fixes to proactive, defense-in-depth strategies. April 2026 wasn’t just an expensive month; it was a warning.

With losses already rivaling some of the worst periods in crypto history, the path forward demands stronger collaboration between protocols, security firms, and regulators—before the next record-breaking breach hits.

Staying vigilant, using hardware wallets, and double-checking every transaction remain the best personal defenses in an increasingly sophisticated threat landscape.