DeFi Hacks Top $840M in First Five Months of 2026, With April Accounting for Over $600M

More than $840 million was lost to DeFi exploits in the first five months of 2026, with April alone accounting for over $600 million in stolen funds across two of the year's largest attacks, according to DeFiLlama data. The $292 million KelpDAO exploit on April 18 and the $285 million Drift Protocol breach pushed April's toll into territory not seen since the peak of crypto-related incidents in 2023. The losses have continued into May, with THORChain halting trading after security researchers flagged a suspected cross-chain exploit affecting more than $10 million.

The pattern has exposed structural weaknesses across bridges and admin systems, according to experts tracking the incidents. Natalie Newson, senior blockchain investigator at Web3 security platform CertiK, said April was an unusually severe month but the broader trend remains more stable. "April 2026 was a bad month for crypto exploits; there were only three days without an exploit in which at least $10,000 was taken," she said. "However, when we take a look at the wider picture, the number of incidents (excluding phishing) has arguably been fairly consistent and still lower than a peak in 2023." Newson noted that April's severity was driven by 14 exploits exceeding $1 million in losses, second only to September 2025's 16.

Ari Redbord, Global Head of Policy and Government Affairs at TRM Labs, attributed the surge to a single state actor. "The dominant driver is North Korea, and that campaign is getting sharper, not broader," Redbord said, noting that North Korea-linked actors accounted for 76% of global crypto hack losses in the first four months of 2026, up from 64% in 2025 and less than 10% in 2020. "North Korea is using not only technology to attack the space, but also sophisticated and well-planned social engineering," he added.

The year's largest DeFi hack hit KelpDAO on April 18, when attackers drained about 116,500 rsETH, worth roughly $292 million, from a cross-chain bridge. LayerZero, whose messaging infrastructure underpinned the bridge, said in a postmortem prepared with Mandiant and CrowdStrike that the attack began on March 6, when a developer was socially engineered and session keys were harvested. Other protocols affected this year include TrustedVolumes, Echo Protocol, Step Finance, Truebit, Resolv Labs, Volo Protocol, Rhea Finance, and the Verus-Ethereum bridge.