Hackers Stole $606 Million From Crypto in 18 Days. Here's Exactly What Happened — and If Your Money Is Safe
April 2026 is the worst month for DeFi exploits in over a year. Two attacks — KelpDAO ($292M) and Drift Protocol ($285M, linked to North Korea) — wiped $14 billion from DeFi in 48 hours. Complete breakdown of every hack, who is at risk, and how to protect yourself.
🚨 Breaking — Updated April 21, 2026
$606 million stolen from DeFi protocols in the first 18 days of April 2026. Two attacks — KelpDAO ($292M) and Drift Protocol ($285M) — account for 95% of losses. North Korean state hackers have been linked to at least one attack. Here's everything you need to know and exactly how to protect yourself.
⚡ Key Takeaways
- April 2026 is the worst month for DeFi hacks since February 2025 — $606M stolen in 18 days across 12 separate attacks
- The two largest hacks: KelpDAO ($292M) via bridge exploit and Drift Protocol ($285M) via North Korean social engineering
- Bitcoin, Ethereum and Solana base layers were not compromised. All hacks targeted bridges, liquid restaking protocols and cross-chain infrastructure
- DeFi total value locked dropped $14 billion in 48 hours — hitting a one-year low of ~$85 billion
- If your crypto is on a hardware wallet or in a major CEX, you are not directly at risk from these specific attacks
- The pattern: bridge protocols and restaking infrastructure are by far the highest-risk category in DeFi right now
On April 19, 2026, a single attacker drained $292 million from KelpDAO in what would become the largest DeFi exploit of the year — surpassing the $285 million Drift Protocol hack from just 18 days earlier. Together, these two attacks pushed April 2026's total crypto losses to over $606 million in under three weeks, making it the worst month for DeFi security since the $1.4 billion Bybit breach of February 2025.
The crypto community's reaction ranged from panic to dark humor. "DeFi is dead" trended on Crypto Twitter for the second time this year. But as with every previous exploit cycle — 2022, 2021, 2020 — the reality is more nuanced than the headlines suggest. The base layer blockchains are fine. The infrastructure being exploited is specific. And if you understand exactly what was attacked and why, you can make informed decisions about your own exposure.
The Scale: $606 Million in 18 Days
To understand how extraordinary April 2026 has been, consider the context: the entire first quarter of 2026 (January through March) saw $165.5 million in DeFi losses across all incidents. April alone has already produced 3.7 times that figure — and the month isn't over.
| Date | Protocol | Amount Lost | Attack Type | Attribution |
|---|---|---|---|---|
| Apr 1 | Drift Protocol | $285M | Social engineering | North Korea (Lazarus) |
| Apr 10 | Aethir Bridge | ~$2M | Bridge exploit | Unknown |
| Apr 14 | CoW Swap | $1.2M | Domain hijacking | Unknown |
| Apr 15 | Grinex Exchange | $13.7M | Exit scam / hack | Russia-linked |
| Apr 15 | Hyperbridge | $2.5M | Merkle proof forgery | Unknown |
| Apr 19 | KelpDAO | $292M | Bridge / LayerZero exploit | Under investigation |
| Apr 19 | Zerion, Rhea Finance, Silo Finance | ~$10M combined | Various | Unknown |
The pattern is unmistakable: bridge protocols and cross-chain infrastructure are the primary targets. Of the $606 million stolen, over 95% came from protocols that move assets between different blockchains — not from the blockchains themselves.
Attack #1: KelpDAO — $292 Million Bridge Exploit
KelpDAO Hack — April 19, 2026
Largest DeFi exploit of 2026
Bridge exploit · rsETH depegged · $14B TVL wiped in 48h
KelpDAO is a liquid restaking protocol — users deposit stETH or cbETH and receive rsETH, a token that earns both standard Ethereum staking rewards and additional yield from EigenLayer restaking. The protocol had grown to hold approximately $1.6 billion in total value locked before the attack.
The exploit targeted KelpDAO's LayerZero-powered cross-chain bridge — the infrastructure that allows rsETH to exist across more than 20 different blockchain networks simultaneously. An attacker found a critical vulnerability that allowed them to drain 116,500 rsETH (roughly 18% of the entire circulating supply) from the bridge reserves.
📌 Why the damage cascaded so far
rsETH wasn't just held by individual investors. It was widely used as collateral across DeFi lending protocols. When the exploit drained the bridge reserves, rsETH's backing became uncertain — and protocols that had accepted rsETH as collateral had to act immediately. Aave froze rsETH markets. SparkLend paused rsETH deposits. Fluid halted rsETH collateral. Users who hadn't been anywhere near KelpDAO suddenly found their positions frozen or at risk. This is the "contagion" risk that makes bridge exploits so damaging — the blast radius extends far beyond the attacked protocol itself.
KelpDAO paused all core contracts within hours of detecting the exploit, but the damage was done. Total DeFi value locked fell from approximately $99 billion to $85 billion in the 48 hours following the hack — a drop of $14 billion driven primarily by users withdrawing funds from protocols they feared might have indirect rsETH exposure.
Attack #2: Drift Protocol — $285 Million, North Korea
Drift Protocol Hack — April 1, 2026
Solana-based perpetuals DEX
Social engineering · North Korea — Lazarus Group · 12 minutes to drain
The Drift Protocol hack, which unfolded on April 1, is arguably more alarming than KelpDAO — not because of the dollar amount, but because of how it was executed. North Korea's Lazarus Group, responsible for over $3 billion in crypto theft since 2017, conducted a months-long social engineering campaign targeting Drift Protocol employees.
The attackers fabricated a CarbonVote Token (CVT) to manipulate pricing oracle data, and used pre-signed hidden authorizations to gain access to the protocol's core contracts. Once inside, they drained approximately $285 million in assets in roughly 12 minutes — one of the fastest large-scale DeFi exploits on record. Tether eventually helped secure a $147.5 million recovery package for affected users, but over $130 million remains unrecovered.
⚠️ North Korea's crypto strategy is evolving
Security researchers at Chainalysis and Elliptic note that Lazarus Group has shifted tactics in 2026 — moving from direct exchange hacks toward targeting DeFi infrastructure through social engineering. This approach is harder to detect and defend against because it exploits human vulnerabilities rather than code vulnerabilities. Coinbase has already begun building AI agents to monitor for unusual employee behavior patterns in response to this threat. No DeFi protocol with significant TVL is immune to a sophisticated state-sponsored social engineering campaign.
Who Is Actually at Risk — And Who Isn't
The most important thing to understand about April's hacks is what they didn't compromise. Ethereum, Bitcoin, and Solana base layers were not touched. No major centralized exchange was hacked. Hardware wallets are unaffected. The attacks targeted a specific slice of the DeFi ecosystem — cross-chain bridges and liquid restaking infrastructure — not crypto broadly.
| Where your crypto is | Risk level | Why |
|---|---|---|
| Hardware wallet (Ledger, Trezor) | Very Low | Private keys never touch the internet |
| Major CEX (Coinbase, Kraken, Binance) | Low | Not DeFi — different attack surface |
| Standard ETH staking (Lido, Rocket Pool) | Low | No cross-chain bridge exposure |
| Solana staking (native validators) | Low | No bridge or restaking risk |
| DeFi lending (Aave, Compound) | Medium | Indirect exposure via collateral contagion |
| Cross-chain bridges | High | Primary attack vector in 2026 |
| Liquid restaking (rsETH, ezETH) | High | Bridge exposure + complex slashing risk |
Why Cross-Chain Bridges Keep Getting Hacked
This is not the first major bridge hack, and it won't be the last. The Ronin Bridge ($625M, 2022), Wormhole ($320M, 2022), and Nomad ($190M, 2022) were the most prominent examples from previous cycles. Bridge exploits account for a disproportionate share of all DeFi losses — and the reason is structural.
A cross-chain bridge must hold large reserves of assets on multiple chains simultaneously, coordinate messages between chains without a unified security model, and do all of this while remaining permissionless and accessible. Each of those requirements introduces attack surface. The more chains a bridge supports, the more complex the codebase, and the more opportunities an attacker has to find an edge case the auditors missed.
📌 The fundamental problem with bridges
Ethereum and Bitcoin are secure because thousands of independent nodes validate every transaction. A bridge connecting them is typically secured by a much smaller set of validators — sometimes as few as 5–9 multisig signers. You're trusting the security of a $300 million bridge to infrastructure that has a fraction of the security budget of the chains it connects. Until bridges achieve security comparable to the base layer chains they connect, they will remain the most exploited category in crypto.
How to Protect Yourself Right Now
If you have crypto in any of the following, you should review your exposure today:
- Any liquid restaking protocol (rsETH, ezETH, pufETH, weETH) — understand exactly what bridge infrastructure backs your position and whether it has been audited
- Any cross-chain bridge holding your assets — the rule of thumb: the more chains a bridge supports, the larger its attack surface
- Any protocol that accepted rsETH as collateral — check whether your lending position is affected by the KelpDAO contagion
- Any protocol that launched in the last 6 months with unusually high APY — in DeFi, high yield almost always reflects unpriced risk
The five rules that would have protected you from every April 2026 hack:
- Never keep more in DeFi than you can afford to lose entirely
- Avoid bridge protocols for long-term storage — use them to move assets, not hold them
- Prefer native chain staking (Lido, Rocket Pool, native SOL staking) over cross-chain restaking
- Diversify across protocols — never concentrate more than 20% of your crypto in any single DeFi protocol
- Use a hardware wallet for anything you're not actively using in DeFi
Will DeFi Survive This?
The "DeFi is dead" narrative resurfaces after every major exploit cycle. It was wrong in 2022 when $3.8 billion was stolen across multiple hacks. It's likely wrong now. The structural case for on-chain finance — permissionless access, transparent rules, 24/7 operation — hasn't changed because of these hacks. What changes is the risk pricing.
After every major exploit cycle, the protocols that survive emerge with better security practices, larger audit budgets, and more conservative architecture. Aave survived the KelpDAO contagion because it moved quickly to freeze rsETH markets. Lido has never been hacked because it prioritizes security over complexity. The DeFi ecosystem is selecting for better security — just at a high cost to the protocols and users caught in the process.
The more significant long-term risk isn't the hacks themselves — it's the regulatory response. $600 million in losses in one month gives legislators exactly the ammunition they need to push for strict DeFi regulation. The Clarity Act moving through the US Senate this week will likely be influenced by April's events. For DeFi to reach its potential, it needs to solve its security problem before regulators solve it for it.