The world of cryptocurrency witnessed an alarming surge in hacking incidents during April 2026, earning it the grim distinction of being the most-hacked month in crypto history. According to data compiled by DeFi Llama, over 24 exploits occurred, resulting in the theft of more than $600 million.
The largest single attack of the month targeted Kelp DAO, a decentralized finance (DeFi) protocol, with losses amounting to a staggering $292 million. This incident not only sent shockwaves throughout the DeFi community but also raised serious concerns regarding bad debt at Aave, one of the industry’s most prominent lending platforms. In response, multiple organizations mobilized to provide emergency loans and donations to alleviate the financial shortfall caused by the breach.
Following closely behind was the hack on Drift Protocol, a perpetuals exchange operating on the Solana blockchain, which lost over $280 million. Drift officials later revealed that the breach was not merely a straightforward code exploit, but rather a meticulously orchestrated “structured intelligence operation” that had been developing over a period of six months.
Shifting Tactics: Social Engineering Over Code Bugs
What occurred in April illustrates a worrying trend in the methods employed by cybercriminals. Observers have pointed out that both the Kelp DAO and Drift Protocol incidents were not merely the result of technical vulnerabilities within their software. Instead, attackers adeptly leveraged social engineering tactics to manipulate individuals with access to admin keys, highlighting that improving code security may not suffice in preventing future breaches.
Another significant incident involved the exploit of Hyperbridge, a protocol built on the Polkadot network, which resulted in a theft of $2.5 million. The attacker initiated the hack by siphoning approximately 245 ETH and then executed a forged cross-chain message to bypass critical security checks, enabling them to mint around one billion bridged DOT tokens and subsequently unload them on the market.
New Threats Emerge on Ethereum
As the month drew to a close, on April 30, an on-chain analyst known as Wazz flagged what appeared to be a fresh and concerning exploit targeting dormant Ethereum wallets. Hundreds of inactive wallets, some untouched for over seven years, fell victim to an address that drained them in a remarkably short time frame.
Wazz labeled it as a “new live exploit, worth flagging,” although full details of the attack were yet to be confirmed.
In an analysis that stands to shake the very foundations of the crypto space, reports indicate that the infamous Lazarus Group—a hacking collective believed to be linked to North Korea—bore responsibility for nearly 95% of the thefts recorded in April. This same group has been previously implicated in major breaches, including the $1.4 billion attack on Bybit in February 2025.
While the month of April saw three other months surpassing the $1 billion mark in total losses, the record set this April was distinguished by the sheer volume of hacking incidents rather than just the monetary value of the thefts. In an effort to mitigate the collateral damage from the Kelp DAO hack, the Arbitrum DAO instigated a vote on April 30 to release 30,766 frozen ETH to DeFi United.
