Crypto protocols have lost $606 million to exploits in the first 18 days of April, driven by two enormous bridge attacks attributed to North Korea's Lazarus Group, making it the worst month for crypto security since the Bybit breach in February 2025.
Crypto protocols have lost $606 million to exploits in the first 18 days of April — nearly four times the $165.5 million stolen across all of January, February, and March combined.
Two attacks account for 95 per cent of the damage. Kelp DAO's LayerZero-powered bridge was drained of $292 million in rsETH on 18 April, making it 2026's largest single exploit. Drift Protocol, a Solana-based perpetual exchange, lost $285 million on 1 April after attackers spent six months socially engineering their way into the platform's infrastructure. Both incidents have been linked — with varying degrees of certainty — to North Korea's Lazarus Group, the state-sponsored hacking unit that stole $1.4 billion from Bybit in February 2025.
The pattern is now impossible to dismiss. Bridge protocols — the cross-chain messaging layers that move assets between blockchains — have become DeFi's structural weak point. Kelp's attacker exploited a single-verifier configuration in LayerZero's messaging system, forging a validation message that tricked the bridge into releasing 116,500 rsETH to an attacker-controlled address. The entire operation, from first exploit transaction to emergency freeze, took 46 minutes. In that window, roughly 18 per cent of rsETH's circulating supply was siphoned off.
The collateral damage dwarfed the theft itself. Because rsETH served as collateral across more than 20 networks, the exploit triggered a cascade of emergency freezes at Aave, SparkLend, Fluid, and Upshift. Aave's total value locked plummeted by $8.45 billion over 48 hours — knocking it from its position as the largest DeFi protocol by deposits — and the broader DeFi ecosystem shed $13.2 billion in TVL in two days. Aave was left with approximately $195 million in bad debt concentrated in rsETH–wrapped ether pairs, a liability that will need to be socialised across the protocol's governance and insurance mechanisms.
The smaller exploits this month tell a similar story of inadequate security. CoW Swap was hit by a DNS hijack that redirected users to a fake front end. Grinex, a sanctioned Russian exchange, shut down entirely after a $15 million breach it blamed — without evidence — on Western intelligence services. Across 12 incidents in April, the total now stands at $606.2 million, according to data compiled by DefiLlama.
Year-to-date losses have reached $771.8 million across 47 incidents, a 68 per cent increase in attack frequency compared with the same period in 2025. April alone has surpassed the worst month of Q1 by a factor of 3.7, and the quarter still has ten days left. The only month in recent memory that was worse was February 2025, when the $1.4 billion Bybit hack distorted the numbers beyond meaningful comparison.
The industry's response has been predictably reactive. Justin Sun, the Tron founder, publicly urged the Kelp attacker to negotiate a bounty deal — a tactic that occasionally works but carries the uncomfortable implication that $292 million thefts are a normal cost of doing business. One analyst estimated that the best realistic outcome would be a 10 to 15 per cent bounty payment, meaning the attacker could walk away with $30 to $45 million and the community would call it a win.
The deeper problem is structural. DeFi's "modular" security philosophy — where each protocol chooses its own verification setup, oracle configuration, and risk parameters — creates a system where a misconfigured parameter in one component can cascade across dozens of interconnected platforms. Kelp's bridge relied on a single verifier; Aave accepted rsETH as collateral without sufficiently accounting for the risk that the underlying bridge could be compromised. Neither failure was unforeseeable. Both were unfixed.
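The single-verifier weakness described above, as an added illustration that is not from this article or from LayerZero's or Kelp's code: a toy bridge acceptance check in which HMAC tags stand in for verifier signatures, and the verifier names, keys, message and threshold parameter are all assumptions. It measures how many verifier keys must be lost before a forged message is accepted under a 1-of-1 setup versus a 2-of-3 quorum.

```python
import hashlib
import hmac
from itertools import combinations

def attest(key: bytes, message: bytes) -> bytes:
    # HMAC-SHA256 stands in for a verifier's signature (assumption for this sketch).
    return hmac.new(key, message, hashlib.sha256).digest()

def accept(message, attestations, verifier_keys, threshold):
    """Accept only if `threshold` distinct configured verifiers attested to this exact message."""
    if not 1 <= threshold <= len(verifier_keys):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    valid = set()
    for name, tag in attestations.items():
        key = verifier_keys.get(name)  # attestations from unknown verifiers are ignored
        if key is not None and hmac.compare_digest(tag, attest(key, message)):
            valid.add(name)
    return len(valid) >= threshold

def forgeable_with(compromised, verifier_keys, threshold, message):
    """Would a message attested only by the `compromised` verifiers be accepted?"""
    tags = {name: attest(verifier_keys[name], message) for name in compromised}
    return accept(message, tags, verifier_keys, threshold)

def min_keys_to_forge(verifier_keys, threshold, message):
    """Smallest number of verifier keys whose loss lets a forged message through."""
    for size in range(1, len(verifier_keys) + 1):
        for subset in combinations(sorted(verifier_keys), size):
            if forgeable_with(subset, verifier_keys, threshold, message):
                return size
    return None

# Constructed sample data: verifier names, keys and the message are all made up.
KEYS = {
    "verifier-a": b"constructed-key-a",
    "verifier-b": b"constructed-key-b",
    "verifier-c": b"constructed-key-c",
}
SINGLE = {"verifier-a": KEYS["verifier-a"]}
MESSAGE = b"release 100 TOKEN to recipient-x"

if __name__ == "__main__":
    print("1-of-1 keys needed to forge:", min_keys_to_forge(SINGLE, 1, MESSAGE))
    print("2-of-3 keys needed to forge:", min_keys_to_forge(KEYS, 2, MESSAGE))
    print("2-of-3 with one lost key accepts forgery:",
          forgeable_with(["verifier-a"], KEYS, 2, MESSAGE))
```

Running the same check against a protocol's real verifier set and threshold gives a risk team a concrete number to weigh before listing a bridged asset as collateral.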
April 2026 is not an anomaly. It is what happens when an industry grows faster than its security infrastructure. The $606 million lost this month will eventually be absorbed — through insurance, governance votes, and quiet write-downs — but the damage to user confidence is harder to quantify and slower to repair. Total value locked across DeFi fell from $99.5 billion to $86.3 billion in 48 hours; some of that capital is unlikely to return.