Hackers stole more than $625 million in April 2026 alone, carrying out between 20 and 30 separate attacks. That is almost one attack every day.
The service DefiLlama published a chart on X showing that in April, there was an average of nearly one hack per day. For comparison, in previous months the figure rarely exceeded 12–15 incidents.
As a result, the numbers surpassed all previous quarters and brought the month close to a historic record for the number of hacks.
Why Almost All the Damage Came From Two Attacks
The month’s picture was largely shaped by several major incidents. On April 1, 2026, the Drift protocol lost $285 million. A group from North Korea spent about six months building trust with project employees and then, in 12 minutes, withdrew funds using pre-signed withdrawal instructions.
On April 18, a similar blow hit KelpDAO. The project lost $293 million after attackers forced the system to issue tokens without real backing.
See also: Aptos Launches Private Coin to Solve One of the Main Problems of the Crypto Market
Both attacks are linked to North Korea, but the methods were different. This shows the level of preparation that the DeFi industry was not ready for.
As a result, these two hacks accounted for the main losses of the month. The situation once again shows that even a few well-prepared attacks can seriously shake the entire DeFi market.
Why Did the KelpDAO Hack Put Billions at Risk Outside the Project Itself?
After the attack, the perpetrators used the stolen tokens as collateral in Aave and borrowed almost $190 million in real Ethereum.
As a result, the platform was left with worthless collateral for the issued loans. In two days, the total deposit volume in Aave fell from $26.4 billion to about $17.9 billion. Stablecoin pools were loaded at 100%, and according to Galaxy Research, the volume of bad debt rose to a range of $123.7 million to $230 million.
Panic quickly spread across the market. In a few days, more than $13 billion was withdrawn from DeFi protocols. Users began to withdraw funds en masse, and projects like Morpho, Spark, Lido, Yearn, Beefy and even Ethereum itself were forced to temporarily restrict operations due to the strong outflow of liquidity.
But direct losses are only part of the picture. The blow hit TVL, user trust, and project valuations.
As one DeFi analyst noted, the market remains niche until risks begin to be adequately accounted for.
Who Is Behind This and How Much Has Been Stolen?
According to TRM Labs, by April 2026, hacker groups linked to North Korea were responsible for 75% of all crypto hack losses. That is about $577 million out of $759 million.
As noted by the UN, US Treasury and blockchain analytics companies, North Korea uses cryptocurrency as a source of funding for the state and its military programs amid tough sanctions. According to TRM Labs, since 2017, such groups have stolen more than $6 billion.
See also: Robinhood and Coinbase Drag Down Crypto Stock Market After Trump Rejects Iran Plan
According to Ari Redbord, head of policy and government affairs at TRM Labs, it is not about expanding attacks, but about their quality:
“We are seeing not just a larger campaign, but a more precise one. North Korea is acting faster and more accurately than ever before.”
What Happened in April Besides the Two Major Hacks?
Besides the high-profile attacks, the month was also full of smaller but still painful incidents.
On April 10, Rhea Finance lost $18.4 million. Some funds were saved, Tether froze about $3.29 million, but the rest was withdrawn by the attacker, who used flash loans to manipulate prices and drain the pool.
A similar story happened on April 15 with the Grinex exchange from Kyrgyzstan. Hackers withdrew $13.74 million in USDT, split the funds among 54 wallets, and ran them through SunSwap to make tracking more difficult.
Other projects also suffered during the same period. Hyperbridge lost $2.5 million on the Polkadot network, and CoW Swap — about $1.2 million on April 14.
See also: Hyperliquid Prepares to Compete With Polymarket With New Event Trading Format
By the end of the month, signs of another active attack appeared. On April 29, on-chain analyst Wazz wrote on X that hundreds of wallets, many of which had been inactive for more than seven years, were emptied by a single address on the Ethereum network. According to him, this looks like a new real-time exploit.
But that was not the end. On the last day of April, Wasabi Protocol lost about $5 million after an attacker gained access to a compromised deployment key and used it for the attack.
Is DeFi Becoming Safer or More Dangerous?
It is both. It all depends on your perspective.
On one hand, the response to attacks has become noticeably faster. After the KelpDAO hack, more than 14 organizations pledged over $300 million to the DeFi United fund to help victims.
In addition, the industry now has tools that simply did not exist before. For example, the Arbitrum security council was able to freeze $71 million of attacker funds by using emergency powers.
But there is a downside. Attacks are evolving faster than defenses can adapt. The two largest hacks in April did not happen due to code errors, but because of human manipulation.
If the current trend continues, with the same number of attacks, industry losses in the coming months could reach about $7.5 billion. That is about three times more than for all of 2024.
