Crypto’s April Nightmare: Over $620M Vanishes in Unprecedented Wave of Hacks

April 2026 ranked among the most damaging months in crypto history, with reported losses topping $625 million across the sector. Fewer attacks caused far larger losses than in previous months, and the biggest incidents traced back to trusted access, social engineering, and bridge infrastructure weaknesses.

For DeFi security teams, April showed that attackers are not only looking for weak code but also targeting people, permissions, validators, and the infrastructure that protocols trust.

The North Korean Precision Play

North Korea-linked crypto theft has often been treated as a high-volume threat. April looked different. Investigators tied most of the year’s stolen value to two large attacks rather than smaller exploits.

TRM Labs stated that North Korea-linked hackers accounted for 76% of all crypto hack value in 2026 through April, driven by two attacks: Drift Protocol and KelpDAO. Together, the two incidents accounted for about $577 million in stolen assets.

Chainalysis said Drift was likely connected to DPRK actors, while LayerZero said early indicators in the KelpDAO case pointed to Lazarus Group and TraderTraitor. The evidence points to longer reconnaissance, more social engineering, and attacks built around internal access.

The Drift Protocol Social Engineering Disaster

Hackers struck Drift Protocol on April 1 and drained about $285 million. Chainalysis reported that the attackers seized control over administrative permissions and used that access to whitelist fake collateral before withdrawing real assets.

Available reports frame the Drift exploit as something beyond a conventional oracle attack. Privileged access was the root problem. Once attackers controlled trusted permissions, standard security tools had far fewer reasons to flag the outgoing transactions.

The Wall Street Journal reported that suspected North Korean operatives posed as representatives of a trading firm and spent several months building credibility with Drift before striking. If that timeline holds, the attackers ran a long-term confidence operation aimed squarely at internal controls rather than on-chain logic.

KelpDAO and the Bridge Infrastructure Failure

Attackers hit KelpDAO on April 18 and walked away with about $292 million after exploiting its rsETH bridge route. The attack targeted cross-chain infrastructure, not a conventional smart contract bug.

LayerZero reported that the attackers poisoned downstream RPC infrastructure, which protocols depend on to read blockchain data. The affected KelpDAO route also relied on a single verifier, meaning that a compromised data path could cause a fraudulent cross-chain message to appear valid to the broader system.

LayerZero also clarified that the attackers did not exploit the LayerZero protocol itself, its DVN, key management, or smart contract logic. That places the weakness squarely in route configuration and the supporting infrastructure around it.
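
A simplified model of the single-verifier weakness described above, added here as an illustration (it is not LayerZero's or KelpDAO's code). The verifier names, RPC labels, message ids and hashes are constructed, and the model assumes each verifier reads source-chain state from one RPC endpoint.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc: str  # data source this verifier reads source-chain state from

@dataclass(frozen=True)
class Route:
    verifiers: tuple
    threshold: int  # independent confirmations required to accept a message

# Constructed sample data: what each RPC endpoint reports as emitted on the
# source chain (message id -> payload hash). "rpc-b" is poisoned and reports
# a message that was never emitted.
RPC_VIEWS = {
    "rpc-a": {"msg-1": "aa11"},
    "rpc-b": {"msg-1": "aa11", "msg-forged": "ff99"},
    "rpc-c": {"msg-1": "aa11"},
}

def route_accepts(route, msg_id, payload_hash, views=RPC_VIEWS):
    """Accept only if enough distinct data sources confirm the message."""
    confirming = {v.rpc for v in route.verifiers
                  if views.get(v.rpc, {}).get(msg_id) == payload_hash}
    return len(confirming) >= route.threshold

def audit_route(route):
    """Return configuration findings for a route (empty list = none)."""
    findings = []
    sources = {v.rpc for v in route.verifiers}
    if route.threshold < 2:
        findings.append("single attestation is sufficient")
    if len(sources) < route.threshold:
        findings.append("threshold cannot be met by independent data sources")
    elif len(sources) < len(route.verifiers):
        findings.append("verifiers share a data source")
    return findings

# One verifier behind the poisoned endpoint: the forged message looks valid.
SINGLE = Route((Verifier("v1", "rpc-b"),), 1)
# Three verifiers on separate endpoints, two must agree: one bad view is outvoted.
QUORUM = Route((Verifier("v1", "rpc-a"), Verifier("v2", "rpc-b"),
                Verifier("v3", "rpc-c")), 2)
# Two verifiers that both read the same endpoint: a quorum in name only.
SHARED = Route((Verifier("v1", "rpc-b"), Verifier("v2", "rpc-b")), 2)
```

Running `audit_route` over route configurations before deployment surfaces the 1-of-1 and shared-data-source cases without needing an attack to reveal them.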

The Industry Response and Recovery Dilemma

Aave and other ecosystem participants coordinated a recovery effort that reportedly recovered more than $300 million after the KelpDAO exploit drew widespread attention across DeFi markets. Drift said Tether proposed contributing up to $127.5 million to its own recovery package, alongside support from additional partners.

Recovery, though, surfaced a secondary problem around emergency control. Arbitrum’s Security Council froze 30,765.6675 ETH tied to the KelpDAO exploiter, then handed the decision on releasing those funds to governance.

That move protected assets in the short term, but it reopened a long-standing debate about decentralization. DeFi users must now reckon with emergency tools that concentrate considerable power in the hands of small security teams, a tradeoff the industry has yet to fully resolve.

April’s record losses handed DeFi security teams more ground to cover. The Drift Protocol and KelpDAO incidents proved attackers can prevail through staff access, weak verifier design, and crisis infrastructure that predates attacks of this scale.
