April Sets Record for Crypto Hacks as Exploits Surge Past 20 Incidents

April became the most hack-filled month in crypto by incident count, with DeFiLlama tracking 28 exploits and US$635.2 million (AU$882.0 million) in losses as two infrastructure failures dominated the damage.

DeFiLlama’s hack database showed KelpDAO as April’s largest incident at US$293 million (AU$407.3 million), followed by Drift Protocol at US$285 million (AU$396.2 million). Together, the two attacks accounted for US$578 million (AU$803.4 million), or roughly 91% of all April losses tracked by the database.

April ends as the most-hacked month in crypto history, by number of incidents. pic.twitter.com/Cx67K3z86O

— DefiLlama.com (@DefiLlama) April 30, 2026

The rest of the month was smaller but broader. DeFiLlama listed Rhea Lend at US$18.4 million (AU$25.6 million), Grinex at US$15 million (AU$20.9 million), Wasabi Perps at US$5.5 million (AU$7.6 million) and more than 20 additional incidents across DeFi, wallets and infrastructure.

Related: Strategy’s High-Yield Stock Will Continue to Fuel Bitcoin Surge, Says Bitwise CIO

KelpDAO Bridge Failure

Chainalysis said attackers linked to North Korea’s Lazarus Group stole about US$292 million (AU$405.9 million), or 116,500 rsETH, from KelpDAO’s LayerZero bridge on April 18. The blockchain analysis firm said the incident was “not a smart contract vulnerability” but an attack on off-chain infrastructure.

According to Chainalysis, compromised RPC nodes and denial-of-service pressure against external nodes fed false data to a 1-of-1 verifier setup. The result was a transaction that appeared valid to the system even though the underlying state was falsified.

KelpDAO paused contracts after the exploit and blocked a second attempted theft of 40,000 rsETH, worth about US$95 million (AU$132.1 million), Chainalysis said. The Arbitrum Security Council also froze 30,766 ETH of downstream attacker funds, limiting part of the follow-on movement.

Aave Liquidity Shock

The KelpDAO bridge adapter released 116,500 rsETH in a single block, after which the attacker looped collateral across Aave, Compound and Euler for about US$236 million (AU$328.0 million) in WETH and wstETH within 46 minutes.

Aave V3 Ethereum Core available liquidity fell from US$9.77 billion (AU$13.58 billion) to US$5.75 billion (AU$7.99 billion) within 29 hours, according to Glassnode. 

WETH available liquidity dropped from US$689 million (AU$957.7 million) at 5:00 p.m. UTC to US$1.5 million (AU$2.1 million) by 7:00 p.m. UTC on April 18 as utilisation reached 100%.

Glassnode said protocol contracts, oracles and liquidation engines worked as specified, but the episode still exposed how bridge verification failures can cascade into lending-market liquidity stress.