April 2026 proved to be an unusual month for the cryptocurrency market. On the surface, overall trading activity remained relatively steady despite significant geopolitical turmoil, but beneath that calm the industry experienced a series of high-profile exploits that eroded investor confidence.
Leading blockchain security firm CertiK reported that crypto-related exploits and incidents in April 2026 resulted in total losses exceeding $650 million.
April Hacks
The largest incidents were led by KelpDAO, which lost $292 million, followed by Drift Protocol at $285.2 million. The Drift Protocol exploit was the culmination of weeks of preparation and months of social engineering to gain access to protocol signers; once access was secured, attackers drained funds in roughly 12 minutes. The KelpDAO breach, by contrast, exploited a single-verifier vulnerability in a LayerZero bridge. After the initial theft, attackers moved funds through THORChain, while more than $70 million tied to the incident was frozen on Arbitrum as part of emergency security measures.
Other notable incidents included Rhea Finance at $18.4 million and Grinex at $16.2 million, among several smaller breaches. By sector, DeFi projects absorbed the lion’s share of losses at $609.3 million. Unverified contracts lost $8.5 million, GameFi projects $3.4 million, bridge-related incidents $2.8 million, and meme-token projects $1.9 million.
Breaking down incidents by type, wallet compromises were responsible for the majority of losses, totaling $611 million. Price manipulation accounted for $18.8 million in thefts, code vulnerabilities for $16.9 million, phishing for $3.5 million, and front-end attacks for about $544.7k.
Fewer Attacks, Higher Financial Impact
According to TRM Labs, North Korean-linked hacking groups were responsible for roughly 76% of all crypto hack losses in 2026 through April. That high proportion did not stem from a larger number of attacks, but from two major incidents that together caused $577 million in losses—amounts that eclipsed other activity. Since 2017, this strategy of conducting relatively few but highly impactful operations has been characteristic of North Korean cybercrime networks.
TRM’s research shows that the share of total crypto theft attributed to these groups has steadily increased: under 10% in 2020–2021, 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The jump in 2025 was driven largely by the Bybit breach, in which $1.46 billion was stolen through a compromised Safe{Wallet} signing interface—the largest recorded crypto hack to date.
The combined losses from the KelpDAO and Drift incidents in 2026 follow a similar pattern. While the number of operations remains relatively small each year, their financial impact continues to grow. Analysts note that the modus operandi is evolving: attacks increasingly rely on sophisticated reconnaissance and social engineering to target critical signing interfaces and bridge components.
TRM’s findings indicate that North Korea’s cumulative crypto theft since 2017 has now topped $6 billion. Security experts warn that threat actors may be leveraging advanced tools, including AI, to refine reconnaissance and social-engineering techniques, enabling more precise and targeted exploits. As a result, defenders and protocol teams must improve operational security, multisig practices, and monitoring of inter-chain bridges to reduce exposure to these high-impact threats.