April DeFi hacks hit $635M
- Drift Protocol’s April 1 exploit and KelpDAO’s April 18 bridge breach pushed April DeFi hack losses to roughly $630 million-plus across about 25 incidents.
- The two biggest attacks alone totaled about $577 million — roughly $285 million at Drift and about $292 million to $293 million at KelpDAO.
- The damage came from social engineering and bridge verification failures, not simple contract bugs — that’s why cross-chain security is back in focus.

DeFi security had a brutal April. Two giant attacks — one on Drift Protocol, one on KelpDAO — did most of the damage, and together they pushed monthly crypto hack losses to roughly $630 million. That matters because these were not the usual “someone found a coding mistake” stories. One attack started with people getting socially engineered over months. The other seems to have broken the trust assumptions around a cross-chain bridge. Basically, the weak point was the plumbing around the contracts, not just the contracts themselves.

### What actually blew up in April?

Drift got hit first, on April 1, in an exploit worth about $280 million to $285 million. Then KelpDAO got hit on April 18, losing about $292 million to $293 million in rsETH through its bridge setup. Put those together and you get roughly $577 million from just two incidents — almost the whole month’s damage by themselves.

### Why is Drift different from a normal hack?

Turns out Drift’s own postmortem points to a long social-engineering campaign, not a smash-and-grab code exploit. The attackers reportedly spent around six months building trust, posing as a trading firm, meeting contributors at conferences, and even putting more than $1 million of their own capital into a Drift vault as cover. That is less “found a bug” and more “ran an intelligence operation.”

### What happened at KelpDAO?

KelpDAO looks even more like a bridge-trust failure than a pure smart-contract failure. Chainalysis says attackers linked to Lazarus compromised internal RPC nodes, disrupted outside nodes, and fed false data into a single-point verification path, which let them release about 116,500 rsETH against a burn that never happened. The contract saw a valid-looking message and obeyed it. That’s the scary part.

### Why do bridges keep showing up here?

Because bridges are where blockchains have to trust messages from somewhere else. If that verification path is weak, the bridge can mint or release assets that should not exist — like a bank honoring a forged wire confirmation. KelpDAO’s exploit was tied to a LayerZero-powered bridge path, and the fallout spread beyond Kelp because rsETH was used across other protocols.

### Why did the damage spread past the hacked protocols?

DeFi is stacked. One token sits inside another protocol, which sits inside lending markets, which sits inside collateral systems. After the KelpDAO attack, Aave froze rsETH markets and broader DeFi TVL dropped sharply as users pulled funds. The Block said Aave saw about a $10 billion outflow amid bad-debt fears, which shows how one bridge failure can hit the whole neighborhood fast.

### Is North Korea really at the center of this?

That is where the public evidence is pointing. Chainalysis tied the KelpDAO exploit to Lazarus, and Drift plus outside investigators said they had medium-high confidence that North Korea-aligned actors were behind Drift too. TRM’s April tally said North Korean actors accounted for 76% of crypto hack losses in 2026 through April.

### So what changed after these hacks?

The lesson is getting harsher. Protocols can harden contracts all day, but if the signer setup, bridge verifier, node infrastructure, or human access path is weak, the money is still exposed. April’s losses shoved cross-chain security, operational security, and dependency risk back to the top of the DeFi agenda, a reminder that DeFi’s biggest failures are no longer just code bugs. They are system failures — people, bridges, validators, and reused collateral all tangled together. That makes the next security race less about cleaner Solidity and more about whether protocols can stop trusting brittle off-chain machinery with on-chain money.
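
The KelpDAO section describes a single-point verification path that accepted false data once internal RPC nodes were compromised and outside nodes were disrupted. The sketch below is an added example, not KelpDAO's or LayerZero's code: it contrasts that pattern with a release check that needs a quorum of independent sources and fails closed when they disagree or go silent. All names, source labels and burn IDs are hypothetical.

```python
from typing import Callable, Dict, Optional, Tuple

# A source answers "is this burn on the source chain?": True, False,
# or None when the endpoint cannot be reached.
BurnSource = Callable[[str], Optional[bool]]
Decision = Tuple[bool, str]  # (release?, reason)

def single_source_verify(burn_id: str, source: BurnSource) -> Decision:
    """Weak pattern: one verification path decides alone."""
    ok = source(burn_id) is True
    return ok, ("single source confirmed" if ok else "not confirmed")

def quorum_verify(burn_id: str, sources: Dict[str, BurnSource],
                  threshold: int) -> Decision:
    """Release only if `threshold` independent sources confirm; fail closed
    on any explicit denial or when too few sources are reachable."""
    confirms, denials, silent = [], [], []
    for name, source in sources.items():
        try:
            answer = source(burn_id)
        except Exception:  # timeout, connection error, malformed reply
            answer = None
        bucket = confirms if answer is True else denials if answer is False else silent
        bucket.append(name)
    if denials:
        return False, f"conflict: no burn seen by {sorted(denials)}"
    if len(confirms) < threshold:
        return False, f"{len(confirms)}/{threshold} confirmed, unreachable: {sorted(silent)}"
    return True, f"{len(confirms)} independent confirmations"

# --- Constructed sample data (not from any real chain or incident) ---
REAL_BURNS = {"burn-0001"}
def honest(burn_id):        # reports actual source-chain state
    return burn_id in REAL_BURNS
def compromised(burn_id):   # attacker-controlled node: confirms anything
    return True
def unreachable(burn_id):   # disrupted outside node
    raise TimeoutError("no response")

def demo() -> Dict[str, Decision]:
    return {
        "single": single_source_verify("burn-forged", compromised),
        "degraded": quorum_verify("burn-forged", {"int": compromised, "a": unreachable, "b": unreachable}, 2),
        "mixed": quorum_verify("burn-forged", {"int": compromised, "a": honest, "b": unreachable}, 2),
        "legit": quorum_verify("burn-0001", {"int": honest, "a": honest, "b": honest}, 2),
    }

if __name__ == "__main__":
    for name, (release, reason) in demo().items():
        print(f"{name:9} release={release}  {reason}")
```

The threshold only helps when the sources are operated independently; several nodes behind one operator or one network path still behave as a single point of verification.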