The cryptocurrency industry suffered its worst month for security breaches in more than a year during April 2026, with total losses from hacks reaching $630 million across 25 separate incidents. The figure, compiled by DeFiLlama, surpasses every monthly total recorded since February 2025, when losses peaked at $1.47 billion, and underscores the persistent vulnerability of decentralized finance protocols to sophisticated, large-scale attacks.

Two Exploits Account for the Majority of Losses

Two incidents dominated the month's losses. Restaking platform KelpDAO was exploited for $293 million, while derivatives protocol Drift Protocol suffered a $280 million breach. Together, the two attacks accounted for approximately 82% of April's total hack losses. Security firm Hacken attributed both incidents to actors linked to the Democratic People's Republic of Korea, which has been widely associated with state-sponsored cryptocurrency theft campaigns targeting exchanges and DeFi protocols.

Cyvers co-founder Meir Dolev described April's spike as driven by a small number of precision strikes, with attackers increasingly targeting high-liquidity protocols. He said the month ranks among the worst for DeFi hacks in five years, with losses driven by social engineering and cross-chain complexity.

Attackers Shift Focus to Offchain Infrastructure

Yaniv Nissenboim, head of security solutions at Chainalysis, told Cointelegraph that April's spike reflects a broader shift toward more sophisticated, multi-stage attacks targeting offchain infrastructure rather than smart contract vulnerabilities. Entry points increasingly include compromised remote procedure call nodes, breaches of cloud key management systems and long-running social engineering campaigns. In many cases, onchain transactions continue to appear fully legitimate even as the underlying infrastructure has already been compromised.

Nissenboim said real-time monitoring and automated safeguards are becoming critical, citing anomalies such as abnormal minting patterns and cross-chain inconsistencies that can be detected instantly. In one case, rapid detection helped prevent a second theft of roughly $95 million during the KelpDAO incident.

Smaller Protocols Also Targeted Across Multiple Chains

Beyond the two headline incidents, a series of smaller attacks further illustrated the breadth of the threat landscape. DeFi derivatives platform Wasabi Protocol was drained of approximately $5.5 million across Ethereum, Base, Blast and Berachain networks in an ongoing exploit. Move-to-earn platform Sweat Economy reportedly lost $3.46 million, or about 65% of its liquidity pool, in under 30 seconds, though the protocol later confirmed that stolen funds were frozen on exchange MEXC shortly after the incident. Aftermath Finance, a Sui blockchain-based trading platform, suffered a $1.1 million loss across 11 transactions in roughly 36 minutes.

Industry Analysts Urge Structural Security Improvements

Despite the severity of April's losses, some analysts cautioned against drawing overly pessimistic conclusions about the long-term trajectory of DeFi. Standard Chartered analysts led by Geoffrey Kendrick said the KelpDAO incident is a sign of DeFi's growing resilience rather than a fatal failure for the sector. The bank noted that a maturing DeFi industry is expected to put solutions in place to reduce vulnerabilities, and that growth in DeFi banking is expected to remain on track.

The concentration of losses in a handful of large incidents shows how a small number of attacks can still overwhelm broader security improvements across the sector. As attackers grow more sophisticated in their methods, the industry faces mounting pressure to address vulnerabilities not just in smart contracts, but across the full stack of infrastructure that underpins decentralized finance.