The decentralized finance sector has recorded its worst month for security breaches in more than a year, with losses from crypto hacks reaching $629.7 million in April 2026 across 25 separate incidents. The figure represents the highest monthly total since February 2025, when $1.47 billion was stolen in a period dominated by the Bybit exchange breach.

Two Exploits Drive the Majority of Losses

Two incidents dominated the monthly total. KelpDAO, a restaking platform, suffered a $293 million exploit, while Drift Protocol, a DeFi derivatives exchange, lost $280 million in a separate breach. Together, the two attacks accounted for 82% of April's total losses, according to data from DeFiLlama.

Smaller incidents compounded the damage. Wasabi Protocol, a DeFi derivatives platform, was drained of approximately $5.5 million across Ethereum, Base, Blast and Berachain networks in an ongoing exploit flagged by security firm CertiK. Sweat Economy, a move-to-earn platform, lost $3.46 million representing roughly 65% of its liquidity pool in under 30 seconds, though the protocol later confirmed that stolen funds were frozen on the MEXC exchange. Aftermath Finance, a Sui-based trading platform, lost approximately $1.1 million in USDC across 11 transactions in 36 minutes.

Attackers Shift Focus to Off-Chain Infrastructure

Security analysts say April's spike reflects a structural shift in how sophisticated attackers approach DeFi protocols. Rather than exploiting smart contract code directly, threat actors are increasingly targeting the off-chain systems that protocols depend on, including remote procedure call nodes, cloud key management systems and human access layers.

"What connects these incidents is that well-resourced attackers are finding novel ways to exploit the seams between on-chain protocols and the off-chain systems they depend on," said Yaniv Nissenboim, head of security solutions at Chainalysis. He noted that in many cases, on-chain transactions appeared fully legitimate even as the underlying infrastructure had already been compromised.

Nissenboim added that real-time monitoring and automated safeguards are becoming critical tools for protocol defense, citing the detection of abnormal minting patterns and cross-chain inconsistencies during the KelpDAO incident. Rapid detection in that case helped prevent a second theft of approximately $95 million.

State-Linked Actors Suspected in Largest Breaches

Blockchain security firm Hacken said April marked the worst month on record for DeFi losses, attributing the largest attacks to actors linked to the Democratic People's Republic of Korea. North Korean-affiliated groups have been widely associated with a series of high-value crypto theft campaigns targeting exchanges and DeFi protocols over recent years.

Cyvers co-founder Meir Dolev described the month's losses as the result of a small number of precision strikes against high-liquidity protocols, driven by social engineering and cross-chain complexity. He said the month ranks among the worst for DeFi hacks in five years.

Analysts Say DeFi Growth Trajectory Remains Intact

Despite the scale of the losses, analysts at Standard Chartered offered a more measured assessment. In a research note, the bank's digital assets team led by Geoffrey Kendrick said the KelpDAO incident should be viewed as a sign of DeFi's growing resilience rather than a fundamental failure of the sector.

"While the recent KelpDAO theft and its impact on AAVE have raised questions around continued DeFi banking growth, we expect growth to remain on track as a maturing DeFi industry puts solutions in place to reduce vulnerabilities," the bank said. The assessment reflects a broader view among institutional observers that security incidents, while damaging, are prompting the sector to build more robust defenses rather than retreat from decentralized finance altogether.