Futures
Access hundreds of perpetual contracts
TradFi
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Pre-IPOs
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
Promotions
AI
Gate AI
Your all-in-one conversational AI partner
Gate AI Bot
Use Gate AI directly in your social App
GateClaw
Gate Blue Lobster, ready to go
Gate for AI Agent
AI infrastructure, Gate MCP, Skills, and CLI
Gate Skills Hub
10K+ Skills
From office tasks to trading, the all-in-one skill hub makes AI even more useful.
GateRouter
Smartly choose from 40+ AI models, with 0% extra fees
April 2026 The most destructive month in cryptocurrency history
April 2026 Officially becomes the worst month ever for DeFi security vulnerabilities. According to DefiLlama data, total cryptocurrency losses for April reached $629.69 million, setting a monthly record. DeFi protocols accounted for $614.17 million of the total losses, completely dominating the attack landscape. The scale, speed, and complexity of these attacks shook the core of the entire industry.
Two attacks that caused April’s destruction
These two attacks account for about 95% of April’s total losses.
On April 1st, Drift protocol on Solana lost $285 million. Analysts linked this incident to social engineering attacks associated with North Korea’s “Lazarus Group.” Then on April 18th, Kelp DAO lost between $292 million and $293 million. This vulnerability targeted the LayerZero V2 bridging route configured as a single point of failure.
Both incidents are related to North Korea’s “Lazarus Group” hackers. The vulnerability was not caused by code flaws or aggressive cyber intrusions but resulted from months-long operations combined with social engineering and legitimate protocol actions.
Other losses exacerbated the damage, including $18.4 million lost by Rhea Finance and $15 million stolen from Grinex, bringing the total stolen funds to an alarmingly high historical level.
Contagion effect: how a hacker attack can destroy an ecosystem
On April 18, 2026, during the Kelp DAO vulnerability event, attackers poisoned a single LayerZero verification node, minting 116,500 uncollateralized rsETH, leading to over $600 million in DeFi losses across the industry. The total DeFi locked value (TVL) dropped to a twelve-month low, capital outflows accelerated, involving re-staking, lending, and cross-chain bridge protocols.
Unlike previous hacker incidents mostly targeting a single platform, these recent vulnerabilities effectively weaponized DeFi’s composability. Because assets like rsETH are used as collateral or liquidity, the destruction of at least nine major platforms’ bridging infrastructure triggered almost instant liquidity crises. Major lending protocols, including Aave, were forced to initiate emergency market freezes to prevent further exploitation.
Within the first 48 hours after the attack, over $8.4 billion in deposits left Aave, and the total DeFi TVL across all protocols dropped by more than $13 billion. On April 24 alone, Ethereum experienced $1.6 billion in fund outflows that day.
Compared to previous months’ scale
According to DefiLlama, the $606.2 million total loss in April exceeded the combined total of $165.5 million in the first quarter. This makes April’s losses about 3.7 times the total of January, February, and March.
April’s loss scale sharply contrasts with March. CertiK reported total losses of approximately $59.5 million in March 2026, spread across 145 different incidents. April’s losses concentrated on a few large-scale failures, causing total losses to increase more than tenfold within a month.
Just KelpDAO and Drift Protocol attacks accounted for 95% of April’s losses and 75% of 2026’s total losses, totaling $771.8 million.
Increase in attack frequency by 68% year-over-year
The frequency of hacker incidents has surged dramatically. In the first 4.5 months of 2026, there have been 47 DeFi incidents, compared to 28 in the same period in 2025, a roughly 68% annual growth rate.
Not only the scale but also the complexity has changed. Early DeFi vulnerabilities typically targeted obvious smart contract flaws. Auditors adapted, code reviews improved, and formal verification became standard for major protocols. But attackers are shifting targets. New targets include bridge layers, oracle systems, signature infrastructure, and multi-signature key attack surfaces, which are harder to audit than ordinary smart contracts.
Regulatory response
In this context, regulators are paying close attention. On April 21, SEC Chairman Paul Atkins announced that the agency would soon release an “Innovation Exemption” allowing on-chain trading of tokenized securities within a compliant framework. This followed the March 2026 release of the SEC-CFTC joint token classification law, which categorized most crypto assets as non-securities under law.
Ongoing debates over the CLARITY Act have begun to spotlight stablecoins, sparking concerns about DeFi’s potential impact on traditional finance. In this environment, recent protocol hacker incidents may not only result in capital losses but also turn “DeFi FUD” into a key driver of current market sentiment.
Jefferies has warned that a series of high-profile hacker events could temporarily slow Wall Street’s interest in DeFi tokenization projects, even as institutional funds continue to flow in.
Expert opinions
Ledger’s security head bluntly stated, “2026 is likely to be the worst year for hacker incidents.”
Aave’s risk team is currently simulating two bad debt scenarios depending on the recovery rate of uncollateralized rsETH before market freeze. Aave’s TVL dropped from $26.4 billion to about $18 billion—due to users proactively avoiding risk, leading to $8.45 billion in funds withdrawn, with potential bad debt turning into actual losses.
DeFi’s design inherently places all responsibility on users. No refunds, no fraud protection teams, no account recovery processes. When issues arise, especially in April 2026, things get very bad—no safety net.
Key facts:
Total losses in April 2026: $629.69 million, a monthly record
Specific DeFi protocol losses: $614.17 million
April 1st Drift protocol loss on Solana: $285 million
April 18th Kelp DAO loss on Ethereum: $292–$293 million
Two attacks account for 95% of April’s losses and 75% of 2026’s total losses
April’s losses are 3.7 times the total of the first quarter of 2026
Total DeFi losses so far in 2026: $771.8 million
DeFi hacker incidents in 2026 increased by 68% year-over-year
Aave’s TVL dropped from $26.4 billion within 48 hours after the attack to $18B
Total DeFi TVL decreased by $13 billion within 48 hours
Both major attacks are linked to North Korea’s “Lazarus Group”
March 2026 losses were only $59.5 million
April 2026 has officially become the worst month for DeFi security breaches ever recorded. According to data from DefiLlama, total crypto losses reached $629.69 million across the entire month the highest figure ever recorded in a single month in the history of decentralized finance. DeFi protocols accounted for $614.17 million of total losses, completely dominating the attack landscape. The scale, speed, and sophistication of these attacks have shaken the entire industry to its core.
THE TWO ATTACKS THAT DESTROYED APRIL
Two attacks account for roughly 95% of April's total losses.
Drift Protocol on Solana lost $285 million on April 1. Analysts linked the incident to a social engineering attack connected to North Korea's Lazarus Group. Then on April 18, Kelp DAO lost between $292 and $293 million. The exploit targeted a LayerZero V2 bridge route configured as a single point of failure.
Both incidents have been linked to North Korea's Lazarus Group hackers. The breaches were not caused by code bugs or aggressive cyber intrusions but resulted from months-long operations that combined social engineering with otherwise legitimate actions on the protocols.
Additional losses compounded the damage including an $18.4 million loss at Rhea Finance and a $15 million theft from Grinex bringing the total volume of stolen capital to historically alarming levels.
THE CONTAGION EFFECT HOW ONE HACK DESTROYED THE ECOSYSTEM
The Kelp DAO exploit on April 18, 2026, in which attackers minted 116,500 unbacked rsETH by poisoning a single LayerZero verifier node, catalyzed more than $600 million in sector-wide DeFi losses. Total DeFi TVL collapsed to its lowest point in twelve months, as capital flight accelerated across restaking, lending, and cross-chain bridge protocols.
Unlike historical hacks that often remained isolated to a single platform, these recent breaches effectively weaponized the composability of DeFi. Because assets like rsETH were utilized as collateral or liquidity across at least nine other major platforms, the compromise of a single bridge infrastructure triggered a near-instantaneous liquidity crunch. Major lending protocols, including Aave, were forced to initiate emergency market freezes to prevent further exploitation.
In the initial 48 hours after the attacks, more than $8.4 billion in deposits left Aave, and total DeFi TVL across all protocols dropped by more than $13 billion. Ethereum alone saw $1.6 billion in outflows on April 24 in a single day.
THE SCALE COMPARED TO PREVIOUS MONTHS
According to data from DefiLlama, April's $606.2 million total across 12 incidents has already eclipsed the entire first quarter's $165.5 million combined losses. That makes April roughly 3.7 times larger than January, February, and March put together.
The scale of April's losses stands in sharp contrast to March. CertiK reported approximately $59.5 million in total losses for March 2026, spread across 145 separate incidents. April's losses concentrated around a few large-scale failures pushing the total more than ten times higher in a single month.
Two attacks alone KelpDAO and Drift Protocol account for 95% of April's losses and 75% of 2026's total of $771.8 million.
ATTACK FREQUENCY SURGING 68% YEAR OVER YEAR
Hack frequency is climbing sharply. DeFi recorded 47 incidents in the first 4.5 months of 2026, compared with 28 over the same period in 2025 a roughly 68% year-over-year rise.
What has changed is not just the scale it is the sophistication. Early DeFi exploits typically targeted obvious smart contract bugs. Auditors adapted, code reviews improved, and formal verification became standard for major protocols. But attackers shifted too. The new targets are bridge layers, oracle systems, signing infrastructure, and multisig key holders attack surfaces far harder to audit than a standard smart contract.
REGULATORY RESPONSE
Against this backdrop, regulators are paying close attention. On April 21, SEC Chair Paul Atkins announced that the agency is on the cusp of releasing an "innovation exemption" allowing tokenized securities to trade on-chain for the first time in a compliant framework. This follows a joint SEC-CFTC token taxonomy published in March 2026, which classified most crypto assets as outside securities law entirely.
The ongoing debate around the CLARITY Act is already putting stablecoins under the spotlight, raising concerns around DeFi's potential impact on the traditional financial system. In this context, the recent protocol hacks may be more than just a capital hit "DeFi FUD" could be emerging as a key driver for sentiment this cycle.
Jefferies has already warned that the string of high-profile hacks could temporarily slow Wall Street's appetite for DeFi tokenization projects, even as institutional money continues to arrive.
WHAT THE EXPERTS ARE SAYING
Ledger's head of security stated bluntly: "2026 will most likely be the worst year in terms of hacks, again."
Aave's risk team is now modeling two bad debt scenarios depending on recovery rates for the unbacked rsETH that was used as loan collateral before markets were frozen. Aave's TVL collapsed from $26.4 billion to approximately $18 billion — an $8.45 billion drawdown driven by users de-risking ahead of potential bad debt crystallization.
DeFi, by design, places full responsibility on the user. There are no chargebacks, no fraud protection teams, no account recovery flows. When something goes wrong and in April 2026 things went very wrong there is no safety net.
KEY FACTS:
Total losses in April 2026 $629.69 million highest ever in a single month
DeFi protocol losses specifically $614.17 million of the total
Drift Protocol exploit on April 1 $285 million lost on Solana
Kelp DAO exploit on April 18 — $292 to $293 million lost on Ethereum
Two attacks combined 95% of April's total losses
April losses 3.7 times larger than entire Q1 2026 combined
Total 2026 DeFi losses year-to-date $771.8 million
DeFi hack incidents up 68% year-over-year in 2026
Aave TVL dropped from $26.4B to $18B in 48 hours post-exploit
Total DeFi TVL dropped by $13 billion in 48 hours
Both major attacks linked to North Korea's Lazarus Group
March 2026 losses by comparison only $59.5 million
#DeFiLossesTop600MInApril #DeFi