April has already seen over $600m stolen across DeFi, bridges and wallets, turning security from a protocol‑level concern into a full‑blown market risk premium.

Fresh aggregate figures show that crypto protocols have already lost over $606m to hacks in the first 18 days of April, making it the worst month for exploits since February 2025 and pushing 2026’s year‑to‑date haul above $770m. According to data from DefiLlama at least 13 protocols have been compromised this month, with KelpDAO and Drift Protocol alone accounting for around 95% of April’s losses and roughly 75% of 2026’s total.

KelpDAO, an Ethereum liquid‑staking protocol, suffered an attack on April 18 that drained about 116,500 rsETH, valued at roughly $292m, after an attacker forged cross‑chain messages to trick a LayerZero EndpointV2 bridge contract into releasing reserves. Drift, Solana’s largest decentralized perpetuals exchange, was hit on April 1 in what regional media called a “sophisticated” exploit, losing about $285m in what is now the second‑largest security breach in Solana’s history after the $326m Wormhole hack in 2022.

From contract bugs to AI‑driven social engineering

The latest wave of hacks is not confined to smart‑contract bugs or restaking primitives. Incidents have hit routing and infrastructure layers such as Hyperbridge as well as front‑end and DevOps providers like Vercel, where attackers accessed internal systems and are allegedly shopping stolen data for $2m to fuel “global supply chain attacks.”

On the human side, wallet provider Zerion disclosed that it was targeted by North Korean hackers who used AI‑powered, long‑horizon social‑engineering campaigns to compromise hot‑wallet keys, stealing about $100,000 while leaving user funds and core infrastructure intact. The Security Alliance (SEAL) has identified at least 164 malicious domains tied to the DPRK‑linked group UNC1069, describing its playbook as defined by “patience, precision, and the deliberate weaponization of existing trust relationships.”

Industry data from earlier episodes, such as the $70m hot‑wallet exploit at Singapore‑based exchange Phemex in 2025, had already highlighted North Korea‑linked actors’ tendency to quickly convert stolen USDT and USDC into ETH to evade blacklists, a pattern authorities say continues in 2026.

Market structure reacted in real time as April’s hacks piled up. Between 11:00 and 13:00 UTC on key news days, order books in weaker mid‑cap DeFi names showed classic “capitulation” signatures: single‑session drawdowns of roughly 5–8%, thin bids and a visible rotation into protocols with cleaner security track records. Derivatives venues saw basket funding for DeFi tilt mildly negative while spot liquidity drained, the kind of configuration desks associate with a broad “security tax” on risk assets rather than isolated idiosyncratic shocks.

For traders, that has turned security into an explicit factor: fading leveraged DeFi beta on exploit headlines, staying long centralized venues and volatility‑monetizing infrastructure, and keeping dry powder for forced sellers once bad debt and write‑downs are fully recognized on‑chain.