In just 18 days of April 2026, the DeFi ecosystem recorded more than 12 significant attacks totaling $606 million in losses. It's the worst figure since the Bybit heist in 2025, and four times the total for the first quarter of the year.
The two cases that dominated the month
Drift Protocol — April 1st — $285 million
What looked like an April Fools' joke turned into the largest incident of the year so far. The Solana-based DEX was exploited through pre-signed authorizations hidden in contracts, the result of a social engineering campaign that lasted months.
The investigation attributes the attack to groups linked to North Korea — the same operational profile seen in incidents against Bybit and other exchanges. The modus operandi involves:
- Creation of fake identities of "developers" on LinkedIn and GitHub;
- Team infiltration via remote hiring as freelancers;
- Gradual injection of malicious signatures into the permissions system;
- Synchronized activation of the exploit.
Tether announced a commitment of $147.5 million to lead the protocol recovery plan.
Kelp DAO — April 19th — $293 million
A few weeks later, Kelp DAO surpassed Drift as the largest exploit of 2026. The attack targeted a cross-chain bridge built on LayerZero, draining nearly $300 million in a single Saturday night. Wallets linked to the theft have already begun moving funds through mixing services.
The event triggered a general exodus from DeFi: the aggregated TVL (Total Value Locked) dropped $14 billion in 48 hours, to the lowest level in a year.
Other incidents of the month
- CoW Swap (14/Apr): $1.2 million via domain hijacking, with attackers impersonating employees to the registry.
- Vercel (20/Apr): a breach at the web infrastructure provider exposed API keys, forcing crypto projects to rotate credentials en masse.
- Ice Open Network (15/Apr): an identity breach involving former partners and a user database leak.
Patterns that repeat
Analyzing the attacks together, three vectors dominated the month:
- Long-term social engineering — it's no longer "email phishing". It's months of infiltration.
- Cross-chain bridges — they continue to be the structural weak point of multichain.
- Supply chain — attacking dependencies (Vercel, domain provider) is more lucrative than attacking the final protocol.
The ON3X perspective
Every month like April reinforces why we advocate for the model of crypto custodied by a regulated platform for the majority of users. Self-custody and DeFi have their place — but they require technical knowledge that the average market participant doesn't have. When someone falls for phishing that drains pre-signed authorizations, the user loses everything, and the protocol has no one to turn to.
On platforms like ON3X, asset segregation, regulatory insurance, 24/7 on-chain monitoring, and reporting to authorities are part of the contract. It's not the same risk. It's not the same experience.
For those operating in DeFi: review the permissions granted to each contract today, using tools like Revoke.cash. The lesson from April is that old signatures kill.
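The permission review described above can also be scripted. The following is an added example, not code from this article or from Revoke.cash: it replays ERC-20 `Approval` event logs for one wallet and reports approvals that are still non-zero, flagging unlimited and long-forgotten ones. It assumes EVM-style token approvals; the function names, the `UNLIMITED` threshold and every address and log entry are constructed for illustration.

```python
# Added example: replay ERC-20 Approval logs to find allowances that are still live.
# All addresses and log entries below are constructed sample data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # assumed threshold: at or above this counts as "unlimited"


def _addr(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def _log(block, token, owner, spender, amount):
    """Build a constructed log in the shape returned by eth_getLogs."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": 0, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount)}


def live_allowances(logs, owner, head_block, stale_after):
    """Return approvals by `owner` that are still non-zero, newest state winning."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (the ERC-721 event has 4 topics)
        if _addr(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), _addr(topics[2]))
        state[key] = (int(log["data"], 16), log["blockNumber"])
    findings = []
    for (token, spender), (amount, block) in state.items():
        if amount == 0:
            continue  # revoked by a later approve(spender, 0)
        findings.append({"token": token, "spender": spender,
                         "unlimited": amount >= UNLIMITED,
                         "stale": head_block - block > stale_after})
    return findings


OWNER = "0x" + "aa" * 20
TOKEN_A, TOKEN_B = "0x" + "01" * 20, "0x" + "02" * 20
SPENDER_X, SPENDER_Y = "0x" + "0b" * 20, "0x" + "0c" * 20
SAMPLE_LOGS = [
    _log(100, TOKEN_A, OWNER, SPENDER_X, 2**256 - 1),    # old unlimited approval
    _log(200, TOKEN_B, OWNER, SPENDER_Y, 500),           # revoked at block 900
    _log(900, TOKEN_B, OWNER, SPENDER_Y, 0),
    _log(950, TOKEN_A, "0x" + "dd" * 20, SPENDER_X, 7),  # different owner
]
```

Logs record the approved amount, not what has since been spent, so confirm each finding against the token's `allowance()` before acting. Off-chain signatures that have not yet been submitted (such as EIP-2612 permits) leave no log and are not covered by this check.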
