KelpDAO And Drift Protocol Hacks Drive April 2026 Crypto Losses Past $630 Million
Image: Yellow

KelpDAO And Drift Protocol Hacks Drive April 2026 Crypto Losses Past $630 Million

02 May, 2026.Crypto.18 sources

Key Takeaways

  • April 2026 DeFi hacks exceed $630 million in losses, highest since Feb 2025.
  • KelpDAO and Drift Protocol hacks were the dominant April loss drivers.
  • Bridges, privileged access, and operational failures were the primary attack vectors.

April’s $630M hack toll

Crypto security losses in April 2026 surged past $630 million, reaching the highest level since February 2025, as multiple outlets tied the month’s damage to a small set of large DeFi breaches.

FinanceFeeds reported that “Crypto hack losses surged dramatically in April, crossing $630 million according to data from CertiK,” and said the month was “the most damaging month for the industry since early 2025.”

Image from bloomingbit
bloomingbitbloomingbit

Cryptonews.net and Cointelegraph both pointed to DeFiLlama’s figures, with Cryptonews.net stating “the total value hacked in April so far amounted to $629.7 million,” and Cointelegraph describing “Crypto hack losses top $630M in April, highest since February 2025.”

The Crypto Basic likewise framed April as a peak period, saying “crypto hack losses reaching $630 million in April, the highest since February 2025.”

Across these reports, the concentration of losses was repeatedly linked to KelpDAO and Drift Protocol, with FinanceFeeds citing “approximately $293 million” for Kelp DAO and “around $280 million” for Drift Protocol.

Cointelegraph and Cryptonews.net echoed the same core numbers, with Cointelegraph stating KelpDAO “lost $293 million” and Drift Protocol “suffered a $280 million exploit,” and Cryptonews.net adding that the two incidents accounted for “82% of the monthly losses.”

KelpDAO and Drift

The April spike was driven by two catastrophic incidents: KelpDAO and Drift Protocol, which multiple reports described as high-impact breaches rather than a broad wave of small exploits.

FinanceFeeds said “Notably, the Kelp DAO exploit, which resulted in approximately $293 million in losses, and the Drift Protocol breach, which accounted for around $280 million” together made up “roughly 82% of all funds lost during the month.”

Image from Cointelegraph
CointelegraphCointelegraph

The Crypto Basic similarly reported that “the majority of April’s losses stemmed from two major incidents: KelpDAO, which lost $293 million, and Drift Protocol, which suffered a $280 million exploit,” and added that “Together, these accounted for roughly 82% of total losses.”

Phemex provided additional incident-level detail, writing that “Deux incidents sont responsables de 95 % de ces pertes : Drift Protocol sur Solana (285 M$ le 1er avril) et le pont rsETH de Kelp (292 M$ le 18 avril).”

In its Drift account, Phemex said the attack “a généré des distorsions extrêmes sur trois paires Solana peu liquides” and that the “mark price du BTC-PERP sur Drift s’est écarté de plus de 12 % du marché spot,” triggering “des liquidations en chaîne au profit de l’attaquant.”

For KelpDAO, Phemex described an exploit of the “pont rsETH de Kelp (292 M$)” tied to “une faille de vérification de messages,” where the attacker “a soumis une preuve fictive d’un dépôt massif d’rsETH sur une chaîne puis a retiré les fonds sur l’autre.”

It further said the bridge held “plus de 1,2 Md$ en TVL au moment de l’incident,” and that Kelp’s team offered “une prime de 10 % (29,2 M$) pour la restitution des fonds.”

Other April drains

Beyond KelpDAO and Drift Protocol, outlets described additional April exploits that ranged from multi-chain drains to smaller but still damaging losses.

Source: DeFiLlama The concentration of losses in a handful of large DeFi incidents shows how a small number of attacks can still overwhelm broader security improvements across the sector

CointelegraphCointelegraph

The Crypto Basic said Wasabi Protocol “lost approximately $5.5 million across multiple blockchains,” and it described Sweat Economy as suffering “a rapid exploit that drained $3.46 million in seconds,” adding that “the platform later confirmed that the stolen funds were frozen on MEXC, and recovery efforts are underway.”

Cryptonews.net and Cointelegraph both cited Wasabi and Sweat Economy figures, with Cryptonews.net stating Wasabi “had been drained of around $5.5 million across Ethereum, Base, Blast and Berachain networks,” and Cointelegraph reporting Sweat Economy “reportedly lost $3.46 million, or about 65% of its liquidity pool, in under 30 seconds.”

Cointelegraph also described Aftermath Finance on Sui, saying “the attacker drained about $1.1 million in USDC across 11 transactions in roughly 36 minutes.”

Phemex added a timeline and mechanics for Drift and Kelp, while iProUP described a separate DeFi attack on April 22 involving Volo Protocol on Sui, saying it “resulted in the loss of about $3.5 million” and that it “affected three vaults containing WBTC, XAUm, and USDC.”

iProUP also tied its April totals to earlier disclosed hacks, stating “on April 21 the Kelp DAO hack was disclosed with losses of $292 million, and Drift Protocol, which suffered a $285 million attack on April 1,” and concluded that “losses for the month exceed $580 million.”

Attack methods and defenses

Multiple reports argued that April’s losses reflected a shift in how attacks are carried out, emphasizing “precision strikes” and multi-stage intrusions rather than a steady stream of small bugs.

FinanceFeeds said the month’s impact rose “follows a relatively quiet March to show a massive change in the structure of how attacks are happening across the ecosystem,” and it concluded that attackers were moving “away from frequent, low-value exploits toward fewer, highly targeted breaches capable of draining hundreds of millions in a single strike.”

Image from Cointribune
CointribuneCointribune

Cointelegraph quoted Chainalysis security head Yaniv Nissenboim, saying “What connects these incidents is that well-resourced attackers are finding novel ways to exploit the seams between on-chain protocols and the offchain systems they depend on,” and it listed “compromised remote procedure call (RPC) nodes, breaches of cloud key management systems and long-running social engineering campaigns.”

Cointelegraph also described how “real-time monitoring and automated safeguards are becoming critical,” citing “anomalies such as abnormal minting patterns and cross-chain inconsistencies that can be detected instantly.”

Cryptonews.net similarly reported that Chainalysis head Yaniv Nissenboim told Cointelegraph that attackers are exploiting “the seams between on-chain protocols and the offchain systems they depend on,” and it added that “In many cases, on-chain transactions still appear fully legitimate.”

Cointelegraph included a different perspective from Cyvers co-founder Meir Dolev, who said April’s spike was driven by a small number of “precision strikes,” and it noted that he said the month ranks “among the worst for DeFi hacks in five years.”

Standard Chartered’s Geoffrey Kendrick was also quoted, with Cointelegraph saying “While the recent KelpDAO theft and its impact on AAVE have raised questions around continued DeFi banking growth, we expect growth to remain on track,” and attributing that to a “maturing DeFi industry” putting “solutions in place to reduce vulnerabilities.”

In parallel, Phemex described how Drift’s “coupe-circuits” were “pas calibrés pour des mouvements de prix aussi soudains,” while Kelp’s bridge relied on message verification that failed to correctly validate “Merkle root.”

Broader crypto security and policy

While DeFi hacks dominated April’s headlines, other reports described parallel security and regulatory developments that framed the broader environment for crypto users and institutions.

Losses grew by more than 30% versus 2024, according to the on-chain analytics firm PeckShield

CriptoNoticiasCriptoNoticias

Yellow reported that Ethereum cofounder Vitalik Buterin urged users on April 18 to avoid all eth.limo addresses after the ENS gateway registrar was compromised, writing, “So please do not visit vitalik.eth.limo or other eth.limo pages until they confirm that the situation has returned to normal,” and adding, “The good folks at @eth_limo warned me that there was an attack on their DNS registrar.”

Image from CriptoNoticias
CriptoNoticiasCriptoNoticias

Yellow said the attackers “took control of the team's registrar account,” enabling them to “redirect traffic across the entire *.eth.limo domain,” and it noted that “No user funds have been confirmed lost.”

The Crypto Basic also highlighted regulatory movement in Malaysia, saying “Malaysia has lifted its watchlist status after regulatory talks,” and it quoted Bybit CEO Ben Zhou confirming the update on X and stating the decision followed “constructive” engagement with the Securities Commission Malaysia.

It added that Bybit was “first added to the investor alert list in 2021 for operating without proper authorization” and that it “ceased operations in Malaysia in December 2025 following regulatory pressure.”

On the enforcement side, The Crypto Basic reported that “U.S. authorities reported seizing $500 million in Iranian-linked crypto assets,” and it said Treasury Secretary Scott Bessent disclosed the figure during an interview with Fox Business, linking the seizures to “Operation Economic Fury.”

CriptoNoticias and KultureGeek placed April’s losses in a longer-term pattern of theft and changing tactics, with CriptoNoticias saying total losses tied to crimes involving crypto assets surpassed “USD 4.04 billion” in 2025 and KultureGeek claiming “hackers stole $2.7 billion in crypto” in 2025.

More on Crypto