North Korea-linked hacks, 20+ DeFi exploits drain $625M

North Korea-linked hacks and more than 20 DeFi exploits drained $625M in April, including $285M from Drift and $293M from KelpDAO, prompting withdrawals and freezes.

Hackers linked to North Korea and multiple other actors stole more than $625 million across more than 20 separate attacks in April 2026, blockchain records show. The month included nearly one incident per day and two large breaches that accounted for most of the losses.

On April 1, Drift Protocol lost about $285 million after attackers who had built trust with staff used pre-signed withdrawal instructions to move funds in roughly 12 minutes. On April 18, KelpDAO lost roughly $293 million when attackers induced the system to release tokens with no real backing and then used those tokens as collateral to borrow real assets.

The KelpDAO theft had wider effects on decentralized finance. Attackers deposited the stolen tokens as collateral on Aave and borrowed about $190 million in ether, leaving Aave holding effectively valueless collateral. Aave’s deposits fell from $26.4 billion to about $17.9 billion within 48 hours. Stablecoin pools on the platform reached full utilization, and estimates of Aave’s bad debt ranged between $123.7 million and $230 million. More than $13 billion exited DeFi protocols in the days after the KelpDAO incident, and several platforms froze functions to stem outflows.

Smaller incidents also occurred throughout April. Rhea Finance lost $18.4 million on April 10; Tether later froze $3.29 million of those funds. A Kyrgyzstan-based exchange, Grinex, had $13.74 million in USDT drained on April 15, with the attacker moving funds across dozens of wallets and converting them into obscure tokens. Hyperbridge lost about $2.5 million on the Polkadot network, CoW Swap reported a $1.2 million loss on April 14, and Wasabi Protocol lost roughly $5 million on April 30 after an attacker used a compromised deployment key. An on-chain analyst using the handle Wazz wrote that “Hundreds of wallets (many of which haven’t been active in 7+ years) just got drained by the same address on ETH mainnet,” adding that it appeared to be a live exploit.

Investigations and blockchain intelligence attribute a large share of April’s losses to state-backed North Korean hacking units. TRM Labs reports that about 75% of crypto hack losses through April 2026 (roughly $577 million of $759 million total) were linked to government-backed North Korean actors. TRM Labs also notes that North Korea has taken more than $6 billion in crypto since 2017.

Ari Redbord, global head of policy and government affairs at TRM Labs, warned, “What we are watching is not a North Korean campaign that is broader — it is one that is sharper.”

Responses from the ecosystem included emergency actions and collective funding. The Arbitrum Security Council used emergency powers to freeze about $71 million of attacker funds after the KelpDAO incident, and more than a dozen organizations pledged over $300 million to a DeFi rescue fund. Analysts who assume attacks continue at the current rate project roughly $7.5 billion in potential additional losses in the coming months if defensive measures and behavior do not change.

Security teams and on-chain investigators continue to examine the incidents and trace stolen funds, while protocols evaluate emergency controls and governance procedures to limit further losses.
