April 2026 Was the Most-Hacked Month for Crypto as Drift and KelpDAO Thefts Top $625 Million

April 2026 became the most-hacked month on record for the cryptocurrency industry by number of incidents, with roughly 28 to 30 exploits and more than $625 million stolen, according to industry tallies cited by The Block and Cointelegraph. The monthly total was reported in the roughly $625 million to $630 million range, with Cointelegraph citing a DeFiLlama figure of $629.7 million.

The losses were heavily concentrated. Two attacks — one on Drift Protocol and another on KelpDAO — accounted for the overwhelming majority of the money stolen in April, or roughly 90% or more depending on which monthly total is used. That made the month notable not just for its scale, but for how the biggest breaches happened: through operational and infrastructure weaknesses rather than straightforward smart-contract coding bugs.

The first major attack hit Drift Protocol on April 1. Drift is a Solana-based decentralized perpetual futures exchange, a type of platform that lets traders bet on crypto price moves using derivatives. Chainalysis said the exploit drained about $285 million.

Drift acknowledged the breach in an X post that began, “This is not an April Fools joke.”

According to Chainalysis, citing Drift’s investigation, the attackers spent months using social engineering to obtain pre-signed Solana transactions that used durable nonces, a mechanism that can keep signatures valid for longer periods. With those valid signatures in hand, the attackers were able to seize admin control, add a fake token as collateral and then drain real assets from the platform. The case stood out because the key weakness was privileged access and transaction handling, not a simple flaw in on-chain code.

The second major exploit came on April 18 at 17:35 UTC and targeted KelpDAO, a liquid restaking protocol that issues rsETH. Aave’s incident report said KelpDAO’s LayerZero-powered rsETH cross-chain route was exploited for 116,500 rsETH, widely valued at about $290 million to $294 million at the time. Multiple outlets and Aave’s reporting put the loss around $293 million.

Aave said the attackers were able to get a forged LayerZero inbound packet accepted on a 1-of-1 DVN configuration for the Unichain-to-Ethereum route. In practical terms, that meant rsETH was released on Ethereum without a corresponding burn on the source chain, breaking the normal accounting that should govern a cross-chain transfer.

The fallout was immediate. In an April 20 incident report, Aave said it froze rsETH and wrapped rsETH, or wrsETH, markets across multiple Aave V3 deployments and adjusted risk settings. LayerZero, the cross-chain messaging protocol used in the route, said the problem was not a general failure of its system but was “isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.”

Both of April’s biggest cases have drawn scrutiny because they point to attack surfaces beyond smart contracts themselves. In Drift’s case, investigators focused on social engineering, pre-signed transactions and the abuse of administrative privileges. In KelpDAO’s case, the issue was verifier design and cross-chain message validation tied to a specific deployment choice. For security analysts, that helped explain why April’s record incident count mattered beyond the headline number: the biggest losses came from weak points in operations and infrastructure that sit around decentralized finance, not just inside the code.

Loss totals for the month vary slightly by source, and attribution in both major incidents remains preliminary. Chainalysis and LayerZero-linked reporting said some indicators were consistent with DPRK-linked actors, but that is not a final legal or law enforcement determination.