April 2026 DeFi hacks set a brutal pace. According to DefiLlama, losses across the month totaled approximately $629.7 million spread across more than 25 protocols. Two incidents drive roughly 92% of that number. The rest still adds up to tens of millions across chains and protocol types that rarely make front pages.
This is the full list.
Drift and KelpDAO Took Everything
Drift Protocol on Solana lost $285 million on April 1. Drift disclosed the attack on X, confirming funds were bridged out to Ethereum and NEAR after attackers spent roughly six months running a social engineering campaign. TRM Labs attributed the attack to UNC4736, a North Korean state-sponsored group. Chainalysis published a full post-mortem tracing how durable nonces were used to exploit a compromised security council. Audits had passed. The breach was entirely operational.
KelpDAO followed on April 18 with a $293 million loss. An attacker drained 116,500 rsETH through a LayerZero bridge running a 1-of-1 verifier configuration. One compromised node was enough. Contracts were paused across chains. Halborn’s post-mortem and a Chainalysis breakdown both linked the incident to Lazarus Group activity. Galaxy Research documented the DeFi United recovery plan targeting roughly 107,000 units of excess collateral. We covered how Aave depositors on Base and Arbitrum faced a potential 73% haircut as the fallout spread through lending markets.
Combined, those two attacks account for $578 million. Everything else on this list fills the remaining $51.7 million.
Sui’s Six-Exploit Problem
Volo Vault lost $3.5 million on April 21 when a private key compromise cleared three separate audits without detection. We broke down how that happened here. Recovery has moved fast. Volo posted Recovery Update #6 on X on April 30 confirming all recovered funds now sit in a transparent wallet under volo.sui:
“All recovered funds are now parked in a transparent wallet under volo.sui… We are targeting to open deposits and withdrawals for all vaults (except XAUm and LayerZero WBTC) before May 1st.”
Scallop lost $150,000 on April 27 to a bug that had sat undetected in a deprecated contract for 17 months. That full story is covered here. Aftermath Finance was drained of $1.14 million on April 29 through a negative fee accounting flaw on Sui perpetuals. The attacker sent stolen funds directly to KuCoin. Aftermath paused the protocol and posted on X, committing to full user compensation. We reported on the KuCoin routing here.
Three exploits on a single chain in roughly two weeks. Add Pawtato in January, Typus in October 2025, and Nemo in September 2025, and the count reaches six.
The account @ourcryptotalk on X was direct about what that pattern signals:
“Six exploits from one ecosystem. A chain that requires heroic post-incident response every six weeks has already lost the plot. You cannot build a multi-year bull thesis on protocols that survive by reimbursing users out of pocket.”
That same account had published a longer thread on X laying out why SUI may never reclaim its January 2025 all-time high of $5.35. The core argument: 61% of all SUI remains locked, with 42 to 53 million tokens unlocking monthly through 2030. On April 1 alone, 53.4 million tokens hit circulation. SUI’s TVL peaked at $2.57 billion in late 2025 then collapsed to $573 million by March 2026, a 78% drop. Solana’s DeFi TVL sits above $10 billion.
The @Community_Sui account on X framed the situation similarly:
“The tokenomics told a different story, working against the price and leading to a significant decline. We see this as a cautionary tale.”
Rhea, Grinex, and the Mid-Month Damage
Rhea Finance on NEAR lost $18.4 million on April 16 through a slippage and margin trading flaw. It stands out as the month’s clearest recovery story. The team posted a detailed update on X confirming roughly $18 million recovered through user returns, Tether freezes, and ecosystem coordination. A $400,000 shortfall remains. The team committed to covering it. QuillAudits published a full analysis of the vulnerability.
Grinex, a sanctioned Russia-linked exchange, lost $15 million on April 16 in a hot wallet hack. Operations were suspended the same day. Elliptic tracked how funds were moved through TRON and Ethereum and converted. Reuters reported the exchange blamed foreign intelligence. No meaningful recovery has followed.
Purrlend lost $1.5 million on April 25 in an exploit spanning HyperEVM and MegaETH. Attacker wallets were identified. GoPlus Security flagged the activity on X. No major recovery was reported. Community voices called it a rug. We covered the inside-job theory here.
The Protocols Nobody Wrote About
Hyperbridge lost $2.5 million on April 12 through a fake state proof attack. Aethir was drained of $423,000 on April 9 via an access control flaw. Dango lost $410,000 on April 13 through a donate-negative-amounts exploit. Silo V2 lost $392,000 on April 3 from a misconfigured oracle. BSC TMM/USDT lost $1.67 million on April 4 via reserve manipulation.
SweatEconomy lost roughly $3 million on April 29. Blockaid issued an alert on X with transaction details and flagged the attacker address. Giddy lost $1.3 million. LML/USDT staking was drained of $950,000.
Zerion Wallet lost $100,000 on April 14 through a hot wallet compromise via social engineering. SubQuery Network lost $60,000 on April 12 via an access control flaw. MONA lost $60,950 on April 13. Judao was hit for $228,000 on April 28 in a flashloan exploit. Singularity Finance lost $413,000. ZetaChain lost $300,000. Juicebox V3 lost $52,000 on April 20 through a borrowFrom spoof attack. Thetanuts Finance lost $50,000 the same day in a first depositor attack. Kipseli lost $80,000. Scallop’s $150,000 is already noted above.
Every incident above is tracked on DefiLlama’s hacks dashboard.
