The week of April 13 did not produce the biggest theft in crypto history. It produced something different. Eleven separate protocols and platforms were targeted across seven distinct attack methods in roughly 72 hours. DNS hijacking, forged bridge proofs, insider extortion, AI-enabled social engineering, oracle manipulation, smart contract bugs, and a fake mobile app laundering route all appeared inside the same news cycle.
No two attackers used the same playbook.
CoW Swap was among the first to flag trouble. The decentralized exchange confirmed a DNS hijacking at 14:54 UTC on April 13, warning users to stop using swap.cow.fi until the team cleared it as safe. Per the official CoW DAO account on X, the CoW Protocol backend and APIs were not touched, though the team paused them as a precaution. No funds were confirmed drained, but the attack method itself stands out: DNS hijacking hits the domain layer, not the contract layer, meaning even technically sound protocols are exposed through their web infrastructure.
Bridge Built to Be Unhackable Gets Hacked
Hyperbridge had a worse day. On April 13, an attacker exploited a vulnerability in the protocol’s Token Gateway, inserting a forged message to seize admin control of the bridged DOT token contract on Ethereum. The team confirmed in their security update that the attacker then minted 1 billion bridged DOT tokens and sold them on a decentralized exchange. Realized losses landed at roughly $237,000 on Ethereum. The root cause, per Hyperbridge’s own post-mortem, was a flaw in the Merkle Mountain Range proof verification code inside the Solidity merkle tree verifier.
The timing drew immediate attention. Hyperbridge had published an April 1 post framing a fictional hack scenario as an April Fools’ joke, describing itself as effectively unhackable. Twelve days later the bridge was paused.
South Korean exchanges Upbit and Bithumb suspended DOT deposits and withdrawals following the incident. Polkadot confirmed via a post on X that native DOT and its parachains were not affected.
Bybit had a different outcome. The exchange’s Group Risk Control team flagged and stopped a series of coordinated fake deposit attacks across multiple chains, blocking potential losses exceeding 1 billion DOT. No funds were incorrectly credited, and no users were affected. Bybit attributed the block to its multi-layered deposit validation system.
Kraken, Zerion, and the Human Layer
The most discussed incident did not involve a smart contract at all. On April 13, Kraken Chief Security Officer Nick Percoco posted a security update to X confirming the exchange was being extorted. Per the post, a criminal group threatened to release videos of internal Kraken systems showing client data unless the exchange complied with financial demands. Two insider-related access incidents, one traced to February 2025 and one more recent, had exposed data for approximately 2,000 accounts.
“It’s important to start with the most important points: our systems were never breached; funds were never at risk; we will not pay these criminals; we will not ever negotiate with bad actors,” Percoco wrote. Kraken confirmed it is cooperating with law enforcement across multiple jurisdictions.
Zerion disclosed a parallel human-layer breach. A team member was targeted through an AI-enabled social engineering attack linked to a North Korean threat actor. The official Zerion post on X confirmed $100,000 in company funds were taken. No user funds were touched, and the breach was contained through architectural isolation that kept production systems separated from the compromised access. Zerion proactively took down its web app following the discovery.
KuCoin appeared in a separate incident, not as a direct target but as a destination. On-chain tracing by ZachXBT linked $9.5 million in laundered funds to the exchange following a theft enabled by a fraudulent app impersonating Ledger Live in the Apple App Store. The KuCoin insight page acknowledged the fake app discovery and confirmed monitoring. For retail holders, particularly those across African markets where KuCoin is widely used and hardware wallets are a primary custody option, the fake Ledger Live route presents a direct and specific risk.
The Smaller Numbers That Still Matter
Dango reported a $410,000 drain from its insurance fund after an attacker exploited a logic bug in the perps contract. Per the official Dango account on X, the bug allowed anyone to call a donation function without any check that the amount was positive, which let the attacker pull USDC collateral out. A white-hat hacker returned the funds and users were not affected.
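The bug class described above, as an added example that is not Dango's code: a simplified Python ledger in which the donation amount is a signed integer. The class, method names and the flow of funds are assumptions made for illustration; the sample figures are constructed.

```python
class InsuranceFund:
    """Toy ledger (constructed): user USDC balances plus a shared fund."""

    def __init__(self, fund, balances):
        self.fund = fund
        self.balances = dict(balances)

    def donate_unchecked(self, caller, amount):
        # Bug class from the text: the amount is signed and never validated,
        # so a negative "donation" moves funds from the pool to the caller.
        self.balances[caller] = self.balances.get(caller, 0) - amount
        self.fund += amount

    def donate(self, caller, amount):
        # Hardened form: reject non-integers, zero and negatives up front.
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            raise ValueError("donation must be a positive integer")
        if self.balances.get(caller, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[caller] -= amount
        self.fund += amount

    def total(self):
        return self.fund + sum(self.balances.values())


def demo():
    """Run the same negative donation through both paths."""
    ledger = InsuranceFund(410_000, {"caller": 0})
    total_before = ledger.total()
    ledger.donate_unchecked("caller", -410_000)
    drained = (ledger.fund, ledger.balances["caller"])
    # Total supply is unchanged, so a conservation check alone misses this.
    conserved = ledger.total() == total_before

    hardened = InsuranceFund(410_000, {"caller": 0})
    try:
        hardened.donate("caller", -410_000)
        rejected = False
    except ValueError:
        rejected = True
    return drained, conserved, rejected, hardened.fund
```

The invariant worth asserting in tests is that a donation never decreases the fund, since the sum of all balances stays constant in both the buggy and the correct path.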
Silo Finance disclosed a loss of approximately $392,000, but framed it differently. Per Silo Finance’s post on X, this was not a contract exploit. Every contract performed as designed. The issue was economic: wstUSR stayed priced at $1.00 inside an immutable market while trading well below that in the open market. The oracle configuration could not be updated after the depeg, and the gap was drained.
SubQuery Network confirmed a separate access control failure. Three transactions on April 12 exploited a missing onlyOwner modifier on the setContractAddress() function in the Settings contract on Base. The SubQuery incident report put the unauthorized drainage at 359,614,732 SQT tokens, or roughly $134,000. The team took full responsibility.
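A pre-deployment check for this failure class, as an added example that is not SubQuery's code or tooling: a heuristic Python scan that flags externally callable, state-changing Solidity functions with no access-control modifier. The guard allowlist and the embedded contract are constructed assumptions; regex matching is a first-pass filter, not a replacement for a real Solidity parser or audit.

```python
import re

# Modifiers treated as access control (assumed allowlist; extend per code base).
GUARDS = {"onlyOwner", "onlyRole", "onlyAdmin"}

# Constructed sample, not the SubQuery source: one unguarded setter, one guarded.
SAMPLE = '''
contract Settings {
    mapping(uint8 => address) private addrs;
    function setContractAddress(uint8 id, address a) external {
        addrs[id] = a;
    }
    function setBatchAddress(uint8[] calldata ids, address[] calldata a) external onlyOwner {
        for (uint i; i < ids.length; i++) { addrs[ids[i]] = a[i]; }
    }
    function getContractAddress(uint8 id) external view returns (address) {
        return addrs[id];
    }
    function _set(uint8 id, address a) internal { addrs[id] = a; }
}
'''

# name, then everything between the parameter list and the opening brace
HEADER = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

def body_of(src, start):
    """Return the brace-balanced function body that begins at index start."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def unguarded_mutators(src):
    """Names of external/public non-view functions with no guard modifier."""
    findings = []
    for m in HEADER.finditer(src):
        name, words = m.group(1), set(re.findall(r"\w+", m.group(2)))
        if not words & {"external", "public"}:
            continue  # internal/private: not directly callable
        if words & {"view", "pure"} or words & GUARDS:
            continue  # read-only, or already guarded by a modifier
        if "msg.sender" in body_of(src, m.end()):
            continue  # inline caller check present; review by hand
        findings.append(name)
    return findings
```

Run in CI against every contract file, a non-empty result should block the merge until each flagged function is either guarded or explicitly documented as permissionless.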
A BSC-based protocol called TMM lost an estimated $1.665 million USDT through a flash loan reserve manipulation attack. Halborn’s post-mortem traced the method: the attacker burned TMM tokens to a dead address, skewed pricing, and swapped roughly 850 million TMM tokens for the USDT profit.
Aethir reported a bridge exploit affecting contracts connecting Ethereum to other chains. The official Aethir security notice on X confirmed all compromised contracts were disconnected, the main ATH supply on Ethereum was fully intact, and user impact was under $90,000. A compensation plan was announced.
MONA, a smaller BSC farming project, was flagged by on-chain monitors at ExVul on X for a burn address accounting manipulation that drained approximately $60,950 in USDT.
What One Week Reveals
The aggregate financial damage across these eleven incidents is well under the headline numbers from earlier 2026 attacks. But the spread of methods is the real data point. DNS infrastructure, bridge proof verification, insider access, AI-accelerated phishing, oracle price feeds, access control gaps, logic bugs, flash loan manipulation, and fake mobile applications all appeared inside the same week.
No single security approach stops all of them. That is the practical problem these incidents collectively demonstrate.












