April sets record for number of crypto hacks
April set a record for monthly crypto hacks with more than 20 incidents, including a $292M KelpDAO exploit and a $280M Drift exploit; many involved DeFi breaches and social engineering.
April recorded a monthly high in the number of crypto hacks, with more than 20 separate incidents targeting decentralized finance platforms. DeFi analytics firm DeFi Llama flagged April as the most-hacked month on record by incident count, and an independent tracker tallied 24 incidents by late April with estimated combined losses above $600 million.
While the month did not exceed prior peaks in total dollars stolen, it included some of the largest single attacks this year. KelpDAO lost about $292 million in the biggest reported April incident. Drift Protocol suffered an exploit on April 1 that drained roughly $280 million.
KelpDAO’s breach created contagion concerns for lending markets. Lending protocol Aave arranged emergency liquidity support, and multiple organizations provided loans and donations to cover shortfalls and reduce the risk of cascading liquidations.
Drift described its breach as a “structured intelligence operation” that took roughly six months to stage. Security teams and project personnel reported that several high-value incidents resulted from social engineering and compromised administrative credentials rather than exploitable smart contract code.
Other attacks used technical weaknesses. Hyperbridge lost about $2.5 million after a Token Gateway exploit on a Polkadot-native protocol. Investigators found the attacker first withdrew roughly 245 ETH, then used a forged cross-chain message that bypassed Merkle Mountain Range proof verification to mint about 1 billion bridged DOT tokens and sell them.
An on-chain analyst flagged a separate pattern on Ethereum mainnet late in the month: hundreds of wallets, many inactive for seven years or more, were drained by the same address. The activity was described as a new live exploit.
DeFi Llama emphasized the unusually high incident count. A crypto commentator wrote on X: “The number of incidents tells one story. The method tells another.” Several security teams reported that compromises of admin keys and credential theft were common factors in multiple incidents.
Responses varied by project. Some protocols issued emergency proposals, rotated access keys and increased monitoring of cross-chain traffic. On-chain analytics firms expanded real-time tracking and alerts to flag suspicious transactions and wallet drains.
DeFi has repeatedly faced attacks on bridges, permissioned admin functions and oracle systems. April’s spike in incident count reflected a mix of automated code exploits and human-targeted operations across multiple protocols.