$606 Million Stolen in 18 Days: How North Korea's Lazarus Group Made April 2026 Crypto's Worst Hack Month in Over a Year

Security Alert · April 2026

$606 Million Stolen in 18 Days — How North Korea's Lazarus Group Made April 2026 Crypto's Worst Hack Month in Over a Year

KelpDAO lost $292M. Drift Protocol lost $285M. DeFi TVL crashed by $13 billion. One state-sponsored hacking group is responsible for both. Here is the complete story.

📰 CryptoInsight Blog 📅 April 30, 2026 ☕ 14 min read 🔒 Security Analysis
Total Stolen
$606.2M
In Just
18 Days
Incidents
12 Hacks
DeFi TVL Drop
−$13B
Attacker
Lazarus
In just 18 days, North Korea's Lazarus Group pulled off two of the largest DeFi exploits in history — back to back. First Drift Protocol on April 1. Then KelpDAO on April 18. Together: $577 million. With 10 smaller hacks filling in the gaps, April 2026 ended with $606.2 million stolen — 3.7 times more than the entire first quarter. This is the story of how it happened, why DeFi security keeps failing, and what must change.

The Scale: Numbers That Should Shock Everyone

Crypto has lived with hacks for as long as it has existed. But April 2026 crossed a threshold that even battle-hardened industry veterans called alarming. According to data tracked by DefiLlama and confirmed by BeInCrypto, $606.2 million was drained from decentralised finance protocols in just 18 days — across 12 separate incidents between April 1 and April 18.

To understand why this number is so extraordinary, consider the context. The entire first quarter of 2026 — all of January, February, and March combined — saw $165.5 million in crypto losses. April alone, in under three weeks, produced 3.7 times that figure. The month's losses push crypto's year-to-date theft total to $771.8 million across 47 incidents — a figure that will almost certainly exceed the full-year 2023 total of approximately $900 million before Q2 ends.

PeriodTotal LossesIncidentsComparison
Q1 2026 (Jan–Mar)$165.5M~35Baseline
April 2026 (18 days)$606.2M123.7× Q1 combined
2026 YTD total$771.8M47+68% vs 2025 pace
KelpDAO (Apr 18)$292M12026's largest hack
Drift Protocol (Apr 1)$285M12026's 2nd largest
Two hacks combined$577M295% of April's losses
February 2025 (Bybit)$1.466B1Largest single month ever

The two headline attacks — Drift Protocol and KelpDAO — account for 95% of April's losses and approximately 75% of everything stolen in crypto in all of 2026 so far. And both share a single culprit.


Attack #1 — The $285 Million Drift Protocol Hack (April 1, 2026)

Attack #1 · April 1, 2026
$285M
Drift Protocol — Solana
Social engineering + oracle manipulation. Six months of infiltration. Lazarus Group's most patient heist yet.
Method
Social Engineering
+ Oracle Manipulation
No code bug exploited. Humans were the vulnerability. A Lazarus agent posed as a developer for months before striking.

Drift Protocol was one of Solana's crown jewels — the largest perpetual futures decentralised exchange on the network, processing over $800 million in daily trading volume before April 1. It was not brought down by a clever piece of malware or an undiscovered smart contract bug. It was brought down by a patient human.

How the Attack Worked

North Korea's Lazarus Group, specifically its TraderTraitor subunit, spent approximately six months infiltrating Drift's organisation. A Lazarus agent posed as a legitimate software developer — passing interviews, completing tasks, building trust, and learning the organisation's internal systems, communication habits, and access controls.

Once inside, the attacker gained admin access and began whitelisting worthless collateral tokens within the protocol's risk engine. Drift's oracle system — which relied on a weighted average of multiple price feeds to calculate mark prices for its perpetual contracts — was then manipulated through a series of low-liquidity trading pairs. The oracle reported false prices. The risk engine accepted them. And the protocol's liquidation mechanisms triggered cascading losses that the attacker had specifically engineered.

🎭 The Social Engineering Playbook
Lazarus Group's TraderTraitor unit has pioneered crypto-sector social engineering. They identify target organisations on LinkedIn, create convincing developer profiles with GitHub histories, pass technical interviews, and embed themselves for months before executing. Smart contract audits — the industry's primary security tool — are completely useless against this attack vector. The vulnerability is human trust.

The $285 million loss happened over several hours on April Fool's Day — a date that, in retrospect, feels darkly ironic. By the time the community understood what had happened, Drift's liquidity was gone and Solana's DeFi ecosystem was in shock.


Attack #2 — The $292 Million KelpDAO Bridge Exploit (April 18, 2026)

Attack #2 · April 18, 2026
$292M
KelpDAO — LayerZero Bridge
2026's single largest crypto hack. A forged cross-chain message. 116,500 rsETH drained in one transaction.
Method
Bridge Forgery
Cross-Chain Exploit
Single-signature bridge approval forged. rsETH minted and drained. Same playbook as the 2022 Ronin Bridge hack — four years later.

Seventeen days after destroying Drift, Lazarus Group struck again — this time on Ethereum, targeting KelpDAO's restaked ETH (rsETH) bridge built on LayerZero's cross-chain messaging infrastructure.

Step-by-Step: How the KelpDAO Exploit Worked

The Attack Sequence
  • Setup: Lazarus Group identified that KelpDAO's LayerZero bridge relied on a single signature to authorise cross-chain transactions — a critical single point of failure
  • Forgery: Attackers crafted and injected a counterfeit authorisation message into the bridge's cross-chain messaging contract
  • Mint: The forged message triggered fraudulent mint instructions, causing the bridge to produce 116,500 rsETH tokens out of thin air
  • Drain: The freshly minted rsETH — representing 18% of the total rsETH supply — was immediately bridged out and liquidated
  • Collateral Abuse: Stolen rsETH was also used as fake collateral on Aave, triggering a wave of cascading liquidations across connected protocols
  • Total Damage: $292–293 million directly stolen, plus over $10 billion in secondary Aave outflows as panicked users rushed to withdraw
"The platform's setup allowed a single signature to approve cross-chain transactions, and once the attacker forged a convincing one, rsETH was minted and drained. This shows that even after four years since the Ronin hack, the weak points haven't changed." — 24/7 Wall St. Security Analysis, April 2026

The eerie parallel to the 2022 Ronin Bridge hack — which also exploited a single-signature verification flaw — is not lost on the industry. The Ronin hack stole $625 million using the same basic mechanic. Four years later, protocols were still deploying bridges with the same vulnerability. The lesson has not been learned.


Lazarus Group: Who They Are and Why They Will Never Stop

To understand why these attacks keep happening at this scale, you have to understand who is behind them. The Lazarus Group is not a typical cybercriminal organisation motivated by personal financial gain. It is a state-sponsored North Korean hacking unit operating under the direction of the Reconnaissance General Bureau — Pyongyang's primary intelligence agency.

Their mission is not profit for its own sake. It is sanctions evasion and weapons programme funding. International sanctions have cut North Korea off from the global financial system, preventing the country from purchasing the components it needs for its nuclear and missile programmes. Cryptocurrency — decentralised, pseudonymous, and globally accessible — has become Pyongyang's primary mechanism for generating hard currency outside the sanctions regime.

🇰🇵 Lazarus Group: A Decade of Crypto Theft
According to Chainalysis, Lazarus Group took approximately 59% of every dollar stolen in crypto globally in 2025. Their documented major heists include: the $1.4 billion Bybit breach (February 2025), the $308 million DMM Bitcoin heist (2024), the $625 million Ronin Bridge attack (2022), and now the $285 million Drift Protocol and $292 million KelpDAO attacks in April 2026. Their cumulative crypto theft over the past decade is estimated in the billions.

What makes Lazarus uniquely dangerous is their operational patience. The group is known to spend three to six months infiltrating a target before executing an attack. They learn an engineer's Slack habits, their GitHub activity, their professional relationships — then exploit that knowledge to gain trust, access, and ultimately control. Smart contract audits, penetration testing, and code reviews are irrelevant against an attacker who is already inside your organisation posing as a trusted colleague.


The Aftermath: $13 Billion TVL Crash and Mass Panic Withdrawals

The financial carnage extended far beyond the directly stolen funds. When news of the KelpDAO exploit spread on April 18, the broader DeFi ecosystem entered panic mode. The cascade effect was immediate and severe.

Protocol / MetricBefore ExploitAfter 48 HoursChange
Aave TVL$26.4B~$17.9B−$8.45B
DeFi Total TVL~$120B+~$107B−7%+ in 24hrs
rsETH Supply647,000 tokensPartially drained−18% minted fraudulently
Connected protocols affected20+Contagion spread
User withdrawals (ratio)~20× hack amountPanic multiplier

The ratio of secondary damage to primary theft is striking: for every dollar Lazarus Group directly stole, DeFi users pulled approximately 20 dollars out of the ecosystem in panic withdrawals. This panic-multiplier effect is one of DeFi's most dangerous structural vulnerabilities — a single hack can trigger a liquidity crisis orders of magnitude larger than the hack itself.

"Every protocol is taking a hit now. DeFi remains a niche market until risk can be properly priced; at this time, we're far from it." — Analyst Ted Pillows, BeInCrypto coverage, April 2026

The Recovery: DeFi United — An Unprecedented Coalition

The scale of the crisis demanded an equally unprecedented response. Within days of the KelpDAO exploit, the DeFi industry assembled what security researchers are calling the largest coordinated recovery effort in the history of decentralised finance.

The DeFi United Coalition

Who Is Involved
  • Aave — Published the technical recovery plan; raised $160M of a $200M recovery fund; coordinating protocol-wide response
  • LayerZero Labs — Pledged 10,000 ETH (~$23M): 5,000 ETH donated to DeFi United, 5,000 ETH to strengthen Aave's liquidity markets
  • Arbitrum Security Council — Froze over 30,000 ETH in attacker-linked wallets; coordinating with law enforcement agencies
  • Consensys, EtherFi, Ethena, Kelp — Contributing technical expertise and capital to the recovery effort
  • Chainalysis — Providing on-chain tracing of stolen funds; confirmed Lazarus Group attribution
  • Target: Recovery of approximately 107,000 rsETH from 7 exploiter addresses across Aave and Compound

As of April 28, Aave's recovery fund stood at $160 million of a $200 million target. Arbitrum's Security Council has frozen a significant portion of the attacker-linked wallets, though the sophisticated nature of North Korean money laundering operations means full recovery remains uncertain. Lazarus Group is known to rapidly convert stolen crypto through mixers, cross-chain bridges, and OTC desks — often within hours of an attack.

✅ What's Been Achieved So Far
Despite the grim totals, the industry response has been faster and more coordinated than any previous DeFi hack recovery. The $160M fund represents real capital committed to making users whole. Arbitrum's wallet freezes are a meaningful step. And the public, transparent nature of the recovery plan — published on-chain and verifiable by anyone — marks a new standard for DeFi crisis management.

Why DeFi Keeps Getting Hacked: The Bridge Problem

Cross-chain bridges have been the single most exploited piece of infrastructure in the entire crypto industry since 2021. According to data compiled by 24/7 Wall St., over $2.8 billion has been drained from bridges — representing roughly 40% of every dollar ever stolen in Web3. April 2026's KelpDAO exploit is the latest chapter in a story that keeps repeating itself.

Why Bridges Are the Fattest Targets in DeFi

Bridges solve a genuine problem: they allow assets to move between different blockchain networks. But the way most bridges solve this problem creates an enormous security vulnerability. To move an asset from Chain A to Chain B, a bridge typically locks the asset on Chain A and mints a representation of it on Chain B. This means the bridge contract on Chain A is essentially a single-address treasury holding enormous amounts of locked capital — with a target painted on it.

🌉 The Three Failures That Enable Every Bridge Hack
1. Single points of failure: Many bridges use minimal validator sets or single-signature schemes — meaning one compromised key unlocks everything.

2. Complex message verification: Cross-chain messages are extremely difficult to validate correctly. Forging one convincing message — as Lazarus did at KelpDAO — can drain the entire pool.

3. Upgrade key concentration: Bridges often rely on small admin teams with upgrade authority. A social engineering attack on one person can unlock admin controls over billions in locked funds.
"Cross-chain bridges have been the single most exploited piece of infrastructure in crypto since 2021, with over $2.8 billion drained from them — roughly 40% of every dollar stolen in Web3. April's $292 million KelpDAO hack worked just like the Ronin Bridge hack four years earlier." — 24/7 Wall St., April 2026

How Institutions Are Responding to the Security Crisis

The April 2026 hack wave has not gone unnoticed on Wall Street. Institutions that have been carefully entering the DeFi space — through tokenisation projects, yield strategies, and structured products — are now reassessing their exposure and timelines.

Jefferies, the investment bank, warned that the "string of marquee hacks could temporarily slow Wall Street's appetite for DeFi tokenization projects." Institutional risk managers, who had been cautiously warming to DeFi's yield opportunities, are now repricing the security premium on DeFi assets — meaning they want higher returns to compensate for the increased attack risk.

At the protocol level, institutional players are implementing emergency rate limits, freezing bridge flows as a precaution, and conducting urgent security reviews of their LayerZero-based infrastructure. Prediction market Polymarket is currently pricing a 100% probability of another $100 million+ crypto hack before year-end 2026 — a grim reflection of the market's expectation that this problem is structural, not episodic.

📋 The Silver Lining: SEC's Innovation Exemption
Despite the hack crisis, the broader regulatory environment in April 2026 remains the most favourable in years. SEC Chair Paul Atkins announced an "innovation exemption" allowing tokenised securities to trade on-chain in a compliant framework — following the joint SEC-CFTC token taxonomy published in March 2026. The message from regulators: we support the technology. The message from April's hacks: the technology still needs to earn that support.

5 Security Lessons Every Crypto Investor Must Know

April 2026's hack wave carries direct lessons for every participant in the crypto ecosystem — from individual investors to protocol developers and institutional allocators.

Lessons from April 2026
  • Bridges are the highest-risk infrastructure in DeFi. If a protocol's yield depends on a cross-chain bridge, understand exactly how that bridge validates messages — and whether it has a single point of failure.
  • Code audits do not protect against human attacks. Drift Protocol's $285M loss had nothing to do with bad code. A person was the vulnerability. Projects need operational security training and personnel vetting as rigorous as their code reviews.
  • Panic is more expensive than the hack itself. For every dollar Lazarus stole, $20 was pulled out of Aave by panicking users. Measured, informed responses to exploits preserve far more value than reactive withdrawal runs.
  • Decentralisation of signing authority is not optional. Single-signature bridge approvals are an unacceptable risk for any protocol handling more than a few million dollars. Multi-sig, time locks, and threshold schemes should be baseline requirements.
  • Lazarus Group is a permanent, state-level adversary. They are not going away. They are funded by a government. They will adapt. The industry must treat North Korean state hackers as a permanent fixture of its threat landscape, not an occasional surprise.

Frequently Asked Questions

How much was stolen in crypto hacks in April 2026? +
Over $606.2 million was stolen from crypto protocols across 12 separate incidents in the first 18 days of April 2026, according to DefiLlama data. This makes April 2026 the worst month for crypto theft since February 2025's Bybit breach, which totalled $1.4 billion. April's losses are 3.7 times larger than the entire first quarter of 2026 combined.
Who hacked KelpDAO in April 2026? +
North Korea's state-sponsored Lazarus Group — specifically its TraderTraitor subunit — was confirmed by Chainalysis as the attacker behind KelpDAO's $292 million LayerZero bridge exploit on April 18, 2026. The attackers forged a single cross-chain authorisation message to drain 116,500 rsETH tokens, representing 18% of the total rsETH supply.
How did the Drift Protocol hack happen? +
Drift Protocol on Solana lost $285 million on April 1, 2026, through a sophisticated social engineering campaign. Lazarus Group spent approximately six months infiltrating the organisation, gained admin access, whitelisted worthless collateral, and then manipulated Drift's oracle price feeds through low-liquidity trading pairs — triggering cascading liquidations that drained the protocol.
What happened to DeFi TVL after the April 2026 hacks? +
DeFi total value locked fell by more than 7% in the 24 hours following the KelpDAO exploit. Aave alone experienced $8.45 billion in outflows over 48 hours, dropping from $26.4 billion to near $17.9 billion. For every dollar hackers stole, DeFi users pulled roughly 20 more dollars out of the system in panic withdrawals — illustrating how a single exploit can trigger losses many times its direct size.
What is the DeFi United recovery fund? +
DeFi United is an Aave-led coalition launched to recover funds lost in the April 2026 KelpDAO hack. It includes Consensys, Arbitrum, LayerZero Labs, EtherFi, Ethena, and Kelp. LayerZero Labs pledged 10,000 ETH (~$23M) to the effort. Arbitrum's Security Council froze over 30,000 ETH in attacker-linked wallets. As of April 28, the fund had raised $160M of a $200M target.
What is Lazarus Group and why do they keep hacking crypto? +
Lazarus Group is a North Korean state-sponsored hacking organisation that uses cryptocurrency theft to fund Pyongyang's weapons programmes and evade international sanctions. They took approximately 59% of every dollar stolen in crypto globally in 2025. Their major heists include the $1.4B Bybit hack (2025), the $308M DMM Bitcoin theft (2024), and the 2022 Ronin Bridge attack. They will not stop because cryptocurrency is North Korea's primary mechanism for generating hard currency outside the global sanctions system.
⚠️ Disclaimer: This article is for informational purposes only. It does not constitute financial, investment, or legal advice. All data sourced from DefiLlama, Chainalysis, BeInCrypto, CoinDesk, 24/7 Wall St., and Phemex Research as of April 30, 2026.

The Industry That Keeps Learning the Same Lesson

$606 million. 18 days. One hacking group funded by a nuclear-armed state. April 2026 should be the month the crypto industry stops treating security as an afterthought. Whether it will be — that is the real question. Stay informed. Understand the risks. And never put more into DeFi than you can afford to lose.

© 2026 CryptoInsight Blog  ·  All Rights Reserved  ·  For informational purposes only

Sources: DefiLlama · Chainalysis · BeInCrypto · CoinDesk · 24/7 Wall St. · Phemex Research · Analytics Insight · SpotedCrypto  ·  April 30, 2026