$606 Million Stolen in 18 Days — How North Korea's Lazarus Group Made April 2026 Crypto's Worst Hack Month in Over a Year
KelpDAO lost $292M. Drift Protocol lost $285M. DeFi TVL crashed by $13 billion. One state-sponsored hacking group is responsible for both. Here is the complete story.
The Scale: Numbers That Should Shock Everyone
Crypto has lived with hacks for as long as it has existed. But April 2026 crossed a threshold that even battle-hardened industry veterans called alarming. According to data tracked by DefiLlama and confirmed by BeInCrypto, $606.2 million was drained from decentralised finance protocols in just 18 days — across 12 separate incidents between April 1 and April 18.
To understand why this number is so extraordinary, consider the context. The entire first quarter of 2026 — all of January, February, and March combined — saw $165.5 million in crypto losses. April alone, in under three weeks, produced 3.7 times that figure. The month's losses push crypto's year-to-date theft total to $771.8 million across 47 incidents — a figure that will almost certainly exceed the full-year 2023 total of approximately $900 million before Q2 ends.
| Period | Total Losses | Incidents | Comparison |
|---|---|---|---|
| Q1 2026 (Jan–Mar) | $165.5M | ~35 | Baseline |
| April 2026 (18 days) | $606.2M | 12 | 3.7× Q1 combined |
| 2026 YTD total | $771.8M | 47 | +68% vs 2025 pace |
| KelpDAO (Apr 18) | $292M | 1 | 2026's largest hack |
| Drift Protocol (Apr 1) | $285M | 1 | 2026's 2nd largest |
| Two hacks combined | $577M | 2 | 95% of April's losses |
| February 2025 (Bybit) | $1.466B | 1 | Largest single month ever |
The two headline attacks — Drift Protocol and KelpDAO — account for 95% of April's losses and approximately 75% of everything stolen in crypto in all of 2026 so far. And both share a single culprit.
Attack #1 — The $285 Million Drift Protocol Hack (April 1, 2026)
Drift Protocol was one of Solana's crown jewels — the largest perpetual futures decentralised exchange on the network, processing over $800 million in daily trading volume before April 1. It was not brought down by a clever piece of malware or an undiscovered smart contract bug. It was brought down by a patient human.
How the Attack Worked
North Korea's Lazarus Group, specifically its TraderTraitor subunit, spent approximately six months infiltrating Drift's organisation. A Lazarus agent posed as a legitimate software developer — passing interviews, completing tasks, building trust, and learning the organisation's internal systems, communication habits, and access controls.
Once inside, the attacker gained admin access and began whitelisting worthless collateral tokens within the protocol's risk engine. Drift's oracle system — which relied on a weighted average of multiple price feeds to calculate mark prices for its perpetual contracts — was then manipulated through a series of low-liquidity trading pairs. The oracle reported false prices. The risk engine accepted them. And the protocol's liquidation mechanisms triggered cascading losses that the attacker had specifically engineered.
The $285 million loss happened over several hours on April Fool's Day — a date that, in retrospect, feels darkly ironic. By the time the community understood what had happened, Drift's liquidity was gone and Solana's DeFi ecosystem was in shock.
Attack #2 — The $292 Million KelpDAO Bridge Exploit (April 18, 2026)
Seventeen days after destroying Drift, Lazarus Group struck again — this time on Ethereum, targeting KelpDAO's restaked ETH (rsETH) bridge built on LayerZero's cross-chain messaging infrastructure.
Step-by-Step: How the KelpDAO Exploit Worked
- Setup: Lazarus Group identified that KelpDAO's LayerZero bridge relied on a single signature to authorise cross-chain transactions — a critical single point of failure
- Forgery: Attackers crafted and injected a counterfeit authorisation message into the bridge's cross-chain messaging contract
- Mint: The forged message triggered fraudulent mint instructions, causing the bridge to produce 116,500 rsETH tokens out of thin air
- Drain: The freshly minted rsETH — representing 18% of the total rsETH supply — was immediately bridged out and liquidated
- Collateral Abuse: Stolen rsETH was also used as fake collateral on Aave, triggering a wave of cascading liquidations across connected protocols
- Total Damage: $292–293 million directly stolen, plus over $10 billion in secondary Aave outflows as panicked users rushed to withdraw
The eerie parallel to the 2022 Ronin Bridge hack — which also exploited a single-signature verification flaw — is not lost on the industry. The Ronin hack stole $625 million using the same basic mechanic. Four years later, protocols were still deploying bridges with the same vulnerability. The lesson has not been learned.
Lazarus Group: Who They Are and Why They Will Never Stop
To understand why these attacks keep happening at this scale, you have to understand who is behind them. The Lazarus Group is not a typical cybercriminal organisation motivated by personal financial gain. It is a state-sponsored North Korean hacking unit operating under the direction of the Reconnaissance General Bureau — Pyongyang's primary intelligence agency.
Their mission is not profit for its own sake. It is sanctions evasion and weapons programme funding. International sanctions have cut North Korea off from the global financial system, preventing the country from purchasing the components it needs for its nuclear and missile programmes. Cryptocurrency — decentralised, pseudonymous, and globally accessible — has become Pyongyang's primary mechanism for generating hard currency outside the sanctions regime.
What makes Lazarus uniquely dangerous is their operational patience. The group is known to spend three to six months infiltrating a target before executing an attack. They learn an engineer's Slack habits, their GitHub activity, their professional relationships — then exploit that knowledge to gain trust, access, and ultimately control. Smart contract audits, penetration testing, and code reviews are irrelevant against an attacker who is already inside your organisation posing as a trusted colleague.
The Aftermath: $13 Billion TVL Crash and Mass Panic Withdrawals
The financial carnage extended far beyond the directly stolen funds. When news of the KelpDAO exploit spread on April 18, the broader DeFi ecosystem entered panic mode. The cascade effect was immediate and severe.
| Protocol / Metric | Before Exploit | After 48 Hours | Change |
|---|---|---|---|
| Aave TVL | $26.4B | ~$17.9B | −$8.45B |
| DeFi Total TVL | ~$120B+ | ~$107B | −7%+ in 24hrs |
| rsETH Supply | 647,000 tokens | Partially drained | −18% minted fraudulently |
| Connected protocols affected | — | 20+ | Contagion spread |
| User withdrawals (ratio) | — | ~20× hack amount | Panic multiplier |
The ratio of secondary damage to primary theft is striking: for every dollar Lazarus Group directly stole, DeFi users pulled approximately 20 dollars out of the ecosystem in panic withdrawals. This panic-multiplier effect is one of DeFi's most dangerous structural vulnerabilities — a single hack can trigger a liquidity crisis orders of magnitude larger than the hack itself.
The Recovery: DeFi United — An Unprecedented Coalition
The scale of the crisis demanded an equally unprecedented response. Within days of the KelpDAO exploit, the DeFi industry assembled what security researchers are calling the largest coordinated recovery effort in the history of decentralised finance.
The DeFi United Coalition
- Aave — Published the technical recovery plan; raised $160M of a $200M recovery fund; coordinating protocol-wide response
- LayerZero Labs — Pledged 10,000 ETH (~$23M): 5,000 ETH donated to DeFi United, 5,000 ETH to strengthen Aave's liquidity markets
- Arbitrum Security Council — Froze over 30,000 ETH in attacker-linked wallets; coordinating with law enforcement agencies
- Consensys, EtherFi, Ethena, Kelp — Contributing technical expertise and capital to the recovery effort
- Chainalysis — Providing on-chain tracing of stolen funds; confirmed Lazarus Group attribution
- Target: Recovery of approximately 107,000 rsETH from 7 exploiter addresses across Aave and Compound
As of April 28, Aave's recovery fund stood at $160 million of a $200 million target. Arbitrum's Security Council has frozen a significant portion of the attacker-linked wallets, though the sophisticated nature of North Korean money laundering operations means full recovery remains uncertain. Lazarus Group is known to rapidly convert stolen crypto through mixers, cross-chain bridges, and OTC desks — often within hours of an attack.
Why DeFi Keeps Getting Hacked: The Bridge Problem
Cross-chain bridges have been the single most exploited piece of infrastructure in the entire crypto industry since 2021. According to data compiled by 24/7 Wall St., over $2.8 billion has been drained from bridges — representing roughly 40% of every dollar ever stolen in Web3. April 2026's KelpDAO exploit is the latest chapter in a story that keeps repeating itself.
Why Bridges Are the Fattest Targets in DeFi
Bridges solve a genuine problem: they allow assets to move between different blockchain networks. But the way most bridges solve this problem creates an enormous security vulnerability. To move an asset from Chain A to Chain B, a bridge typically locks the asset on Chain A and mints a representation of it on Chain B. This means the bridge contract on Chain A is essentially a single-address treasury holding enormous amounts of locked capital — with a target painted on it.
2. Complex message verification: Cross-chain messages are extremely difficult to validate correctly. Forging one convincing message — as Lazarus did at KelpDAO — can drain the entire pool.
3. Upgrade key concentration: Bridges often rely on small admin teams with upgrade authority. A social engineering attack on one person can unlock admin controls over billions in locked funds.
How Institutions Are Responding to the Security Crisis
The April 2026 hack wave has not gone unnoticed on Wall Street. Institutions that have been carefully entering the DeFi space — through tokenisation projects, yield strategies, and structured products — are now reassessing their exposure and timelines.
Jefferies, the investment bank, warned that the "string of marquee hacks could temporarily slow Wall Street's appetite for DeFi tokenization projects." Institutional risk managers, who had been cautiously warming to DeFi's yield opportunities, are now repricing the security premium on DeFi assets — meaning they want higher returns to compensate for the increased attack risk.
At the protocol level, institutional players are implementing emergency rate limits, freezing bridge flows as a precaution, and conducting urgent security reviews of their LayerZero-based infrastructure. Prediction market Polymarket is currently pricing a 100% probability of another $100 million+ crypto hack before year-end 2026 — a grim reflection of the market's expectation that this problem is structural, not episodic.
5 Security Lessons Every Crypto Investor Must Know
April 2026's hack wave carries direct lessons for every participant in the crypto ecosystem — from individual investors to protocol developers and institutional allocators.
- Bridges are the highest-risk infrastructure in DeFi. If a protocol's yield depends on a cross-chain bridge, understand exactly how that bridge validates messages — and whether it has a single point of failure.
- Code audits do not protect against human attacks. Drift Protocol's $285M loss had nothing to do with bad code. A person was the vulnerability. Projects need operational security training and personnel vetting as rigorous as their code reviews.
- Panic is more expensive than the hack itself. For every dollar Lazarus stole, $20 was pulled out of Aave by panicking users. Measured, informed responses to exploits preserve far more value than reactive withdrawal runs.
- Decentralisation of signing authority is not optional. Single-signature bridge approvals are an unacceptable risk for any protocol handling more than a few million dollars. Multi-sig, time locks, and threshold schemes should be baseline requirements.
- Lazarus Group is a permanent, state-level adversary. They are not going away. They are funded by a government. They will adapt. The industry must treat North Korean state hackers as a permanent fixture of its threat landscape, not an occasional surprise.
Frequently Asked Questions
The Industry That Keeps Learning the Same Lesson
$606 million. 18 days. One hacking group funded by a nuclear-armed state. April 2026 should be the month the crypto industry stops treating security as an afterthought. Whether it will be — that is the real question. Stay informed. Understand the risks. And never put more into DeFi than you can afford to lose.


