April 2026 has become the most exploited month in crypto history by incident count, with roughly 28 to 30 attacks draining more than $625 million from DeFi protocols, while new data from TRM Labs reveals that North Korean-linked hackers were responsible for approximately 76 percent of all crypto theft losses recorded so far this year.
The numbers are difficult to frame as anything other than a crisis. Data from DeFiLlama shows that April ended with somewhere between 28 and 30 confirmed exploits, making it the single worst month the crypto industry has recorded in terms of attack frequency. The dollar figure attached to that is more than $625 million. The two largest incidents, Drift Protocol and KelpDAO, accounted for the bulk of the damage, but the sheer number of separate attacks across the month tells a more uncomfortable story than any single headline loss. This was not one catastrophic vulnerability. It was a sustained, broad-based assault on an ecosystem that has not yet built defenses commensurate with the capital it holds.
The TRM Labs data adds a dimension that moves this beyond the usual DeFi exploit narrative. According to the firm's reporting, North Korean state-affiliated hackers were behind roughly 76 percent of all crypto hack losses recorded in 2026 to date. That figure deserves a moment of consideration. The dominant force in crypto theft right now is not opportunistic individual hackers or loosely organized criminal groups. It is a state apparatus with dedicated personnel, long-term targeting strategies, and the operational patience to identify and exploit vulnerabilities across multiple protocols over months rather than days. The Lazarus Group and affiliated units have been linked to billions in crypto theft over the past several years, and the 2026 data suggests their capabilities and ambitions are still expanding.
The concentration of losses in a small number of large incidents alongside a high frequency of smaller ones suggests two distinct threat profiles operating simultaneously. The major losses at Drift and KelpDAO point to targeted, sophisticated attacks where the hackers almost certainly spent significant time studying the protocol's code and economic logic before executing. These are not smash-and-grab operations. They are the product of adversaries who understand smart contract architecture well enough to find edge cases that auditors missed.
The broader wave of smaller exploits across the month reflects a different but equally serious problem: the attack surface of DeFi is simply enormous, and the resources devoted to securing it remain uneven. New protocols launch constantly, often under competitive pressure to move fast. Smart contract audits are expensive and do not guarantee safety, as the record of exploited audited protocols demonstrates clearly. Insurance products exist but cover a fraction of total value locked. The industry has grown faster than its security infrastructure, and April's numbers are the invoice for that imbalance.
KelpDAO's losses are particularly instructive because the protocol operates in the liquid restaking space, one of the newer and more complex corners of DeFi. Restaking, which allows staked assets to be used as collateral across multiple protocols simultaneously, creates compounding interdependencies that amplify both yield and risk. When something goes wrong in a restaking protocol, the damage does not stay contained. It propagates through the other protocols that were relying on that collateral. That systemic interconnection is exactly what makes this category attractive to sophisticated attackers looking to maximize impact per exploit.
Why this matters beyond DeFi
The crypto security conversation has historically been treated as a problem for retail investors and DeFi degens to manage themselves. April's record forces a reassessment of that framing. Institutional adoption of blockchain infrastructure, tokenization of real-world assets, and the emergence of private credit platforms built on smart contracts are all predicated on the assumption that the underlying infrastructure is secure enough to trust with serious capital. That assumption is under pressure.
Companies like Fence, which recently raised $20 million to automate asset-backed finance workflows using blockchain, are building on infrastructure that shares an ecosystem with the protocols being drained monthly. The security failures in DeFi do not automatically infect enterprise blockchain deployments, which typically operate on permissioned networks with different threat models. But they do affect the regulatory and reputational environment in which those deployments have to operate. Every nine-figure hack makes the conversation with a compliance team or a board audit committee harder.
For the broader institutional adoption story, the relevant question is not whether blockchain infrastructure can be made secure. It can, with the right architecture, auditing practices, and operational controls. The question is whether the industry will invest in those things at a pace that matches the capital flowing in. Right now, the answer that April's data provides is not reassuring. North Korean state hackers operating at scale, 30 exploits in a single month, and $625 million gone suggest that the security investment curve needs to steepen considerably before institutional adoption can proceed with the confidence the space is currently projecting.
The protocols that survive and grow through this environment will be the ones that treat security as core infrastructure rather than a compliance checkbox. That distinction is going to matter more with each passing month, and the institutions evaluating blockchain deployments will increasingly be asking to see the evidence before they sign.
Also read: Goodfire's New Tool Lets Engineers See Inside a Language Model While It Is Still Being Trained and That Changes Everything About AI Safety • NFTs Are Not Dead But the Market You Remember Is Gone • Pokémon Cards Are Beating Crypto and Stocks and Investors Are Paying Attention
