Major DeFi hack becomes the largest of 2026 yet

By TheStreet Roundtable
25 days ago

The cryptocurrency industry is facing a severe security crisis. In just under 20 days, digital asset platforms have lost more than $605 million to cyberattacks.

The latest and most devastating incident occurred on Sunday, April 19, when a hacker drained roughly $293 million from Kelp DAO, marking the largest decentralized finance (DeFi) exploit of 2026.

The breach at Kelp DAO pushes the total number of attacked crypto businesses and protocols to at least 12 since the beginning of the month.

What happened with Kelp DAO?

Kelp DAO operates as a liquid restaking protocol. In simple terms, users deposit established cryptocurrencies like Ether (specifically staked versions like stETH or cbETH) into Kelp. 

In return, they receive a "receipt" token called rsETH, which earns rewards and can be used in other financial applications.

To allow rsETH to function across more than 20 different blockchain networks—including Arbitrum, Base, Linea, and Scroll—Kelp uses a "bridge." This bridge holds a massive reserve of rsETH to back the tokens circulating on other networks.

At 17:35 UTC on Sunday, an attacker targeted the communication system connecting these blockchains, known as LayerZero. 

About 10 hours earlier, the attacker had funded a wallet through Tornado Cash, a privacy tool often used by hackers to hide their tracks. The attacker then tricked LayerZero's EndpointV2 contract into believing a legitimate instruction had arrived from another network.

This fake message prompted the Kelp bridge to release 116,500 rsETH directly to the attacker. The stolen amount represents approximately 18% of the entire circulating supply of rsETH, which totals around 630,000 tokens.

The response and contagion risk

Because DeFi applications are heavily interconnected, a vulnerability in one asset can threaten the entire system. People frequently use rsETH as collateral for loans on other platforms.

Following the breach, Kelp DAO’s emergency team activated a protocol-wide pause at 18:21 UTC, freezing deposits, withdrawals, and the rsETH token itself.

"Earlier today we identified suspicious cross-chain activity involving rsETH," Kelp wrote on X at 20:10 UTC. 

"We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with LayerZero, Unichain, our auditors and top security experts on RCA."

To prevent further financial damage, Aave—the largest lending platform in DeFi with over $20 billion in locked assets—immediately froze its rsETH markets on both its V3 and V4 platforms. Aave clarified that its own smart contracts were not compromised.

“Freezing the rsETH markets prevents new deposits and borrowing against rsETH collateral while the situation is assessed,” the platform stated. As panic spread during Asian trading hours on Sunday, Aave's native token dropped by 20%.

Aave also addressed the potential for financial shortfalls, stating, "We are reviewing information about rsETH borrows on Aave that occurred after the exploit and will share more details as soon as possible." 

Initially, Aave stated that its "Umbrella" safety module assets could offset any bad debt. However, the platform later revised its statement to say, "If the protocol accumulates bad debt from this incident, we'll explore paths to offset the deficit."

This is the second security incident for Kelp in a year; in April 2025, a fee contract bug caused excess token minting, though no user funds were lost at that time.

A brutal month for crypto security

The Kelp DAO breach slightly overtakes the massive $285 million Drift Protocol exploit from April 1, which set a grim tone for the month. 

Authorities suspect North Korean-affiliated hackers executed the Drift attack using a sophisticated, long-term social engineering campaign involving pre-signed hidden authorizations. 

By fabricating a CarbonVote Token (CVT) to manipulate pricing data, attackers drained assets in roughly 12 minutes. Tether eventually helped secure a $147.5 million recovery package for affected users.

Since the Drift incident, a wave of varied and frequent attacks has swept across the industry:

Exchange and infrastructure attacks:

  • Grinex: On April 15, this Russia-linked, Kyrgyzstan-based exchange was drained of roughly $13.74M in USDT across 54 wallets. The funds were quickly converted via SunSwap. While Grinex blamed Western intelligence agencies and halted operations, blockchain analysis firm Chainalysis suggested the event could be a "false flag" exit scam.
  • Hyperbridge: An attacker exploited a verification bug (Merkle Mountain Range) to forge cross-chain messages, minting and dumping 1 billion bridged DOT tokens. Losses totaled approximately $2.5 million across four chains, with funds traced to Binance.
  • Aethir: On April 10, this decentralized GPU cloud infrastructure halted an attack on its bridge contracts. "ATH Security Notice We detected and contained a malicious attack on ATH bridge contracts connecting Ethereum to other chains," the company wrote on X. Key facts shared included that all compromised contracts were disconnected, the main supply remained intact, and user impact was "limited to less than $90,000 USD."

DeFi market manipulation:

  • Rhea Finance (Rhea Lend): An attacker spent two days preparing 423 wallets and eight fake liquidity pools to manipulate oracle prices on the NEAR network. The exploit drained nearly $18.4 million. Tether managed to freeze $3.29 million.
  • BSC TMM/USDT: A hacker utilized massive flash loans on the Binance Smart Chain to manipulate pool reserves, walking away with over $1.6M.
  • Smaller DeFi exploits: A smart contract bug cost bridge aggregator Dango $410,000, while lending protocol Silo Finance lost $392,000 on April 3 due to a misconfigured oracle.

Social engineering and phishing:

  • Zerion: North Korean-linked actors used AI-powered social engineering to compromise an employee's device, exposing private keys to company hot wallets. Roughly $100,000 in internal funds were stolen, but user assets remained safe.
  • CoW Swap: On April 14, 2026, popular DEX aggregator CoW Swap reported a $1.2 million loss after a domain hijacking attack. According to the team, attackers pretended to be company staff and tricked the domain provider into giving them control of the website. They then redirected users to a fake site that looked exactly like the real CoW Swap platform.

With sophisticated attackers exploiting everything from complex cross-chain bridges to basic human trust, the cryptocurrency industry faces an urgent mandate to fortify its security infrastructure before rolling contagion permanently fractures investor confidence.
