April 2026 Crypto Hacks Hit $606M as Lazarus Drains Drift and Kelp


What to Know

  • $606.2 million stolen in the first 18 days of April 2026, or 3.7x the entire Q1 total of $165.5 million
  • Drift Protocol lost $285 million on April 1 after attackers tricked the Security Council into pre-signing durable nonce transactions
  • Kelp DAO bled $292 million on April 18 through a forged LayerZero EndpointV2 message on the rsETH restaked adapter
  • DeFi shed roughly $10 billion in TVL on April 19, the largest single-day outflow since Terra collapsed in May 2022

The April 2026 crypto hacks tally now sits at $606.2 million across 18 days, and the math is ugly. That is 3.7 times the combined Q1 haul of $165.5 million across January, February, and March. Two mega-heists do almost all of the damage. Drift Protocol on Solana and Kelp DAO’s rsETH bridge account for $577 million of the monthly bleed, and forensic analysts have pinned both on the same crew: North Korea’s Lazarus Group.

How Lazarus Drained $285 Million From Drift Protocol in 12 Minutes

The Drift attack on April 1 was not a smart contract bug. It was a confidence trick, executed with the patience of a state actor. Attackers spent roughly three weeks cosplaying as a quantitative trading firm, building rapport with Drift’s Security Council and slowly walking them into pre-signing durable nonce transactions. When the signatures were in hand, the exploit itself took about 12 minutes.

Here is the mechanic, according to TRM’s Drift exploit breakdown. The attackers deployed a wash-traded fake token called CVT, pumped its on-chain price through thin liquidity, then fired the pre-signed transactions to drain Drift’s main vaults against the inflated collateral value. The Security Council signers did not realize what they had authorized until the vaults were already empty.

Call it what it is. Social engineering beat cryptography, again. The Security Council was not hacked in any meaningful technical sense. They were talked into handing over the keys while thinking they were reviewing a routine trading integration.
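A pre-signing check that a multisig signer could run over a serialized Solana transaction message, added here as an example (it is not code from Drift, TRM, or the original article). It flags durable-nonce transactions, which Solana identifies by a System Program AdvanceNonceAccount instruction in the first instruction slot and which do not expire with a recent blockhash the way ordinary transactions do. The helper names and the sample messages are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # System Program id: base58 "1" * 32 decodes to 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount discriminant (u32 LE)

def _shortvec(buf, i):
    """Decode Solana's compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def first_instruction(msg):
    """Return (program_id, account_keys, data) for instruction 0, or None if there is none."""
    i = 1 if msg[0] & 0x80 else 0      # versioned messages start with a version byte
    i += 3                             # header: signer and read-only counts
    n_keys, i = _shortvec(msg, i)
    keys = [msg[i + 32 * k: i + 32 * (k + 1)] for k in range(n_keys)]
    i += 32 * n_keys + 32              # skip the keys and the recent-blockhash field
    n_ix, i = _shortvec(msg, i)
    if n_ix == 0:
        return None
    prog = keys[msg[i]]
    n_acc, i = _shortvec(msg, i + 1)
    accts = [keys[a] for a in msg[i:i + n_acc]]
    n_data, i = _shortvec(msg, i + n_acc)
    return prog, accts, msg[i:i + n_data]

def durable_nonce_account(msg):
    """Return the nonce account key if msg is a durable-nonce transaction, else None."""
    ix = first_instruction(msg)
    if ix is None:
        return None
    prog, accts, data = ix
    is_advance = len(data) >= 4 and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE
    return accts[0] if prog == SYSTEM_PROGRAM and is_advance and accts else None

def sample_message(acct_idx, data, versioned=False):
    """Constructed sample: one System Program instruction over four made-up keys."""
    keys = [bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32, SYSTEM_PROGRAM]
    ix = bytes([3, len(acct_idx), *acct_idx, len(data)]) + data
    body = bytes([1, 0, 2, len(keys)]) + b"".join(keys) + bytes([9]) * 32 + bytes([1]) + ix
    return b"\x80" + body + b"\x00" if versioned else body
```

A signing tool built on this would display the returned nonce account and require explicit acknowledgement that the signature remains usable until that nonce is advanced.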

The pattern matches Lazarus’s ‘Slow Stalk’ playbook: weeks of reconnaissance, social engineering of privileged multisig signers, exploitation during off-peak hours, and rapid laundering through mixers.

— TRM Labs forensic report

What Went Wrong at Kelp DAO on April 18?

The Kelp DAO hit was a different animal. Where Drift fell to a social exploit, Kelp fell to a cross-chain message forgery, and the damage came in at $292 million. The attacker targeted LayerZero’s EndpointV2 lzReceive function on the rsETH restaked ETH adapter, forging cross-chain messages that should have been rejected by the validator set.

Once the forged mints cleared on the destination chain, the attacker swapped the illegitimate rsETH for real liquid tokens and bridged the proceeds out through mixing services before anyone on the Kelp team could act. The full post-mortem is documented in LayerZero’s Kelp incident statement. Kelp froze affected vaults within two hours. That response time sounds fast until you remember the drain had already finished.

The uncomfortable question for every LST and LRT protocol right now is whether the lzReceive validation assumption holds for the rest of the ecosystem. If one restaked adapter could be bamboozled, others can be too.

  • April 18: Attacker forges cross-chain message into LayerZero EndpointV2
  • Forged lzReceive call mints illegitimate rsETH on destination chain
  • Attacker swaps fake rsETH for legitimate tokens and bridges out
  • Kelp team freezes vaults 2 hours later, after the drain completes

The $10 Billion TVL Wipe Nobody Is Talking About

The headline loss is $606 million. The real loss is bigger, and it happened in plain sight on April 19. Inside a single 24-hour window, DeFi protocols saw roughly $10 billion in total value locked walk out the door, as risk-averse depositors pulled capital from every vault, bridge, and liquid staking product that shared any infrastructure with Drift or Kelp.

That $10 billion outflow is the largest single-day DeFi drawdown since Terra collapsed in May 2022. The symbolism matters. Terra was a protocol design failure. This is a trust failure, and trust failures price in faster. Users are not waiting for the next Security Council to get phished before yanking their funds.

Contagion in DeFi used to take weeks. This round took hours.

Why Lazarus Group Sanctions Have Not Slowed the Bleeding

Lazarus Group has been laundering stolen crypto into North Korea’s nuclear weapons program for the better part of a decade, a pattern confirmed in multiple Lazarus sanctions designations from the US Treasury’s Office of Foreign Assets Control. Sanctions have not stopped the group. They have not even slowed the cadence. If anything, the April 2026 hacks suggest the operation has gotten better at picking targets.

The playbook TRM calls ‘Slow Stalk’ reads like a corporate penetration test turned criminal enterprise. Scout a protocol for weeks. Identify the privileged signers. Build a plausible cover story, often a trading firm or an institutional partner. Walk the signers into authorizing something they do not fully understand. Execute during off-peak hours. Launder through mixers before the forensic teams wake up.

Every one of those steps happens outside the smart contract layer. That is why on-chain audits, however thorough, cannot catch this class of exploit alone.

What the 2026 Year-to-Date Numbers Really Say

The YTD crypto hack total now sits at $771.8 million across 47 separate incidents in four and a half months. At that pace, 2026 clears 2024’s full-year hack total before the end of Q3. That is not a statistical blip. That is a trendline.

Every DeFi protocol still running 2024-era multisig security is now a target. The Bybit heist last year should have been the wake-up call. It was not. Drift and Kelp are the aftershocks of an industry that collectively decided the lesson could wait another cycle.

The April 2026 crypto hacks number is a warning shot, and the next big name on the list is probably already being stalked.

Every DeFi protocol still running 2024-era multisig security is now an active target.

— TRM Labs analyst commentary

Frequently Asked Questions

What caused the April 2026 crypto hacks to reach $606 million?

Two mega-heists account for $577 million of the total. Drift Protocol lost $285 million on April 1 after Lazarus Group socially engineered its Security Council into pre-signing durable nonce transactions. Kelp DAO lost $292 million on April 18 through a forged LayerZero EndpointV2 message on the rsETH adapter.

How did the Lazarus Group attack Drift Protocol?

Lazarus operatives posed as a quantitative trading firm for roughly three weeks, building trust with Drift’s Security Council. They talked signers into pre-signing durable nonce transactions, then deployed a wash-traded fake token called CVT to inflate collateral and drained the main vaults in about 12 minutes.

What is the Kelp DAO LayerZero hack?

An attacker forged cross-chain messages that fooled LayerZero’s EndpointV2 lzReceive function into minting illegitimate rsETH on the destination chain. The attacker then swapped the fake rsETH for real tokens and bridged the proceeds through mixers before Kelp froze vaults two hours later.

Why does the $10 billion TVL drop matter?

DeFi shed roughly $10 billion in total value locked on April 19, the largest single-day outflow since Terra’s May 2022 collapse. It signals users are pricing a new risk premium into every protocol sharing infrastructure with Drift or Kelp, and that trust failures now propagate in hours rather than weeks.

This article is for informational purposes only and does not constitute investment advice. Every investment and trading decision involves risk. Readers should conduct their own research before making any financial decisions.

Admin

The TheCryptoWorld Editorial Team delivers timely cryptocurrency news, press release coverage, and market updates from across the digital asset ecosystem. Our editorial desk monitors developments around the clock to ensure our readers stay informed about the latest in Bitcoin, Ethereum, altcoins, DeFi, and blockchain technology. Each piece published under the Editorial Team byline is reviewed for accuracy and editorial standards by our senior editors.
3 Comments
Jay Tanaka
1 month ago

606M in 18 days and we’re not even at month end. Lazarus is running circles around every audit firm on the planet.

Caleb Mitchell
1 month ago

Curious how TRM tied both Drift and Kelp to the same cluster. Was it shared deposit addresses on Tornado, or onchain behavioral fingerprinting? The Kelp $292M number feels too clean for a single exploit, wondering if that includes restaked ETH at peg or post-depeg value.

Mia Thornton
1 month ago

been in this since the Ronin bridge in 22 and nothing changes. same playbook, same group, bigger numbers. protocols still treating opsec like an afterthought until the wallet drains.
