DeFi Emerges as a Primary Target for Hacking Attacks

In April 2026, the cryptocurrency world experienced one of its darkest periods. In just one month, a staggering 28 to 30 hacking incidents occurred, resulting in an enormous loss of $625 million (approximately 860 billion Korean Won). This figure is 3.7 times the total loss of $165 million recorded in the first quarter of the same year, marking it as the month with the highest number of hacking incidents in cryptocurrency history. This shocking figure, compiled by blockchain data analytics platform DefiLlama, starkly exposed the security vulnerabilities within the decentralized finance (DeFi) sector. What implications does this situation hold?

The most notable incidents were the hacks of Solana-based Drift Protocol and Ethereum-based KelpDAO. Drift Protocol suffered a loss of $285 million in a hack on April 1st, while KelpDAO was attacked on April 18th using a LayerZero bridge message-spoofing technique, incurring damages of $293 million. These two major incidents alone accounted for a staggering 93% of the total losses, marking them as some of the worst hacking events in cryptocurrency history. The impact was further amplified by the revelation that the attack on Drift Protocol was linked to the Lazarus Group, a notorious North Korean hacking collective.

The Drift Protocol hack was not merely an attack on technical vulnerabilities. The Lazarus Group employed social engineering tactics, targeting protocol administrators and developers. Analysis suggests they impersonated trusted individuals or used sophisticated phishing emails and messages to gain access to internal systems.

In contrast, the KelpDAO hack was a technical attack that exploited structural vulnerabilities in a cross-chain bridge. Attackers exploited the message delivery mechanism of the LayerZero bridge to execute message spoofing, thereby disguising fraudulent transactions as legitimate ones to siphon off large sums of money.
This case highlights the critical importance of security verification for cross-chain technology.

However, large-scale hacking incidents are not the only concern. Simultaneously, numerous small to medium-sized hacking incidents, each under $5 million, occurred, including $18.4 million stolen from Rhea Finance, $15 million from Grinex, and $3.5 million from Volo Vault. According to DefiLlama data, there were dozens of such smaller attacks, each targeting the DeFi ecosystem in different ways. These attacks targeted various vulnerable points within the DeFi ecosystem, such as lending pools, vaults, staking contracts, oracle configurations, and cross-chain bridges. This clearly indicates a very broad attack surface and suggests that DeFi platforms have not yet fully implemented comprehensive security systems commensurate with their asset volumes.

Particularly noteworthy is the increasing number of attacks on lending pools and staking contracts. These systems are designed to pool user assets to provide liquidity or generate interest, but logical errors in smart contracts or insufficient verification make them prime targets for hackers. Furthermore, oracle systems, which deliver real-time data from outside the blockchain to smart contracts, can lead to massive losses if data manipulation or delay attacks occur during this process. Analysis suggests that many of the smaller hacks in April precisely targeted these structural vulnerabilities.

Experts point to the organized and sophisticated operations of North Korean-linked hackers as a major cause of these incidents. According to a report by TRM Labs, approximately 76% of all cryptocurrency hacking losses in 2026 were attributed to North Korean hackers. This goes beyond mere statistics, clearly demonstrating that the perpetrators of cryptocurrency theft are not opportunistic individual hackers but state-level organizations with dedicated personnel and long-term objectives.
These are not mere hackers but state-sponsored actors operating to circumvent financial sanctions or acquire foreign currency.

Even more concerning is their cunning use of artificial intelligence (AI) technology. The report indicates that hackers have developed methods to bypass KYC (Know Your Customer) procedures using deepfake technology and voice cloning tools, with instances of these tools being sold on the dark web. For example, methods have been observed where the faces and voices of actual project stakeholders are replicated using AI to build trust during video conferences or voice calls, subsequently leading victims to click malicious links or divulge sensitive information. This demonstrates an evolution beyond exploiting simple technical loopholes, moving towards a new dimension of threat that combines advanced technology with psychology.

Evolving Cyber Threats: North Korean Hackers and AI Technology

The cryptocurrency market is experiencing explosive growth with the influx of massive capital. While decentralization and security are considered core v