Overview
- TRM Labs, which released its April findings Thursday, said DPRK-linked actors took about $577 million this year and pushed their cumulative haul above $6 billion since 2017.
- Two April exploits dominated losses: Drift Protocol lost about $285 million on April 1 and KelpDAO lost roughly $292 million on April 18, together making up most of 2026’s hacked value while accounting for a small fraction of incidents.
- TRM Labs said the Drift theft followed months of in-person social engineering of protocol staff and used Solana durable nonces to queue pre-signed withdrawals, with proceeds moved to Ethereum and left dormant.
- Investigators reported that the KelpDAO drain stemmed from compromised internal RPC nodes that fed bad data to a single-verifier bridge, which released about 116,500 rsETH. Arbitrum then froze roughly $75 million, and the rest moved through THORChain to convert ETH to Bitcoin.
- Data firms said April set a record for attack count, with more than 20 exploits and over $600 million stolen, and market stress spread as Aave saw $8.54 billion in deposits pulled in two days and industry groups organized about $300 million in pledges to address a nearly $200 million bad-debt gap.