April 2026 turned into a record-breaking month in the worst way — more hacks, bigger DeFi losses, and rare protocol-level intervention to freeze stolen assets. Global Ledger has analyzed 25 major hacks, as well as smaller incidents, to assess the scale of losses and their impact.
Key Takeaways
- $641.67M stolen in April 2026 — the highest monthly total this year and one of the largest since the Bybit hack.
- DeFi became the primary attack vector: the two biggest DeFi hacks make up about 88% of total April losses.
- Attack execution was extremely fast: the stolen funds were fully consolidated in under 2 hours (KelpDAO), and ~$285M was drained in about 10 seconds (Drift).
DeFi Hits Record Losses in Hacks
In April, hackers stole $641.67 million, setting a record for 2026. This is one of the highest monthly totals since the Bybit hack.
DeFi accounted for the majority of losses. However, the overall total is skewed by two large incidents: the KelpDAO ($293 million) and Drift protocol ($285 million) hacks. Together, they represent about 88% of total April losses.
List of Hacks in April
- Aftermath Finance — $1.14M
- Judao — $228K
- Singularity Finance — $413K
- ZetaChain — $300K
- Scallop Lend — $150K
- Purrlend — $1.5M
- Giddy — $1.3M
- Kipseli — $80K
- Volo Vault — $3.5M
- Thetanuts Finance — $50K
- Juicebox V3 — $52K
- KelpDAO — $293M
- Grinex — $19.4M
- Rhea Lend — $18.4M
- Zerion Wallet — $100K
- MONA — $60.95K
- Dango — $410K
- SubQuery Network — $60K
- Hyperbridge — $2.5M
- Aethir — $423K
- BSC TMM/USDT — $1.67M
- Silo V2 — $392K
- Drift Protocol — $285M
- LML/USDT staking protocol — $950K
- Wasabi protocol — $4.6M
Here’s a more in-depth analysis of the top three exploits that made the headlines.
Three Hacks Make Up Over 93% of Total Losses in April
Just three major hacks — KelpDAO, Drift protocol, and Grinex — accounted for $598.1 million in losses, which is more than 93% of total losses.
KelpDAO hack: The largest 2026 incident, freeze, and court case
The KelpDAO hack is the largest and most notable hack of this year — not only because of the amount stolen but also because it triggered one of the few large-scale freezes.
Attackers stole around 116,500 rsETH (about $293 million) by exploiting LayerZero, a cross-chain messaging layer. This triggered the release of about 18% of the total rsETH supply. The stolen funds were then used as collateral across platforms, allowing the attackers to borrow ~$236 million.
The attack was fast: the first transaction happened 1 minute 48 seconds after it started, and full consolidation into the attacker’s wallet took just under 2 hours.
We have traced the funds that were sent to the Bitcoin network via THORChain. 16.13150026 ETH ($37.5K) was swapped into 0.48699566 BTC ($37.3K) and sent to a wallet used in the Bybit hack laundering.
After the hack, Arbitrum’s Security Council moved about 30,766 ETH (over $71 million) linked to the exploit into a governance-controlled wallet. About 4 hours after the freeze, the hacker started moving stolen funds on Ethereum.
Later, Arbitrum voted to unfreeze the ETH, but the court blocked the DAO from moving the 30,766 ETH after the funds were linked to North Korea.
Drift protocol hack: 9 days to prepare, 10 seconds to drain $285M
Drift protocol lost almost 50% of its TVL ($285 million) in nearly 11 minutes. The attack was prepared over 9 days. During this time, the hacker created durable nonce accounts to make pre-signed transactions at a specific time, got 2/5 multisig approvals to control protocol permissions, and made a test withdrawal of 10,000 USDC from the Drift vault. It took them about a minute to get control over protocol permissions and about 10 seconds to drain more than 15 different asset types.
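A monitoring rule for the preparation pattern described above, as an added example that is not part of the original report or of Drift's code. It correlates three signals inside one window: a durable nonce account being created, approvals on one multisig proposal signed against such a nonce reaching the threshold, and a small withdrawal to a first-seen recipient. The event schema, all names, the sample data and the 50,000 USD test-withdrawal cutoff are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema and every name in it are hypothetical.
EVENTS = [
    {"ts": "2026-01-01T10:00:00", "kind": "nonce_account_created", "account": "NonceA"},
    {"ts": "2026-01-03T09:30:00", "kind": "multisig_approval", "target": "admin-multisig",
     "proposal": 7, "signer": "Signer1", "nonce_account": "NonceA"},
    {"ts": "2026-01-05T14:00:00", "kind": "multisig_approval", "target": "admin-multisig",
     "proposal": 7, "signer": "Signer2", "nonce_account": "NonceA"},
    {"ts": "2026-01-08T11:00:00", "kind": "vault_withdrawal", "amount_usd": 10_000,
     "recipient": "NewAddr", "recipient_seen_before": False},
    {"ts": "2026-01-08T12:00:00", "kind": "vault_withdrawal", "amount_usd": 250_000,
     "recipient": "KnownDesk", "recipient_seen_before": True},
]
ALL_KINDS = {"nonce_created", "threshold_presigned", "test_withdrawal"}

def precursors(events, threshold, test_max_usd):
    """Reduce raw events to the three preparation signals, in time order."""
    nonces, signers, hits = set(), {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "nonce_account_created":
            nonces.add(e["account"])
            hits.append((ts, "nonce_created", e["account"]))
        elif e["kind"] == "multisig_approval" and e.get("nonce_account") in nonces:
            # Approval signed against a durable nonce: it does not expire with a blockhash.
            key = (e["target"], e["proposal"])
            seen = signers.setdefault(key, set())
            if e["signer"] not in seen:
                seen.add(e["signer"])
                if len(seen) == threshold:
                    hits.append((ts, "threshold_presigned", key))
        elif (e["kind"] == "vault_withdrawal" and e["amount_usd"] <= test_max_usd
              and not e["recipient_seen_before"]):
            hits.append((ts, "test_withdrawal", e["recipient"]))
    return hits

def correlate(events, threshold=2, window=timedelta(days=9), test_max_usd=50_000):
    """Return the hits of the first window containing all three signals, else []."""
    hits = precursors(events, threshold, test_max_usd)
    for i, (t0, _, _) in enumerate(hits):
        in_window = [h for h in hits[i:] if h[0] - t0 <= window]
        if {kind for _, kind, _ in in_window} == ALL_KINDS:
            return in_window
    return []

if __name__ == "__main__":
    for ts, kind, ref in correlate(EVENTS):
        print(ts.isoformat(), kind, ref)
```

Each signal alone is routine activity; the rule only fires when all three land in the same window, which is why the larger withdrawal to a known recipient in the sample data is ignored.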
Other notable DeFi exploits include Rhea Lend ($18.4 million), Volo Vault ($3.5 million), and Hyperbridge ($2.5 million), along with many smaller incidents across lending, staking, and infrastructure protocols.
Grinex: Suspended operations after a hack of over $19 million
Outside of DeFi, one of the most significant incidents was the exploit of Grinex. The sanctioned exchange halted operations after a $19.38 million breach (vs. $15 million initially reported). It attributed the attack to “Western intelligence services”, although the observed behavior, including attempts to cash out A7A5, does not support this claim.
The attack targeted operational and deposit wallets on TRON, compromising user deposit infrastructure. Assets including A7A5, USDT, and TRX were drained simultaneously. The attacker swapped USDT to TRX and consolidated in self-hosted wallets:
- TXK2U…euepy — 352,791,567.14 A7A5 (~$4.42 million)
- TH9kgj…neKVa — 46,093,251.00 TRX (~$14.96 million)
The attacker attempted to off-ramp A7A5 from TXK2U…euepy through TQfMP…VZhRR, but the transaction was blocked by A7A5. The wallet TXK2U…euepy still holds about 352.8 million A7A5, while TH9kgj…neKVa continues to hold 46.09 million TRX from the stolen funds.
Although the sanctioned Grinex has halted operations for now, its A7A5 flows continue. Even indirect links to sanctioned entities deep in the transaction chain can create significant regulatory risks.
To Conclude
The financial impact of individual DeFi attacks has grown massively. Well-prepared hacks targeting high-liquidity protocols generated losses that triggered systemic market reactions, such as $13 billion in DeFi TVL losses.
Massive hacks have forced unprecedented interventions that challenge the core idea of decentralized governance. Protocol-level freezes, such as Arbitrum’s, can stop the movement of stolen funds, but they are uncommon, hard to maintain, and rather slow because of legal limits and governance challenges.
Meanwhile, execution speed and attacker preparation are ahead of the ecosystem’s response capacity. Hackers took their time to prepare and used advanced methods to drain assets in seconds, as in the Drift protocol case.
While laundering is getting faster, crypto compliance is still slow and expensive. Without speed and automation, keeping up with the laundering race only gets harder.