April 2026 is one of the darkest months in the history of cryptocurrency decentralized finance (DeFi), with total losses exceeding $630 million. Core statistical data shows total losses of approximately $634 million, a explosive increase from $59.5 million in March.

Number of incidents: 31 independent attack events occurred in a single month, setting a new record for the number of security vulnerabilities.
Capital flight: Due to a collapse in security confidence, approximately $13 billion in DeFi funds have fled en masse.
Two major attack incidents account for 92% of the losses this month, both attributed to North Korean hacker group Lazarus Group:
Kelp DAO (4/18): Loss: $292 million (about 116.5k rsETH).
Method: Exploited a cross-chain message verification vulnerability in LayerZero.
Impact: Triggered bad debt risks in protocols like Aave and a withdrawal wave worth billions of dollars.
Drift Protocol (4/1): Loss: $285 million.
Method: Hackers lurked for about six months conducting "structured intelligence operations," using privileged access to carry out attacks.
Other notable incidents:
Rhea Finance (4/16): A NEAR ecosystem lending protocol lost $18.4 million.
Grinex (4/16): A Russia-related trading platform lost about $15 million.
Hyperbridge (4/13): Cross-chain verification vulnerability caused a loss of $2.5 million.
These events reflect a shift in hacker attacks from simple code vulnerabilities to more complex social engineering and long-term infiltration. Investors should pay closer attention to protocol centralization risks and multi-signature mechanisms.