In the first 20 days of April, decentralized finance lost more than $600 million to hackers, with two of the year's biggest exploits hitting in three weeks.
That puts 2026 on pace for one of the worst stretches in DeFi's history, just as more retail investors are starting to use the protocols for yield.
Kelp DAO, a liquid restaking protocol, lost roughly $293 million on April 19 in the largest DeFi exploit of the year so far. Liquid restaking lets users earn yield on cryptocurrencies like Ether by locking them up to help secure other networks.
The attacker exploited the LayerZero cross-chain messaging system Kelp relied on, then pushed the laundered funds through Tornado Cash. The protocol froze deposits and withdrawals within an hour, and Aave - the largest DeFi lender, with more than $20 billion locked up - quickly froze its rsETH markets to stop the contagion.
Aave's own native token still fell 20% during Asian trading hours that day. Three weeks earlier, on April 1, Drift Protocol on Solana lost $285 million in a separate attack, with authorities pointing to North Korea-linked hackers running a months-long social engineering operation.
Stablecoin issuer Tether helped recover $147.5 million for affected Drift users, but most of the money is still gone.
Most DeFi exploits in 2026 fall into a few buckets, with compromised private keys still leading the way - a recent industry report tied nearly a quarter of incidents to brute force attacks on keys.
The newer threat is social engineering, where North Korea-linked groups used AI-driven phishing to compromise Zerion, the crypto wallet app, walking away with $100,000 from internal hot wallets. CoW Swap, a popular DEX aggregator, lost $1.2 million after attackers tricked its domain provider into handing over control of the company's website.
The smaller hits add up too:
DeFi pitches itself as the alternative to traditional finance, but the security model is still being tested in real time with real money.
The Kelp incident put pressure on Aave, the largest DeFi lender, while the Drift incident pulled a foreign government into the conversation. Both events tell investors the same thing: in DeFi, every counterparty is also a potential attack surface.
For investors holding DeFi tokens or using DeFi protocols, position sizing matters more than ever. The yields can be real, but so are the tail risks.
Curve founder Michael Egorov has called for an industry-wide DeFi security standard, and whether the protocols agree on one before the next nine-figure hack is the open question for the rest of 2026.
Non taxable income is money you earn that the IRS does not tax - like Roth IRA cash, muni bond interest, and certain investment gains. The U.S. tax code taxes workers, investors, and business owners at very different rates. Tools like Roth accounts, muni bonds, and real estate write-offs can help you keep more of what you earn.
You've probably heard the term "meme stock" thrown around on […]
