A hack of a crypto project worth hundreds of millions triggered a capital outflow of billions of dollars from the decentralized finance sector. This has affected the operations of dozens of crypto projects
In less than 24 hours, $6.2 billion in assets nearly 30% of all user deposits: were withdrawn from Aave, the largest lending protocol in the crypto market. The reason for the “exodus” of customers was a hack of the Kelp DAO cross-chain bridge, in which attackers stole $291 million. The incident has been linked to the North Korean group Lazarus Group, which was accused in early April of hacking the Drift crypto protocol for $280 million. We are not even halfway through 2026, but experts have already assessed it as “likely the worst year in terms of hacks.”
The recent incident, if not the largest in terms of damage in the history of the crypto market, is one of the most extensive in terms of the number of protocols involved in the chain of consequences from the hack. Since the start of 2026, losses from DeFi hacks have totaled at least $795 million. At least 30 decentralized finance (DeFi) applications have suspended or restricted protocol operations until the circumstances are clarified and security measures are implemented. This list includes projects such as Aave, Swell, LayerZero, Spark, Curve, Ethena, Morpho, and others.
It is likely that the consequences of the hack could be more serious than the amount of funds stolen. So much so that Tron founder Justin Sun attempted to negotiate with the hackers via X: “How much do you want? Just don’t sacrifice both Aave and Kelp DAO because of this hack.” But as far as is known at the time of publication, his offer has gone unanswered.
And some researchers link the sharp increase in the number of successful attacks to the emergence of powerful neural networks, in particular Mythos. Artificial intelligence allows hackers to automatically find vulnerabilities in smart contracts and scale attacks at an unprecedented speed.
The Kelp Hack
On Saturday, April 18, attackers targeted the Kelp DAO cross-chain bridge, built on the LayerZero infrastructure. By exploiting a vulnerability, they managed to generate 116,500 rsETH, worth $291 million at the time. This is a liquid derivative token that can technically be used in trading operations, just like regular crypto assets. However, unlike most attacks, the hackers did not immediately withdraw the funds into stablecoins but used the stolen tokens for lending operations.
The stolen rsETH was deposited into Aave as collateral. The attackers then borrowed real assets (primarily Ethereum and its wrapped version, WETH), creating what is known as “bad debt.” This immediately impacted the protocol’s liquidity.
As a result, the key Ethereum and WETH pools effectively ran out of all withdrawable funds, and ordinary users who had previously provided liquidity lost the ability to withdraw their deposits.
This situation resembles a classic “bank run,” which is a panic-driven, mass withdrawal of funds by depositors from a bank. This typically occurs due to doubts about the bank’s financial stability, and the more people try to withdraw cash, the higher the likelihood of the bank defaulting.
The head of strategy for the DeFi project Spark, under the pseudonym monetsupply.eth, noted that users began borrowing funds using their stablecoin deposits as collateral in an attempt to save their capital, which only exacerbated the problem.
The market reacted decisively. Although the total market capitalization of the crypto market fell by about 4%, to $2.5 trillion from its peak on the day of the hack by the morning of April 20, about 14% of all user deposits were withdrawn from the DeFi sector during that same period. The total amount of funds locked in the sector stood at about $86 billion by the morning of April 20.
The founder of Defillama, known on X as 0xngmi, noted that the hack led to withdrawals from all lending protocols, even on Solana (the hack is linked to the Ethereum ecosystem). As of April 19, the expert cited figures showing that $6.2 billion was withdrawn from Aave, $716 million from Morpho, $272 million from Sky, and $76 million from JupLend.
Who is behind the hacks?
As it later turned out, the Kelp hack was made possible not so much by flaws in the LayerZero architecture—on which Kelp is based—but rather by Kelp’s own security settings. In its official analysis, LayerZero explicitly pointed to the failure to follow security recommendations in the network node configurations.
The attackers compromised two such nodes by replacing their software and launched a DDoS attack on the remaining nodes, which automatically redirected data to servers controlled by the hackers. LayerZero experts linked the attack to the North Korean Lazarus Group, which was accused in early April of hacking the Drift protocol, resulting in the theft of $285 million. Thus, in just 18 days, the same group siphoned over $575 million from DeFi.
Ledger’s CTO Charles Guillemet emphasized that “it is absolutely certain that these are not some novice hackers,” noting that “2026 is likely the worst year in terms of hacks.”
But without downplaying the seriousness of the incident, experts are not quite so pessimistic. Mikhail Egorov, founder of the major DeFi protocol Curve, views the incident as a painful but useful lesson: “Cryptocurrency is a harsh environment that no bank would survive. I think DeFi will learn from this incident and emerge stronger than before.”
The series of DeFi hacks in April was compounded by hacks of centralized platforms. A few days before the Kelp incident, the Russian crypto exchange Grinex and its affiliated crypto service TokenSpot were hacked. The damage is estimated at $15 million.