This has been one of the worst years on record for decentralized finance hacks, and we're only halfway through.
In the first five months of 2026, DeFi hacks resulted in over $840 million in losses. More than $600 million was stolen in April alone, including two of the year’s largest attacks: the KelpDAO exploit, which caused $292 million in losses, and a $285 million exploit of the Drift Protocol.
Losses continued through May. Thunder Chain security researchers discovered a suspected cross-chain vulnerability affecting over $10 million, leading to a trading halt.
Trusted Volume, Echo Protocol, Step Finance, Truebit, Resolv Labs, Wolo Protocol, Rhea Finance, Verus-Ethereum Bridge, and many other projects have also joined this debacle, turning this list into a stress test of every trust assumption underlying DeFi, according to DeFiLlama data.
Experts who spoke with Decrypt generally agreed with this diagnosis: recent DeFi hacking incidents have exposed structural flaws in the DeFi space, particularly in bridges and management systems, while advancements in artificial intelligence may be helping attackers identify vulnerabilities more quickly.
Natalie Newson, a senior blockchain investigator at the Web3 security platform CertiK, told Decrypt that although April’s cryptocurrency attacks were unusually severe, the overall trend remains relatively stable and below the peak number of incidents in 2023.
"April 2026 was a month of frequent cryptocurrency exploit attacks; only three days passed without an exploit, and at least $10,000 was stolen each day," she said.
“However, from a broader perspective, the number of incidents (excluding phishing) can be said to have remained relatively stable and is still below the 2023 peak,” Newson noted, adding that the severity in April was driven by 14 attacks resulting in losses exceeding $1 million, second only to the 16 such incidents in September 2025.
North Korea factor
Ari Redbord, Head of Global Policy and Government Affairs at TRM Labs, told Decrypt that this [surge] can be traced back to a state actor that evolved over five years from a marginal player into a decisive threat.
Redbord said, "North Korea is the primary driver, and this campaign is becoming increasingly targeted rather than broader." He also noted that actors linked to North Korea accounted for 76% of the global cryptocurrency hacking losses recorded in the first four months of 2026, up from 64% in 2025 and less than 10% in 2020.
He said: "North Korea not only uses technological attacks against the space, but also employs complex and carefully planned social engineering methods."
The largest DeFi hack of the year so far occurred on April 18, when attackers stole approximately 116,500 rsETH from a cross-chain bridge, valued at around $292 million.
LayerZero is the underlying messaging infrastructure provider for this bridging protocol, and in its latest statement, a post-mortem report, the company said the attack began on March 6, when a developer fell victim to a social engineering attack and their session key was stolen.
We will share the incident investigation report we have completed regarding the events of April 18, prepared by @Mandiant and @CrowdStrike. We will post the executive summary and full report at the link below.
Over the past four weeks, we’ve partnered with hundreds of organizations to help them... pic.twitter.com/yVZdqjLTeT
— LayerZero (@LayerZero_Core) May 20, 2026
The cross-chain messaging protocol stated that Mandiant, CrowdStrike, and independent researchers attribute this attack to the North Korean threat actor TraderTraitor, also known as UNC4899.
Redbord added that the structural reasons behind DeFi's ongoing challenges ultimately stem from where funds are held and how they flow.
He noted: "The cross-chain complexity of DeFi makes it an environment full of attack targets—bridges consistently cause the largest single-event losses, and failure modes recur with startling consistency because the core issue is architectural."
Repeating pattern
Raz Niv, co-founder and CTO of Blockaid, told Decrypt that in this year’s largest incidents, three technical patterns repeatedly emerged: privileged access control failures, malicious proxy upgrades (where attackers replace the implementation contract with a backdoored version), and cross-chain message validation vulnerabilities.
Regarding privileged access, Niv stated that the company monitors "anomalous 'role assignment' events and unauthorized privilege escalations," such as the event traced to the Echo Protocol exploit, which resulted from leaked admin keys or misconfigurations.
“The attacker either obtained the private key through social engineering or exploited poorly designed multi-signature thresholds,” he added.
He pointed to failures in privileged access control, malicious proxy upgrades, and cross-chain verification systems, stating that recent attacks have exposed deeper weaknesses in the assumptions underlying increasingly complex infrastructure.
Niv said: “The commonality is not in complexity itself, but in the fact that each layer of abstraction—agents, admin roles, cross-chain messaging—introduces trust assumptions that attackers systematically probe.”
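The monitoring idea described above, checking role assignments and proxy upgrades against a known-good baseline, can be sketched as follows. This is an added example, not code from Blockaid or any project named in the article; the addresses, role names, event field names and the 50-block correlation window are constructed assumptions.

```python
"""Flag unapproved role grants and proxy upgrades in decoded contract events."""

# Out-of-band baseline a team would maintain. Every address, role name and
# field name here is constructed for this example (hypothetical).
MULTISIG = "0x" + "a1" * 20
APPROVED_ROLE_HOLDERS = {"DEFAULT_ADMIN_ROLE": {MULTISIG}, "UPGRADER_ROLE": {MULTISIG}}
APPROVED_IMPLEMENTATIONS = {"0x" + "b1" * 20}
CORRELATION_WINDOW = 50  # blocks between a suspect grant and an upgrade

UNKNOWN = "0x" + "e9" * 20
# Constructed events in the shape of OpenZeppelin's RoleGranted and ERC-1967's
# Upgraded after decoding; "tx_from" is the transaction sender added by the indexer.
SAMPLE_EVENTS = [
    {"block": 1000, "event": "RoleGranted", "role": "UPGRADER_ROLE",
     "account": "0x" + "A1" * 20},
    {"block": 1010, "event": "Upgraded", "implementation": "0x" + "b1" * 20,
     "tx_from": MULTISIG},
    {"block": 2000, "event": "RoleGranted", "role": "DEFAULT_ADMIN_ROLE",
     "account": UNKNOWN},
    {"block": 2012, "event": "Upgraded", "implementation": "0x" + "c7" * 20,
     "tx_from": UNKNOWN},
    {"block": 5000, "event": "Upgraded", "implementation": "0x" + "d4" * 20,
     "tx_from": MULTISIG},
]


def review_events(events, window=CORRELATION_WINDOW):
    """Return (block, rule, severity, subject) alerts for baseline violations."""
    alerts = []
    suspect_grants = {}  # account -> block of its most recent unapproved grant
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["event"] == "RoleGranted":
            account = ev["account"].lower()  # addresses compare case-insensitively
            if account not in APPROVED_ROLE_HOLDERS.get(ev["role"], set()):
                suspect_grants[account] = ev["block"]
                alerts.append((ev["block"], "unapproved-role-grant", "high", account))
        elif ev["event"] == "Upgraded":
            impl = ev["implementation"].lower()
            if impl in APPROVED_IMPLEMENTATIONS:
                continue
            # An upgrade sent by an account that just gained a role is the
            # escalation-then-backdoor chain; rate it above a lone anomaly.
            granted_at = suspect_grants.get(ev["tx_from"].lower())
            chained = granted_at is not None and ev["block"] - granted_at <= window
            alerts.append((ev["block"], "unapproved-implementation",
                           "critical" if chained else "high", impl))
    return alerts


if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS):
        print(alert)
```

Correlating the two event types matters because either signal alone is noisy, while an unapproved grant followed shortly by an upgrade from the same account is rarely benign.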
The impact of artificial intelligence
Niv said that AI is increasingly changing the way vulnerabilities are discovered, but he also warned that AI's impact is often misunderstood.
He stated that current models are becoming increasingly effective at identifying known vulnerabilities at scale and are “automating the work of skilled auditors,” while warning that “the real concern is not AI replacing human attackers,” but rather AI “enhancing attackers’ capabilities” by handling reconnaissance tasks, allowing them to focus on more sophisticated techniques.
“The good news is that defenders can use the same tools. AI-assisted monitoring and simulation are becoming critical for security teams striving to keep pace,” Niv added.
Newson noted that the surge in DeFi hacking attacks has shown a similar trend, saying, "Advancements in artificial intelligence may be one factor contributing to this phenomenon, though it is not the only one."
She added that CertiK has observed an increase in the exploitation of outdated and unverified contracts, leading to the logical conclusion that artificial intelligence is assisting in identifying vulnerabilities.
Similarly, Redbord stated, “Bad actors are deploying artificial intelligence at scale” for reconnaissance, social engineering, and vulnerability exploitation design, adding that the complexity demonstrated in attacks like Drift appears “consistent with AI-assisted workflows.”
TRM analysts believe that North Korean operatives are increasingly integrating AI tools into their operations, stating, "The solution is to deploy AI defensively with the same aggression as the adversary deploys it offensively."
Beyond the code
Redbord said that DeFi hacking attacks are "a solvable problem," but he also noted that the industry needs to be more transparent about where the actual failures are occurring.
He noted that "audits can prevent code vulnerabilities," but cannot guard against sophisticated social engineering attacks like the one on Drift, in which North Korean operatives reportedly spent months gaining access prior to the breach.
The expert added, "An effective model is real-time public-private collaboration."
Newson said 2026 could represent “an evolutionary turning point,” noting that the industry is recognizing cybersecurity as a “full-stack issue,” encompassing “artificial intelligence, North Korea, or infrastructure and people.”
“If your off-chain manual processes have vulnerabilities, even the most perfect on-chain mathematics won’t help,” she said, noting that the industry is increasingly shifting toward “practical structural solutions” to address infrastructure and social engineering risks.
Confidence shaken
The extent of confidence loss in the DeFi space is difficult to quantify, but easy to observe.
The Kelp DAO exploit triggered a $6.2 billion outflow of funds before the rescue operation led by Aave CEO Stani Kulechov, who spearheaded an initiative called "DeFi United" that raised 132,650 ETH, approximately 303 million USD, to cover the bad debt.
This coordinated response demonstrates the industry’s ability to mobilize. It also reveals how much funding is required to cover a bridge theft.
Newson said the consequences depend entirely on who is affected.
“Experienced insiders may view the past six weeks as commonplace—just the new normal of the next phase of development, and a painful experience from which to learn lessons,” she said.
She noted that repeated attacks affect new market participants very differently, warning that for users who suffer significant losses, the consequences are not a "learning experience," but rather raise "existential questions" about the long-term "viability and security" of cryptocurrency, and technical fixes often come too late to recover the losses.

