The Money Overview

April 2026 is the worst month for crypto hacks on record — $606 million stolen in just 18 days

Twelve attacks in 18 days. Over $606 million drained from crypto protocols. And April 2026 is not over yet.

Between April 1 and April 18, hackers hit restaking services, cross-chain bridges, network-layer infrastructure, and at least one centralized platform, racking up losses at a pace of roughly $33.7 million per day. That makes this month the most destructive for digital asset theft since the Bybit breach in February 2025, when approximately $1.4 billion was stolen in a single exploit. According to figures compiled by Yahoo Finance, the April total already exceeds the combined losses from the entire first quarter of 2026 by nearly four times, though the underlying quarterly dataset has not been published for independent review.

With almost two weeks left in the month, the damage is still growing.

The attacks: KelpDAO, Ice Open Network, and ten more

CryptoTimes reports that the 12 confirmed incidents spanned a wide range of targets. No single protocol type was spared.

The largest single blow came from the KelpDAO exploit, an attack on the restaking protocol severe enough on its own to push the monthly aggregate from alarming to record-setting. Early aggregator estimates place the KelpDAO loss in the hundreds of millions of dollars, but that range has not been corroborated by on-chain audits from forensic firms such as PeckShield or CertiK. Neither KelpDAO nor independent investigators have published a post-mortem. What preliminary reports do suggest is that the exploit targeted weaknesses in contract logic and oracle design, a recurring vulnerability pattern in protocols that layer complex yield strategies on top of one another.

A separate attack struck the Ice Open Network through a completely different vector. Rather than targeting smart contract code, an insider reportedly leaked user emails and two-factor authentication credentials, according to Cryptopolitan. The Ice team has not released a public incident report confirming the full scope of the compromise, and no second outlet has independently verified the details. That leaves affected users uncertain whether the leaked 2FA data could enable future account takeovers or whether the breach resulted in direct financial losses.

Beyond those two incidents, the remaining ten attacks have received only limited public coverage. Early reports reference exploits against a cross-chain bridge aggregator, a lending market on an Ethereum Layer 2, and several smaller DeFi vaults, but none of these projects have issued official post-mortems confirming individual loss figures. Some may involve active investigations that limit public disclosure.

How the market reacted

DeFi protocols absorbed the worst of the financial damage. Total value locked across affected platforms slid as confidence eroded, and liquidity providers began pulling capital from higher-risk pools. According to Bitget Research, market participants responded in ways that have become grimly familiar after large-scale hacks: moving assets to cold storage, migrating to larger and more established platforms, and cutting leverage. Spreads widened. Caution replaced appetite.

The ripple effects extended beyond the exploited protocols themselves. For an industry that spent much of early 2026 rebuilding confidence after the Bybit fallout, the April wave landed at the worst possible moment.

What the $606 million figure does and does not tell us

The $606 million total, while cited consistently across CryptoTimes, Yahoo Finance, and Bitget Research, has not been independently verified by a major forensic firm such as Chainalysis, PeckShield, or CertiK. Each outlet appears to draw from similar aggregation dashboards rather than published on-chain transaction audits. That convergence suggests the number is directionally accurate, but it could shift as partial recoveries surface or previously undetected exploits come to light.

Some outlets report “$606 million” while others say “over $606 million.” The gap reflects the fluid nature of on-chain accounting: stolen tokens are typically valued at the moment of the hack, but prices can swing sharply as attackers dump assets. Initial estimates are frequently revised, sometimes downward after white-hat negotiations, sometimes upward when investigators discover additional compromised wallets. Readers should treat the headline number as a close approximation, not a final audited sum.

Several critical questions remain unanswered as of late April 2026. How much of the stolen total is recoverable? How much came from user wallets versus protocol treasuries? Have stablecoin issuers like Tether or Circle frozen any of the stolen assets? Have major exchanges flagged or blocked attacker wallets? No public statements from law enforcement agencies, financial regulators, or stablecoin issuers addressing the April hack wave have surfaced so far.

Why the pace keeps accelerating

A cluster of 12 hacks in 18 days, spanning both DeFi smart contracts and centralized infrastructure, points to something more systemic than a run of bad luck. The pattern is familiar but intensifying: rapid protocol innovation outpaces security review, complex composability layers create attack surfaces that no single audit can fully map, and internal access controls at smaller teams remain alarmingly loose.

The comparison to Q1 2026 sharpens the point. If the sector lost more in 18 days than in the preceding 90, attackers are scaling their operations faster than defenders can respond. Bug bounty programs, third-party audits, and formal verification tools exist, but adoption remains uneven. Projects racing to launch new features or capture yield often treat security as a cost to minimize rather than infrastructure to maintain. The Ice breach, where a single insider could expose user emails and 2FA credentials, illustrates how even basic internal controls can be absent at projects managing significant user funds. Meanwhile, the KelpDAO exploit shows that layered composability in restaking protocols can create blind spots that standard audits fail to catch.

What April 2026 demands from protocols before May

The final tally for April 2026 will only become clear after forensic firms finish their work and affected projects release detailed reports. But even at this stage, the numbers have already forced a question the industry has repeatedly deferred: whether the pace of innovation can coexist with the level of security that real money demands.

Twelve exploits in 18 days. No published forensic breakdown from a major analytics firm. No confirmed law enforcement response. Only two incidents described in any detail by the press. That combination of scale and opacity should change how protocols budget for security, how users evaluate where they deposit funds, and how quickly the industry expects accountability after a breach. April 2026 is not just a record. It is a stress test, and so far the industry is failing it.

Daniel Harper

Daniel is a finance writer covering personal finance topics including budgeting, credit, and beginner investing. He began his career contributing to his Substack, where he covered consumer finance trends and practical money topics for everyday readers. Since then, he has written for a range of personal finance blogs and fintech platforms, focusing on clear, straightforward content that helps readers make more informed financial decisions.