Crypto exploit losses surged to roughly $651 million in April, according to CertiK data, making it one of the worst months for Web3 security in years.
CertiK Alert reported during the month that April losses had already exceeded $633 million, marking the highest monthly total since March 2022, excluding February 2025, when the Bybit hack heavily distorted industry-wide figures. The final April figure was later reported at around $651 million, including about $3.5 million attributed to phishing.
So far, April has seen losses of over ~$633M, the highest losses since March 2022 (~$715M), excluding Feb 2025 (Bybit).
Losses are largely concentrated on the KelpDAO and Drift Protocol hacks, with initial losses of ~$576M.
— CertiK Alert (@CertiKAlert) April 24, 2026
The headline number is alarming, but the pattern behind it matters even more. April was not defined by dozens of small attacks adding up slowly. It was driven by a handful of major incidents that caused outsized damage across the market.
A Few Large Attacks Did Most of the Damage
The biggest lesson from April is concentration risk.
Crypto.news reported that two major April incidents, a $293 million Kelp DAO breach and a roughly $280 million Drift Protocol hack, accounted for most of the month’s losses. Those two incidents alone represented more than half a billion dollars in damage.
That is why April felt different from a normal bad month for crypto security. Frequent phishing scams and smaller protocol bugs are always a problem, but catastrophic infrastructure-level attacks can change the entire monthly loss picture overnight.
KuCoin’s summary of CertiK data also noted that April losses exceeded $633 million and were driven largely by the Kelp DAO and Drift incidents, which together accounted for roughly $576 million.
For DeFi users, that concentration is unsettling. It means a single weakness in a major protocol, bridge, validator setup or privileged access system can create damage far beyond the original target.
Phishing Was Smaller, But Still Dangerous
Phishing accounted for around $3.5 million of April’s total losses.
That is small compared with the headline $651 million figure, but it should not be ignored. Phishing remains one of the most persistent threats in crypto because it targets users directly rather than code. A smart contract can be audited, but a user can still be tricked into signing a malicious transaction.
CertiK has warned that phishing, deepfakes, supply-chain compromises and cross-chain vulnerabilities are expected to remain major crypto security threats in 2026. The firm’s senior blockchain investigator Natalie Newson told Cointelegraph that attackers are becoming more sophisticated as they combine social engineering with infrastructure-level weaknesses.
That combination is especially dangerous. A phishing attack can compromise an individual wallet. A supply-chain attack can compromise tools used by many projects. A cross-chain vulnerability can spread risk across multiple networks.
Cross-Chain Infrastructure Is Still a Weak Point
April’s biggest incidents also highlight a recurring problem in DeFi: cross-chain complexity.
Crypto.news reported that the Kelp DAO exploit was linked to a failure involving LayerZero’s cross-chain messaging infrastructure, while the Drift Protocol attack was a separate incident rather than part of the same failure. Whether the root cause is bridge security, message verification, key management or privileged access, cross-chain systems remain attractive targets because they sit between ecosystems and often control large pools of value.
The promise of DeFi is composability. Protocols connect to other protocols, assets move between chains and users expect liquidity to travel freely. But every connection adds another surface for attackers.
That is the uncomfortable trade-off. More interoperability can make crypto more useful, but it can also make failures travel faster.
Why April Was the Worst Since 2022, With One Exception
The historical comparison is important.
CertiK Alert said April recorded the highest losses since March 2022, excluding February 2025, when the Bybit hack dominated the data. March 2022 was the month of the Ronin Bridge hack, one of the largest crypto exploits ever, with losses around $625 million at the time.
That puts April’s $651 million estimate in a serious category. This was not just another volatile month for crypto crime. It was close to the scale of some of the industry’s most infamous security failures.
The comparison also shows how crypto security risk has changed. In earlier cycles, bridges and smart contract exploits dominated headlines. Now, attackers are also leaning into supply-chain compromise, AI-assisted social engineering, phishing and operational weaknesses.
AI Is Making Security Harder
One of the emerging themes in CertiK’s 2026 warnings is the role of artificial intelligence.
AI can help defenders scan code, detect anomalies and triage bug reports. But it can also help attackers create more convincing phishing messages, automate reconnaissance and produce deepfake audio or video for social engineering.
CoinMarketCap Academy, citing CertiK’s recent security warnings, reported that phishing attacks, real-time deepfakes, supply-chain breaches and cross-chain vulnerabilities are among the threat vectors expected to drive major hacks this year.
That is especially relevant for teams managing treasury wallets, multisigs and governance systems. A deepfake or fake internal message does not need to fool the entire company. It only needs to fool the right person at the wrong moment.
What DeFi Projects Need to Watch Now
April’s losses show that DeFi security needs to go beyond basic smart contract audits.
Audits are still essential, but they are not enough by themselves. Projects also need stronger key management, limits on privileged roles, better monitoring, emergency response plans, cross-chain risk reviews and stricter internal processes around deployments.
Users should also be more cautious with approvals, wallet signatures and links shared through social media or messaging apps. A large protocol exploit may dominate headlines, but individual users are still regularly drained through phishing and malicious approvals.
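One concrete version of that caution is to decode what a transaction actually does before signing it. The check below is an added example written for this article, not code from CertiK, Kelp DAO, Drift or any wallet vendor. It inspects the `data` field of a pending transaction, decodes the two approval calls that phishing drains most often rely on, and blocks unlimited approvals to spenders that are not on an allowlist. The two function selectors are the real Ethereum ABI selectors for approve(address,uint256) and setApprovalForAll(address,bool); every address, allowlist entry and sample transaction is constructed for the example.

```python
"""Pre-signing check for token approval calldata.

Added example for this article; not code from CertiK, Kelp DAO, Drift or any
wallet vendor. Before a wallet signs a transaction, decode the `data` field
and flag approvals that hand a spender unlimited control of a token, which is
how most phishing drains work. The selectors are the real ABI selectors; the
addresses and transactions below are constructed.
"""

UINT256_MAX = (1 << 256) - 1
# First 4 bytes of keccak256 of the canonical function signature.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)


def _words(data_hex, count):
    """Split the ABI-encoded arguments into 32-byte words; reject odd lengths."""
    body = data_hex[8:]
    if len(body) != 64 * count:
        raise ValueError("unexpected calldata length")
    return [body[i:i + 64] for i in range(0, len(body), 64)]


def _address(word):
    """ABI addresses are left-padded to 32 bytes; non-zero padding is a red flag."""
    if word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return "0x" + word[24:]


def inspect_calldata(data, trusted_spenders=frozenset()):
    """Classify one transaction's calldata.

    Returns None for calls that are not approvals, otherwise a dict with the
    decoded fields and a verdict: "allow", "warn" or "block".
    """
    data_hex = data.lower().removeprefix("0x")
    selector = data_hex[:8]
    trusted = {a.lower() for a in trusted_spenders}
    try:
        if selector == APPROVE:
            spender_word, amount_word = _words(data_hex, 2)
            spender = _address(spender_word)
            amount = int(amount_word, 16)
            unlimited = amount == UINT256_MAX
            if amount == 0:
                verdict = "allow"  # revoking an allowance is always fine
            elif spender in trusted:
                verdict = "warn" if unlimited else "allow"  # even known routers get a nudge
            else:
                verdict = "block" if unlimited else "warn"
            return {"kind": "approve", "spender": spender,
                    "unlimited": unlimited, "verdict": verdict}
        if selector == SET_APPROVAL_FOR_ALL:
            operator_word, flag_word = _words(data_hex, 2)
            operator = _address(operator_word)
            flag = int(flag_word, 16)
            if flag not in (0, 1):
                raise ValueError("bool word is not 0 or 1")
            if flag == 0:
                verdict = "allow"  # revocation
            else:
                # Blanket NFT approval: unlimited by definition.
                verdict = "warn" if operator in trusted else "block"
            return {"kind": "setApprovalForAll", "spender": operator,
                    "unlimited": bool(flag), "verdict": verdict}
    except ValueError as exc:
        # Malformed encoding is itself suspicious: refuse rather than guess.
        return {"kind": "malformed", "spender": None, "unlimited": None,
                "verdict": "block", "reason": str(exc)}
    return None


# Constructed addresses and sample transactions (data field only); not real on-chain calls.
TRUSTED_ROUTER = "0x" + "11" * 20
DRAINER = "0x" + "dd" * 20
SAMPLE_TXS = {
    "unlimited_to_unknown": "0x" + APPROVE + "00" * 12 + "dd" * 20 + "ff" * 32,
    "limited_to_trusted":   "0x" + APPROVE + "00" * 12 + "11" * 20 + format(10**18, "064x"),
    "nft_blanket_approval": "0x" + SET_APPROVAL_FOR_ALL + "00" * 12 + "dd" * 20 + "00" * 31 + "01",
    "plain_transfer":       "0xa9059cbb" + "00" * 12 + "22" * 20 + format(5 * 10**18, "064x"),
    "dirty_padding":        "0x" + APPROVE + "01" + "00" * 11 + "dd" * 20 + "ff" * 32,
}


def review(txs=SAMPLE_TXS, trusted=frozenset({TRUSTED_ROUTER})):
    """Run the check over a batch of transactions; returns {name: result}."""
    return {name: inspect_calldata(data, trusted) for name, data in txs.items()}


if __name__ == "__main__":
    for name, result in review().items():
        print(f"{name:22s} -> {result}")
```

The allowlist is deliberately the caller's responsibility: a wallet or signing policy knows which routers and vaults a user legitimately interacts with, and anything outside that set asking for an unlimited allowance is exactly the signature a phishing page wants. The same decode-before-sign habit applies to treasury multisigs, where a reviewer should see the decoded spender and amount rather than a raw hex blob.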
The April data should push teams to ask harder questions. What happens if one signer is compromised? What happens if a cross-chain message is spoofed? What happens if a vendor tool is attacked? What happens if a fake internal request reaches the treasury team?
Those questions are not theoretical anymore.
The Bottom Line
April was one of the most expensive months for crypto security since 2022.
CertiK’s reported $651 million in losses shows that the industry is still vulnerable to catastrophic failures, especially when large DeFi systems, cross-chain infrastructure and privileged access controls are involved. The $3.5 million phishing figure was much smaller, but it shows user-targeted attacks remain a steady threat.
The message for the market is clear. Crypto security is not only about code. It is about infrastructure, people, permissions, vendors and response time.
If DeFi wants to keep attracting serious capital, April cannot be treated as just another bad month. It has to become a warning sign that security standards need to rise before the next major exploit hits.
Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or legal advice. Always conduct your own research before making any investment decisions.