BlockBeats News, April 29th - April 2026 has become the worst month for the crypto industry in terms of losses since Bybit was hacked for $1.4 billion in February 2025. According to DeFiLlama data, as of April 18th, within just 18 days, 12 security incidents resulted in a total loss of over $606 million, equivalent to 3.7 times the total losses in the first quarter.
On April 1st, Drift Protocol, a perpetual contract protocol in the Solana ecosystem, suffered a $285 million attack. Starting in the fall of 2025, the attacker penetrated the team through social engineering, built trust with security council members over the course of months, and induced them to pre-sign multiple seemingly harmless transactions. The attacker ultimately completed two transactions, one second apart, to transfer permissions and drain liquidity.
On April 18th, the LayerZero cross-chain bridge of KelpDAO, an Ethereum liquidity rehypothecation protocol, was breached, and 116,500 rsETH tokens (approximately $292 million) were stolen. The attacker, belonging to the North Korean Lazarus Group's TraderTraitor subunit, then deposited the stolen funds into lending platforms such as Aave, borrowing around $190 million in real assets. This led to Aave facing over $123 million in defaults, causing the DeFi ecosystem's total value locked (TVL) to evaporate by over $13 billion within 48 hours.
Furthermore, in late April, several small protocols experienced security incidents one after another. Although the amount of funds lost was not large, the industry's confidence in DeFi security has been significantly shaken.
On one hand, North Korean hackers have shifted from "technical challenges" to "human penetration." The attack chain began with a fake Zoom meeting link, and AI is now being put to practical use in social engineering.
On the other hand, top AI models, represented by Anthropic's new Mythos model, have become a new variable in shifting the balance of power between offense and defense. This model's general code reasoning capability has greatly improved, enabling it to autonomously discover thousands of zero-day vulnerabilities, including a 27-year-old crash bug in OpenBSD, and to link multiple low-level vulnerabilities into a complete attack chain.
A more immediate threat is that a large part of the code in the current DeFi ecosystem was deployed before the emergence of modern code reasoning models. Attackers can now leverage AI tools to scan for legacy configuration defects systematically and inexpensively, while the defense side's AI auditing tools have not yet been fully integrated. This "attackers first with AI, defenders playing catch-up" time gap constitutes the most dangerous window of opportunity at present.
