Capital Flow / FinTech & Future Assets

Crypto and DeFi Security Incidents Surge in April 2026: DefiLlama Counts 29, CertiK Estimates $651 Million in Losses

According to three sources, April 2026 became a high-frequency month for crypto project hacks. DefiLlama counted 29 incidents, while CertiK estimated related losses at about $651 million. All three sources mention large incidents involving Drift and Kelp/KelpDAO, but they differ on details, loss attribution, and project naming; some information cannot be confirmed from the provided sources.

TSO brief

  • According to three sources, April 2026 became a high-frequency month for crypto project hacks. DefiLlama counted 29 incidents, while CertiK estimated related losses at about $651 million. All three sources mention large incidents involving Drift and Kelp/KelpDAO, but they differ on details, loss attribution, and project naming; some information cannot be confirmed from the provided sources.
  • Capital Flow · FinTech & Future Assets
  • May 6, 2026
TSO noteEach article is checked against independent reporting. The original source links are listed with the analysis so readers can inspect the evidence directly.

Source transparency

Original reporting sources

  1. April Was the Worst Ever Month on Record for Crypto Hacks - Gizmodogizmodo.com
  2. Week in review: record hacks and rising activity on Ethereum - ForkLogforklog.com
  3. 76% of All Crypto Stolen in 2026 Is Now in North Korea - Dark Readingwww.darkreading.com

Top-line views from three sources and TSO verification conclusion:

  • Source 1 (Gizmodo) says April was “the worst month ever for crypto project hacks,” with DefiLlama tracking 29 incidents and losses of $651 million.

  • Source 2 (ForkLog) says DefiLlama analysts recorded “more than 20” incidents in April, CertiK estimated total losses at $651 million, and listed major cases including Kelp, Drift Protocol, and Rhea Lend.

  • Source 3 (Dark Reading) says two DeFi incidents close to the $300 million level occurred in early April and around April 18, involving Drift and Kelp.

TSO verification conclusion: the three sources broadly agree on the core judgment that crypto/DeFi security incidents surged sharply in April 2026 and that losses reached the $651 million range; however, they do not fully agree on the total number of incidents, project naming, or how losses were attributed. More detailed attack background, specific attack vectors, responsible parties, and whether all figures use the same statistical basis cannot be confirmed from the provided sources.

Facts confirmed by all sources:

  1. Crypto/DeFi security incidents clearly peaked in April 2026.

  2. DefiLlama is one of the statistical sources mentioned by all three.

  3. CertiK’s total loss estimate was about $651 million.

  4. Drift and Kelp/KelpDAO-related incidents were mentioned by multiple sources and were among the largest attacks.

  5. Source 1 explicitly says this was the “worst monthly loss since March 2022”; this wording appears only in Source 1 and is not cross-confirmed by the other sources.

Main differences or inconsistencies:

  1. Different counts for total incidents:

    • Source 1 says DefiLlama counted 29 incidents.

    • Source 2 says DefiLlama analysts recorded “more than 20” incidents.

    • Source 3 gives no total count.
      This suggests the sources may have used different summary angles or different updated versions of the data, so an exact single number cannot be confirmed from the available materials alone.

  2. Differences in loss attribution and project names:

    • Source 2 lists Kelp at $292 million, Drift Protocol at $280 million, and Rhea Lend at $18.4 million.

    • Source 3 says Drift suffered losses of “nearly $300 million” on April 1, and Kelp suffered “nearly $300 million” on April 18.

    • Source 1 gives only the total loss figure of $651 million and no project breakdown.
      Therefore, the loss amount for each individual project and whether the reports refer to the exact same incident framework cannot be fully confirmed from the provided sources.

  3. Differences in how the projects are referred to:

    • Source 2 uses “Kelp” and “Drift Protocol.”

    • Source 3 refers to “Kelp” as a DeFi platform and does not write it as “KelpDAO.”

    • The user summary mentions “Kelp/KelpDAO,” but the “DAO” suffix does not appear in all three source texts, so it cannot be confirmed from the provided sources.

Background and analysis:
The April 2026 security wave is described in all three sources as a concentrated outbreak of major incidents. The available information shows that DefiLlama and CertiK each highlighted a different dimension of the anomaly: DefiLlama emphasized the record number of hacks, while CertiK emphasized monthly losses reaching $651 million.
From the reporting structure, all three sources focus on a small number of large incidents, suggesting that the monthly total may have been driven mainly by a few major attacks. However, aside from Drift, Kelp, and Rhea Lend, the provided sources do not include enough detail on the remaining incidents to determine whether there was a broader chain-reaction risk.
In addition, Source 1’s reference to the “highest monthly loss since March 2022” appears only in that source. Because the other two sources do not mention it, it can only be retained as a single-source statement and not as a cross-verified conclusion.

Three-source summary of views:

  • Source 1 (Gizmodo): April was one of the worst months for crypto hacks, with DefiLlama counting 29 incidents and losses of $651 million.

  • Source 2 (ForkLog): More than 20 hacks were recorded in April, CertiK estimated losses at $651 million, and the largest cases included Kelp, Drift Protocol, and Rhea Lend.

  • Source 3 (Dark Reading): In early April and around April 18, the Drift and Kelp DeFi incidents each approached $300 million, pushing up the amount stolen in crypto during 2026.

Conclusion:
Taken together, the three sources confirm that crypto/DeFi security incidents surged significantly in April 2026 and that monthly losses reached the $651 million range. What cannot be confirmed are the exact incident count, the fully consistent loss breakdown for each major case, and more specific project labels such as “KelpDAO.” Based on the available sources, these discrepancies should be preserved as “not mentioned in the source” or “cannot be confirmed from the provided sources.”

Capital Flow