DeFi hacks are exploding: Is there a future for DeFi?

The decentralised finance (DeFi) sector experienced rapid expansion during 2020’s so-called “DeFi summer,” growing from a niche market to a sector valued at around $180 billion. DeFi however is facing growing pressure with major incidents and exploits  becoming larger in terms of losses despite security updates. The year 2026 has become a tough year for the DeFi industry, hurt by many hacks. So far total losses have already crossed $840 million, with bridges accounting for a large share of the damage. These events have  triggered a sharp pullback in investor capital and raised fresh questions over the resilience of blockchain-based DeFi systems

In this blog we will, describe in short de various hacks in 2026, the main targets of the hackers, the way hackers work, the various DeFi vulnerabilities including cross-chain bridge infrastructure and structural weaknesses, and how traditional  financial players are reacting.

DeFi: from popularity to structural vulnerability

DeFi has become popular among crypto investors seeking yield. DeFi grew rapidly by removing intermediaries and offering novel financial products, reaching roughly $130 billion to $140 billion in total value locked. Recent DeFi hacks however suggest heightened vulnerability that distinguishes decentralised finance from traditional banking. Unlike in traditional finance, oversight remains fragmented. While banks can block suspicious transfers, transactions over blockchains can’t be reversed, and hackers have myriad ways of moving stolen funds out of reach. There is no central authority to freeze suspicious transfers before they settle.

DeFi sector and hacks

The DeFi industry has been victim of a growing number of exploits thereby losing billions over the past several  years. Since DeFi entered the crypto area six years ago we have seen cumulative exploit-related losses at over $16.5 billion all-time, with DeFi-specific losses near $7.7 billion and bridge exploits alone accounting for $2.9 billion, according to DeFiLlama. The 10 biggest crypto exchange hacks have collectively stolen over $4.3 billion, with individual attack sizes growing.

Hacks in 2026

2026 is becoming a year in which DeFi are causing great losses especially in the month April. This encompasses cross-chain bridges, decentralised exchanges, derivative protocols, digital wallets underlying infrastructure failures and non-lending DeFi applications. By the end of May cumulative losses from DeFi hacks in 2026 have already succeeded $ 840 million, across more than 50 accidents in just five months (versus 30 over the same window in 2025, a 70% year-over-year increase).

DeFi Hits Record Losses in April Hacks

April 2026 was identified as the single worst month in DeFi’s history, marked by a wave of exploits and hacks and market reactions, primarily driven by DeFi and bridge attacks. Defillama tracked more than 30 separate attacks during the month, almost doubling from the previous month, netting the attackers almost $635 million in total. One of the highest monthly totals since the Bybit hack in February 2025 having a loss of $1.47 billion.

Main hacks in April

April’s DeFi losses were dominated by just two major exploits.  During the month over half a billion dollars in crypto was stolen across KelpDAO ($293 million) and Drift protocol ($285 million), These alone caused 95% of the month’s total damage, triggering a mass exit from DeFi. They now rank among the top 10 hacks since 2021. These two major incidents exposed structural risk across the DeFi ecosystem, highlighting that vulnerabilities may extend far beyond smart contract risks.

• Drift Protocol

On 1 April, attackers drained roughly $285 million from Drift Protocol, a Solana-based derivatives exchange, due to an elaborate, preplanned attack. The attackers had spent months impersonating a quantitative trading company in order to build credibility with core contributors and trick employees into authorising malicious transactions.  Drift’s Its security council’s multisignature approvals were hijacked through a months-long social-engineering campaign. The Drift team described it as a “structured intelligence operation” that had been in the works for around six months. The attackers manufactured a fictitious token, built an inflated trading record to make it appear legitimate, and used it as collateral to drain real assets in roughly 12 minutes.

• KelpDAO

The biggest single attack in April and the largest and most notable hack of this year hit KelpDAO, a Solado-based restaking protocol, that attracted significant liquidity.  The attack involved social engineering and governance manipulation to drain the protocol, causing significant contagion across lending platforms. On April 18, roughly $292 million was drained after attackers compromised remote procedure call nodes and fed false blockchain data to the protocol’s verifier while launching DDoS attacks on legitimate nodes.

The KelpDAO exploit marked a significant breach within the DeFi sector, involving the unauthorized minting of unbacked rsETH, a liquid token representing restaked ETH,  through a cross-chain bridge vulnerability. The breach was made possible because KelpDAO’s bridge relied on a single-decentralised verifier network setup, requiring only one verifier to approve a cross-chain message, a single point of failure. Criminals manipulated a bridge to seize realm assets and then used those assets as collateral of around $200 million on Aave, one of DeFi’s largest decentralised lending protocol, rather than selling the stolen funds immediately.

Main attackers: North Korea Lazarus Group

North Korean state-linked hackers around the Lazarus Group  have become the dominant force in these two main hacks. It is believed they accounted  for approximately 76% of crypto-related hack losses globally this year including the Drift and KelpDAO heists. The group had previously been connected to the $1.4 billion Bybit hack in February 2025. The sophistication of the April hacks makes it highly likely the attackers used artificial intelligence to select targets and design exploits.

Continued hacks in May

This process continued in May with a broader surge in hacks, adding to a growing wave of DeFi exploits in 2026. During that month the sector recorded several significant breaches, targeting multipole protocols. DeFiLlama data show that 14 DeFi protocols were hit this month, of which eight bridge-related incidents, with collective losses reaching $28 million. These figures are particularly significant because it comes after an already heavy April from this point of view for the DeFi ecosystem.

Though most hacks in May triggered losses that were lower compared to those in April here are some interesting ones including Trusted Volumes, THORChain and Verus Protocol Ethereum Bridge.

• TrustedVolumes

A multi-million-dollar attack has hit the DeFi sector on 7 May after liquidity provider and market maker TrustedVolumes fell victim to a smart contract exploit. The exploit, which occurred on the Ethereum network, after exploiting a vulnerability in the protocol’s core signature validation logic, allowed hackers to bypass authorization checks and forge trading order. This caused losses of more than $6.7 million in stablecoins and wrapped assets.

• THORCHAIN

Decentralized liquidity protocol THORChain  suffered a treasury exploit via a multi-chain exploit on May 15. A breach of one vault reportedly drained more than $10,7 million in protocol-owned funds across at least nine chains. That shifted attention from the immediate loss figure to DeFi’s cross-chain trust model.

• Verus Protocol Ethereum Bridge

On May 18, blockchain security firm Blockaid flagged an active attack on the Verus-Protocol Ethereum Bridge. Verus Protocol’s Ethereum bridge was exploited through a fake cross-chain transfer message. The exploit took advantage of a validation gap between the Verus and the Ethereum sides of the bridge, that let the bridge release funds without properly verifying backing on the Verus side. That allowed a hacker to fraudulently transfer out in digital assets. This resulted in roughly $11.58 million being drained in a matter of minutes.

Outflow  in the DeFi ecosystem

These hack incidents however matter a lot as they directly affect investor confidence and the pace traditional institutions may enter the DeFi environment. They have triggered a sharp pull back in investors capital and raised fresh questions over the resilience of the blockchain based financial system.

These hacks created fear across the crypto market and triggered massive outflows from risky DeFi projects according to Binance Research. According to them  total value locked in DeFi fell by 10.7% in one month, following the two major hacking incidents in April. The sector now holds around $86 billion from just under $100 billion. The outflow came from pools with no direct exposure to compromised assets, according to JPMorgan analysts.

Weighing on institutional appetite

These repeated hack incidents matters because it directly affects investor confidence and the pace of institutional money entering DeFi protocols. According to an April report from JPMorgan bridge security remains a great challenge for the traditional finance industry,  that have increasingly embraced DeFi, raising questions on whether DeFi can support further institutional adoption. These repeated bridge exploits and shrinking yields are making institutions question whether DeFi’s risks still justify the returns.

DeFi and Security vulnerabilities

The string of breaches highlights ongoing security risks across the DeFi sector. These hacker attack and exploit-related incidents have exposed critical vulnerabilities in DeFi,  across interconnected platforms, underscoring how quickly treats are evolving in decentralised finance and the broader blockchain system. The strong interdependence between protocols, bridges, and oracles, suggest a heightened risk landscape for the crypto industry.  Because many projects reuse existing codes, vulnerabilities spread faster through the ecosystem.

Common vulnerabilities across the DeFi industry that lead to such securities breaches include access control vulnerabilities, smart contract laws. a lack of regulatory auditing, outdated two-factor authentication systems and third-party service flaws. At the same time, the interconnectedness of protocols makes attacks harder to manage. These hacks, spanning flawed smart contract logic, cross-chain bridge vulnerabilities, and compromised keys, highlight persistent risks in decentralized finance.

Cross-chain bridge vulnerabilities

The DeFi system has become too interconnected and complex to trace, exposing a crucial systemic vulnerability that the industry has yet to resolve fully. The causes of the hacks revealed that the biggest risks are increasingly tied to bridges, privileged access and operational failures, rather than simple smart contract bugs alone. These hacks have triggered  mounting concerns surrounding bridge and interoperability across the DeFi sector.

Cross chain bridges remain high value targets due to their interconnected design and expanded exposure across multiple networks. A bridge can depend on various layers. A weakness in anyone of those layers can create a path for attackers. Because DeFi relief on composability, where one protocol build on top of another, a single logic error in a core adapter can lead to cascading failures across the entire ecosystem.

Hackers exploit the inherent complexity of bridge architecture and smart contract vulnerabilities, creating  complex validation requirements. Exploiters need only compromise the bridge’s verification mechanism to gain access to pooled liquidity. Many of the largest losses have originated off-chain from operational failure, including compromised private keys, phishing, social engineering and broken bridge logic. This allows attackers to rapidly move stolen assets across network, laundering them through various protocols and making recovery exponentially harder.

Fundamentally changing hack landscape

The hack landscape is radically changing. Whereas DeFi used to be mainly affected by many smaller hacks, large exploits now cause the majority of the damage. Thereby the way hackers work has fundamentally changed. What has shifted is the “sophistication of the attacks. Attackers are focusing more on infrastructure weaknesses, messaging systems and validation gaps between chains

DeFi exploits no longer seem to be improvised operations by individual actors, but truly highly specialized activities. Attackers have shifted their focus from hunting straightforward code vulnerabilities in smart contract code to social engineering, compromised infrastructure, and cross-chain messaging exploits. Attackers in fact thereby use automated tools, advanced smart contract analysis and sophisticated cross-chain movements to maximize profits and complicate tracking.

• Social engineering

The methods behind April’s hacks have essentially changed and are drawing attention on their own. This is marking a fundamental shift away from code-based exploits towards human targeting. Social engineering, private-key compromises and phishing are the single most damaging category in 2026.  Attackers such as those in the DriftProtocol incident thereby used long run social engineering compromise governance, to target humans with access to admin keys, thereby mixing malware-as-a-service, fake video calls, and impersonation.

Impersonation scams surged 1.400% year-over-year in 2026, making social engineering one of the fastest growing crypto threat vectors. Flash loan and price manipulation attacks were thereby the most frequent exploit types, while contract vulnerabilities were the second most common attack type.

• More sophisticated technologies

April’s spike in crypto exploits reflects a shift toward more sophisticated, multi-stage attacks targeting offchain infrastructure rather than smart contract vulnerabilities. Unlike previous years that focused solely on code bugs, this surge in exploits and hacks  is attributed to more sophisticated techniques. These entry points include compromised remote procedure call (RPC) nodes and  breaches of cloud key management systems campaigns.

• Artificial intelligence

Evolving technologies such as artificial intelligence increase the sophistication of cyber attacks. AI-assisted hacking is no longer a distant threat for crypto. Hackers are getting better at scanning software for weaknesses and quickly designing exploits, with the help of widely available AI models, making existing weaknesses easier to identify and exploit.

Hackers may have used AI to help with elements like planning and design, thereby significantly reduce the time needed to identify vulnerabilities. The rise of AI is allowing for unprecedented scale and execution speed in creating real-time deepfakes, phishing attacks, social engineering, supply chain compromises and cross-chain vulnerabilities, much ahead of the DeFi ecosystem’s response capacity.

Regulatory scrutiny

Regulatory scrutiny is also intensifying, particularly around consumer protection and transparency requirements. The coming quarters will test whether DeFi projects adopt more rigorous standards or face further capital flight. Scenarios range from accelerated self-regulation within the industry to more prescriptive oversight in major jurisdictions. Industry-led frameworks may emerge as a middle path between innovation and oversight. Regulatory discussions are likely to intensify, whereby issues like oversight, investor protections, transparency requirements and the role of developers remain key points of debate.  Regulators are expected to focus on disclosure standards and reserve requirements.

Policymakers in the US and elsewhere are advancing proposals to establish clearer frameworks for crypto markets, including how decentralised platforms interact with more traditional, centralised entities.

JP Morgan report

These repeated bridge exploits and shrinking yields are making institutions question whether DeFi’s risks still justify the returns. In an April report JPMorgan said that bridge security remains a challenge for the industry, raising questions on whether DeFi can support further institutional adoption. This directly affects investor confidence and the pace of institutional money entering DeFi protocols. Security exploits are weighing on institutional appetite for DeFi even as broader crypto adoption continues through stablecoins and tokenised assets.

Still, institutions may get into DeFi, but the terms on which they arrive, including full know-your customer checks, custodial controls and tokens that can be frozen at any time,  could reshape it into something that looks a lot more like traditional finance than the open, permissionless system its builders envision.

Building security bridges: Security no longer optional

Security in DeFi continues to lag behind the growing complexity of protocols. The urgency to respond hacking is increasing. Protocols need continuous cross-chain monitoring, independent verifiers, realistic incident grills band infrastructure reviews that treat off-chain components as part of the product rather than back-office plumbing.

It has forced many DeFi platforms to reconsider the open and permissionless systems that once defined the industry. Developers, auditors, and platforms are now under growing pressure to move beyond traditional audits toward real-time threat detection, hardened governance, and decentralized security primitives. DeFi is increasingly moving toward measures such as permissioned access, tighter governance structures, enhanced monitoring systems, and stronger operational controls.

The DeFi industry is at a crossroads where the adoption of formal verification and standardized security frameworks is no longer optional. Pressure on existing security models within DeFi is growing to strengthen their defences via tighter controls and oversight. Industry analysts say the growing involvement of traditional financial institutions in blockchain-based finance is accelerating this trend.

The DeFi market is reacting

The DeFi market is reacting gradually. Proactive security measures, such as formal verification and “flash-loan resistant” architectures, are thereby seen as the only effective defence against permanent capital loss. Emergency controls need clear governance before the emergency arrives. Bridges need multiple independent checks by default.

The industry already has come with various recommendations to make the DeFi industry safer, including refining code security, collateral risk management, oracle mechanisms, liquidation logic, and governance systems. Other recommendations include stricter payload validation, layered verification protections, and emergency pause mechanisms fo unusual outbound transfers. Others argue for bringing traditional insurers into the fold to tackle operational and custody risks off-chain.

Some teams are embedding insurance directly into DeFi products so cover is automatic rather than optional. Cross chain proof systems thereby directly tie transfer execution to authenticated payload data before funds are released. While others are installing software that continuously scans multiple devices connected to a network and alert managers to suspicious patterns, or are expanding its risk framework for collateral to include cybersecurity factors

Forward Looking: is there a future for DeFi?

What does this all mean for interest of traditional financial institutions in DeFi activities?

The core challenge is still there: DeFi’s risk profile is complex and quickly evolving and the insurance industry still lacks robust tools and standards to price it. Though current practices remain insufficient for handling institutional-scale capital, past incidents have prompted incremental improvements to reduce the various vulnerabilities and create a maturing DeFi industry, which industry growth to remain on track.

Without that infrastructure, institutions that do come in will do so on their own terms, demanding full know-your-customer checks, custodial controls and tokens that can be frozen at any time. By doing that the open, permissionless architecture that made DeFi worth building gets stripped to satisfy compliance requirements.