April 2026 was the worst month for crypto security so far this year. Cointelegraph's monthly tally puts losses at over $635 million across 28 separate incidents, a sharp escalation from the slower opening months of the year. The figure was published on May 9, 2026, citing data compiled from on-chain forensics firms and protocol disclosures.
The headline number lands at an awkward moment. Markets are stable, with BTC at $80,386 (+1.0% over 24 hours) and ETH at $2,314 as of May 9, 2026, and the Fear and Greed index sits at a neutral 50. There is no panic in price action, but the security trend underneath is moving the wrong way.
A Month Defined by a Single Outlier
A handful of large incidents drove most of the dollar damage, with the KelpDAO rsETH exploit absorbing a disproportionate share. Aave subsequently froze rsETH markets, liquidated the attacker's collateral, and recovered roughly 90% of the bad debt, but the gross attack size still pushed April's total well past March.
The pattern is familiar. One or two large incidents tend to dominate a month's headline figure, and the long tail of smaller exploits adds incremental losses across access-control bugs, signature replay attacks, phishing of operations staff, and wallet drainers targeting individuals. Twenty-eight incidents in thirty days works out to almost one a day, even before counting unreported ones.
The Money Went to Three Buckets
Most of the April losses cluster in three buckets. Smart contract bugs in lending and liquid staking protocols account for the largest share, with the rsETH collateral mispricing being the clearest example. Access-control failures, where an admin key, multisig signer, or upgrade proxy was compromised, sit second. Drainer kits and phishing aimed at retail wallets fill out the rest.
Cross-chain bridges, historically the largest single category in past years, were quieter in April. That is partly because surviving bridges have hardened their designs and partly because the riskiest ones have already been drained or shut down.
DPRK-linked actors continued to surface in attribution work. Drift's $295 million incident, for which the protocol later published a recovery plan, is an earlier example of how state-aligned groups now operate with industrial scale and persistent infrastructure. Aave separately asked a court to block a $71 million crypto seizure tied to North Korea claims, a sign that legal and forensic processes around stolen funds are getting more contested.
Three Factors Behind April's Spike
Three factors plausibly contributed to the worse month. First, several DeFi protocols pushed new collateral types and integrations live in late Q1, expanding the attack surface before audits and economic safety reviews caught up. The KelpDAO situation fits that pattern. Second, on-chain activity has been climbing as tokenized assets and stablecoin volume grow, which raises the absolute value sitting in any given contract. Third, the attackers themselves have been investing in tooling, with several reused exploit primitives showing up across unrelated protocols within days.
None of these factors look temporary. The base rate of incidents has been creeping up across 2026, and the dollar value at risk per protocol keeps rising as TVL recovers.
Practical Implications for Users
Self-custody users carry more of the risk burden in months like April. A few habits matter more than usual right now. Treat any unfamiliar dApp connection as suspicious, especially fresh deployments asking for token approvals on stablecoins or staked assets. Revoke old approvals on a regular cadence. For balances you are not actively using, move them to a hardware wallet rather than leaving them in a hot wallet that has signed into dozens of dApps over the past year.
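One way to put the approval-revocation habit into practice is to fold a wallet's ERC-20 Approval event logs into the allowances that are still open. The sketch below is an added example, not code from Cointelegraph or any protocol named here. It assumes the logs are dicts shaped like JSON-RPC `eth_getLogs` results with integer `blockNumber` and `logIndex`, and every address and log in it is constructed.

```python
# Added example: fold ERC-20 Approval logs into allowances that are still open.
# APPROVAL_TOPIC is keccak256("Approval(address,address,uint256)"), the event's topic0.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def _addr(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Latest non-zero allowance per (token, spender) granted by owner."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval reuses topic0 but indexes tokenId (4 topics): skip.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(t[1]) != owner.lower():
            continue
        key = (log["address"].lower(), _addr(t[2]))
        latest[key] = (int(log["data"], 16), log["blockNumber"])
    # Events give candidates only: transferFrom can lower an allowance without
    # emitting Approval, so confirm each hit with the token's allowance() call.
    return [
        {"token": tok, "spender": sp, "amount": amt,
         "unlimited": amt == UNLIMITED, "granted_at_block": blk}
        for (tok, sp), (amt, blk) in sorted(latest.items()) if amt > 0
    ]

# Constructed sample data (not real addresses or logs).
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
SPENDER_C, SPENDER_D = "0x" + "cc" * 20, "0x" + "dd" * 20

def _log(block, idx, token, owner, spender, amount, extra=()):
    pad = lambda a: "0x" + "0" * 24 + a[2:]  # address as a 32-byte topic
    return {"blockNumber": block, "logIndex": idx, "address": token, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra]}

SAMPLE_LOGS = [
    _log(150, 1, TOKEN_B, OWNER, SPENDER_D, 0),          # later revocation
    _log(100, 0, TOKEN_A, OWNER, SPENDER_C, UNLIMITED),  # never revoked
    _log(120, 3, TOKEN_B, OWNER, SPENDER_D, 500),        # superseded by the revoke
    _log(130, 2, TOKEN_A, OTHER, SPENDER_C, 1000),       # different owner
    _log(140, 0, TOKEN_A, OWNER, SPENDER_D, 0, extra=[hex(7)]),  # ERC-721 shape
]

if __name__ == "__main__":
    print(open_approvals(SAMPLE_LOGS, OWNER))
```

On the sample data only the unlimited allowance granted at block 100 remains open; the 500-unit grant is cancelled by the later zero-value approval.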
For card users, the relevant exposure is different. Custodial card programs concentrate user balances at the issuer, which makes the issuer's security posture and reserve practices the relevant question rather than smart contract risk. Self-custodial card products that spend directly from a user-controlled wallet shift the trust assumption, but they also push smart contract and signing risk onto the user. Neither model is automatically safer in a month like April. Both require discipline.
For protocols, the case for slower listing standards keeps getting stronger. Aave's overhaul of its collateral and listing process after the KelpDAO incident is the most concrete response so far, and other lending venues will face pressure to follow.
Overview
Crypto security losses for April 2026 totaled more than $635 million across 28 incidents, the worst month of the year so far per Cointelegraph's tally posted May 9, 2026. The KelpDAO rsETH exploit drove much of the dollar damage, with Aave recovering roughly 90% of the resulting bad debt. Smart contract bugs and access-control failures dominated the attack mix, while DPRK-linked groups remained active in larger incidents. The trend through 2026 has been gradually upward, and the practical takeaway for users is to tighten approval hygiene and rethink where idle balances actually sit.








