In April 2026, Kelp DAO was hacked for $292 million. The attacker used uncollateralized tokens to borrow real assets on Aave, resulting in over $200 million in bad debt in just 46 minutes.

This was just one of many hacks this year, with Drift hacked for $285 million, Step Finance for around $30 million, Resolv Labs for around $23 million. News of hacks kept coming one after another, with the industry barely having time to react before the next project was hacked.

Is there a pattern behind these events? How do hackers attack protocols?

This article reviews the 20 most representative historical and recent hack cases, attempting to find answers.

Based on the 20 cases we compiled, three clear patterns can be seen:

· Most cases involve technical vulnerabilities, but the individual losses are relatively limited; incidents of permission and social engineering attacks are fewer but contribute the vast majority of the total loss.

· The scale of permission-based attacks is escalating. In the 20 cases, the four largest loss events all involved the hand of North Korean hackers.

· The battlefield of technical vulnerabilities is shifting, and cross-chain bridges have never been secure.

I. Top 10 Projects with the Largest Hacked Amounts

1. Project Name: Bybit (Hacked Amount: $1.5B | Time: February 2025)

Hack Reason:

The North Korean hacker group Lazarus Group (FBI and ZachXBT high-confidence attribution, operation codenamed "TraderTraitor") hacked Bybit's Safe Wallet's multi-signature mechanism through front-end UI hijacking + multi-signature fraud.

The attackers first infiltrated the core developers' devices at Bybit, injected malicious JavaScript code into the wallet's front end. When the multi-signature holders (6 signers) executed a routine cold wallet transfer, the UI displayed the correct receiving address and amount, but the underlying Call Data was tampered with, redirecting 401,000 ETH to the attacker's address. Under the deception of "out of sight, out of mind," 3 out of the 6 signers approved the transaction, and the funds were lost instantly.

Root Cause: The multi-signature relied on human-machine interaction, and the frontend's failure to independently verify led to a breakdown in mathematical security; Tether froze the related USDT within hours, while Circle delayed freezing USDC for 24 hours, exacerbating the loss. This event exposed the deadly threat of social engineering and UI attacks on centralized exchanges, leading to the emergence of transaction validation networks like Safenet.

This event bears a striking resemblance to the Drift Protocol incident in April 2026 ($285M): targeted social engineering to build trust, followed by UI/signing fraud, signaling a shift for hackers from contract vulnerabilities to "human-machine weaknesses."

In the aftermath, Bybit promptly utilized its own funds to fully compensate for all losses, ensuring zero losses for users, and the platform is currently running smoothly.

2. Project Name: Ronin Network (Stolen Amount: $624M | Date: March 2022)

Theft Reason:

The North Korean hacker group Lazarus Group successfully took full control of the validation node's private keys through social engineering and backdoor means.

The attackers breached the internal systems of Sky Mavis and exploited a backdoor in the gas-free RPC node to control 5 out of 9 validation nodes (including 4 Sky Mavis nodes and 1 Axie DAO node). They then crafted two fraudulent withdrawal transactions, illegally extracting 173,600 ETH and 25.5M USDC.

The fundamental reason for this incident lies in the design of the cross-chain bridge, where validation power is highly concentrated in a few nodes. With the threshold of 5 signatures out of 9 nodes required to complete operations, it proved practically futile in the face of targeted social engineering attacks.

3. Project Name: Poly Network (Stolen Amount: $611M | Date: August 2021)

Theft Reason:

The core reason for the Poly Network hack was a severe vulnerability in the permission management design of the cross-chain contract.

The attacker exploited the relationship between the EthCrossChainManager and EthCrossChainData, two high-privilege contracts, to forge an executable function call.

Due to the EthCrossChainManager having the permission to modify the Keeper's public key and the _method parameter used in the call being customizable by the user, the attacker successfully exploited a hash collision to call the putCurEpochConPubKeyBytes function, which was originally intended to be executed only by high-privileged accounts.

As a result, the attacker replaced their public key with the legitimate manager's public key, gained control of cross-chain assets, and ultimately withdrew funds from multiple chains.

4. Project Name: Wormhole (Amount Stolen: $326M | Date: February 2022)

Reason for the Theft:

Normally, when a user wants to transfer assets from one chain to another, the system must first confirm that the assets have indeed been deposited and the related signatures are indeed genuine and valid. Only then will the corresponding assets be generated on the other chain.

The issue with Wormhole lies in the "signature verification" step. Wormhole's code used an outdated and insecure function to check if a transaction is valid. This function was originally intended to confirm whether the signature verification was completed at the system level. However, its checks were not rigorous, providing an opportunity for attackers.

Exploiting this vulnerability, the attacker forged a set of information that appeared to have already been "verified," tricking the system into believing that the cross-chain operation was genuine. In other words, the system should have first confirmed whether the money had indeed been locked in, but because the verification step was bypassed, the system directly trusted the false proof submitted by the attacker.

Consequently, the attacker minted a large amount of wETH out of thin air without actually depositing sufficient assets. After generating these assets, they were further withdrawn and exchanged, resulting in a loss of approximately $326 million for Wormhole.

5. Project Name: Drift Protocol (Amount Stolen: $285M | Date: April 2026)

Reason for the Theft:

The DPRK hacker group engaged in a six-month targeted infiltration, combining it with the Solana Durable Nonce presign scam to execute the attack.

Starting from the fall of 2025, attackers masqueraded as a quant trading firm, establishing offline trust with Drift contributors at multiple international crypto conferences and investing over a million dollars into the Ecosystem Vault to build credibility. Once trust was gained, the attackers induced Security Council members to pre-sign multiple transactions that appeared harmless: leveraging Solana's Durable Nonce mechanism to conceal ownership transfer instructions. Meanwhile, Drift had just completed the migration to instant finality multi-sig, eliminating the window for post-execution detection and intervention.

After gaining control of the protocol, the attackers minted a fake token called CVT with only a few hundred dollars in real liquidity, created a price illusion through wash trading, and then deposited 500 million CVT as collateral into the protocol, borrowing 285 million USDC, SOL, and ETH. The entire execution phase lasted only 12 minutes.

Drift's official attribution, along with the SEAL 911 security team, classified this attack with "medium to high confidence" as being linked to a DPRK-affiliated group (a North Korea-backed hacking organization). The actual executors were not citizens of North Korea but third-party intermediaries controlled by them who facilitated offline contact.

6. Project Name: WazirX (Stolen Amount: $235M | Date: July 2024)

Attack Vector:

The core of this attack lies in the gradual compromise of a multi-sig wallet, eventually swapped with a malicious contract.

The attackers initially gained partial signers' permissions through phishing and other means (including direct compromises and induced signatures). Building upon this, they misled other signers through a forged interface, resulting in their unwitting approval of malicious transactions.

Upon collecting enough signatures, the attackers did not directly transfer the assets. Instead, they utilized the multi-sig wallet's upgradability mechanism to execute a contract upgrade, replacing the original implementation contract with their deployed malicious contract.

Once this malicious contract was set with new execution logic, all subsequent transactions were redirected, continuously siphoning funds to the attackers' address. Eventually, full control of the multi-sig wallet was seized, and on-chain assets were progressively drained.

7. Project Name: Cetus (Stolen Amount: $223M | Date: May 2025)

Reason for Theft:

This attack originated from an arithmetic overflow vulnerability in the protocol's liquidity calculation.

Specifically, Cetus had a boundary check error in the mathematical functions used for handling large number calculations. When a value reached the critical point, the system failed to recognize an upcoming overflow, continued with the calculation, and resulted in abnormally amplified outcomes.

The attacker constructed a series of operations around this:

First, they created extreme price conditions through large transactions, then established liquidity positions in a specific range, depositing only a minimal amount of assets (dust level). Under these conditions, the overflow issue in the contract was triggered, causing the system to erroneously believe the attacker should receive a liquidity share far greater than the actual input.

Subsequently, the attacker used these amplified shares to execute liquidity removal operations, extracting a significantly larger amount of assets from the pool than initially deposited. This entire process could be repeated, continually draining the pool of funds and resulting in significant losses.

8. Project Name: Gala Games (Amount Stolen: $216M | Date: May 2024)

Reason for Theft:

The core of this attack revolved around the compromise of a high-privilege minting account's private key due to ineffective access controls.

While Gala's contract itself had permission restrictions on the mint function, one of the accounts holding minting privileges (minter account) had its private key compromised by the attacker. This account had remained unused for an extended period but retained full high privileges.

Upon gaining control of this account, the attacker directly called the contract's minting function, minting approximately 5 billion GALA tokens and transferring them to a personal address. Subsequently, the attacker gradually exchanged these tokens on the market for ETH, liquidating the assets.

No smart contract vulnerabilities were exploited throughout the entire process; instead, malicious actions were carried out directly through legitimate privileges.

9. Project Name: Mixin Network (Amount Stolen: $200M | Date: September 2023)

Reason for Theft:

The crux of this attack was that Mixin stored the private keys in a centrally managed cloud database.

Mixin Network claims to be maintained by 35 mainnet nodes, supporting cross-chain transfers for 48 blockchains. However, its hot wallet and the private keys of numerous deposit addresses are stored in a "recoverable manner" in a third-party cloud service provider's database. In the early hours of September 23, 2023, an attacker breached this database and extracted these private keys in bulk.

Upon obtaining the private keys, the attacker did not need to crack any smart contract logic but could directly initiate transfers with legitimate signatures. On-chain records show that the attacker systematically emptied addresses in descending order of balance, involving over 10,000 transactions over several hours. The primary assets affected included approximately $95.3 million in ETH, $23.7 million in BTC, and $23.6 million in USDT, with the USDT promptly exchanged for DAI to evade freezing.

10. Project Name: Euler Finance (Amount Stolen: $197M | Date: March 2023)

Theft Cause:

The core of this attack lies in inconsistencies in the protocol's internal asset and liability calculation logic, which were heavily exploited through a flash loan.

Specifically, Euler's DonateToReserve function, when executed, only destroyed the eToken representing the collateral asset, without synchronously destroying the dToken representing the debt, breaking the correspondence between "collateral" and "liability" in the system.

In this scenario, the protocol mistakenly perceived a reduction in collateral assets, a change in the debt structure, leading to an abnormal asset state.

The attacker constructed a complete set of operations around this:

By first borrowing a large sum through a flash loan, the attacker performed deposits and borrowings within the protocol, continually adjusting the quantity relationship between eToken and dToken. Exploiting the aforementioned logic flaw, the system consistently produced incorrect asset/liability states, thereby obtaining a borrowing limit exceeding the actual collateral capability.

After gaining disproportionately increased borrowing capacity, the attacker then withdrew funds in batches, completing transfers using various assets (DAI, USDC, stETH, wBTC). The entire process occurred in a single transaction and amplified gains through multiple operations, ultimately resulting in a loss of approximately $197 million.

II. Recent Theft Incidents of 10 Projects

1. Project Name: Hyperbridge (Stolen Amount: Approximately $2.5 million, April 2026)

Reason for the Theft:

The core of this event was a vulnerability in the Token Gateway's proof verification logic.

The attacker exploited a flaw in the input validation of the MMR (Merkle Mountain Range) proof, forging a cross-chain proof that should have been rejected. Due to a system error that incorrectly treated this invalid proof as valid, the attacker gained control of the Ethereum bridged DOT contract and minted approximately 1 billion counterfeit bridged DOT, which was then dumped on a DEX.

Furthermore, the attack affected DOT pools on Ethereum, Avalanche, BNB Chain, and Arbitrum. The initial estimated loss of about $237,000 was later revised to around $2.5 million.

2. Project Name: Venus Protocol (Stolen Amount: Approximately $3.7 to $5 million, March 2026)

Reason for the Theft:

The core of this attack was the ability to bypass supply cap validation and manipulate the exchange rate calculation logic.

Specifically, Venus calculated the market funds by directly reading the actual balance from the contract using balanceOf(), while the supply cap check was only performed during the mint() process.

The attacker bypassed the mint() process by transferring underlying assets (via ERC-20 transfer) directly to the vToken contract, circumventing the supply cap validation.

As these funds were accounted for in the contract balance, the system believed the pool's assets had increased when calculating the exchange rate, even though the corresponding vToken amount had not increased, causing the exchange rate to be artificially inflated.

In this scenario, the attacker's original collateral value was magnified, granting them significantly more borrowing power than they actually possessed.

Subsequently, the attacker leveraged this inflated collateral value to engage in a cycle of borrowing, price pumping, and further borrowing, extracting various assets from the protocol and resulting in approximately a $5 million loss.

3. Project Name: Resolv Labs (Amount Stolen: Approximately $23-25 million, March 2026)

Theft Reason:

The core of this attack was the compromise of a crucial signing key and the lack of an upper limit check for minting on the on-chain contract.

Resolv's USR minting process relies on an off-chain service: users submit a request, which is then signed by a system holding a privileged key (SERVICE_ROLE), and finally the minting is executed by the contract.

However, the contract only checks for "signature validity" and does not verify the "reasonableness of the minted amount," nor does it have a collateral ratio, a price oracle, or a maximum minting restriction.

The attacker breached the project's cloud infrastructure, obtained this signing key, and was able to generate valid signatures.

Having the signing authority, the attacker used a small amount of USDC (around $100,000–200,000) as input, faked the parameters, and directly minted around 80 million USR without any collateral backing.

Subsequently, these uncollateralized USR tokens were rapidly exchanged for other stablecoins and ultimately converted to ETH. The funds were gradually withdrawn, while a significant increase in the token supply caused the USR price to quickly deviate from its peg.

4. Project Name: Saga (Amount Stolen: Approximately $7 million, January 2026)

Theft Reason:

The core of this attack was a flaw in the EVM precompile bridge's validation logic.

SagaEVM used an EVM implementation based on Ethermint, and the code contained an undiscovered vulnerability that affected the transaction verification logic of the cross-chain bridge.

By crafting specific transactions, the attacker bypassed the bridge's checks for "whether the collateral asset has been deposited" and "the stablecoin's supply limit."

In the absence of the verified conditions, the system treated these forged messages as legitimate cross-chain operations and proceeded to mint the corresponding amount of stablecoins. With no real collateral backing, the attacker could mint a large amount of stablecoins at no cost and exchange them for the protocol's real assets.

Ultimately, the protocol funds were continuously drained, the stablecoin was unpegged, and about $7 million in assets were transferred out.

5. Project Name: Solv (Stolen Amount: Approximately $2.5 million, March 2026)

Theft Reason:

The core of this attack revolved around a double-minting vulnerability in the BRO Vault contract (triggered by reentrancy).

Specifically, when the contract received ERC-3525 assets, it would call doSafeTransferIn, and ERC-3525, based on ERC-721, would trigger the onERC721Received callback during the secure transfer process.

In this process, the contract minted once in the main flow and triggered another mint operation in the callback function.

Since the callback occurred before the first mint was fully completed, the attacker could trigger two minting operations in a single deposit, creating a typical reentrancy path. By repeatedly exploiting this vulnerability, the attacker amplified a small amount of assets into a large amount of BRO, exchanged it for SolvBTC, and transferred out.

6. Project Name: Aave (Indirectly Affected, Estimated Bad Debt Exposure of Approximately $177 million to $236 million, April 2026)

Theft Reason:

The direct vulnerability in this incident was not in Aave, but stemmed from the failure of the cross-chain bridge verification mechanism of Kelp DAO.

The attacker sent a forged message to the LayerZero-based cross-chain bridge, causing the system to erroneously release and mint about 116,500 rsETH without actual ETH deposits. These rsETH had no real asset backing but were used as regular collateral in the system.

Subsequently, the attacker deposited these uncollateralized rsETH into Aave as collateral and borrowed a significant amount of real assets (WETH). Due to Aave's parameter settings allowing large-scale collateralization and borrowing, the attacker quickly borrowed and transferred out funds.

The end result: The attacker shifted the risk to Aave through the "fake collateral → borrow real assets" method, leading to a significant bad debt situation.

7. Project Name: YieldBlox (Stolen Amount: Approximately $10.2 million, February 2026)

Reason for the Theft:

The core of this attack lies in the ability to manipulate the oracle price through a single transaction (low liquidity + VWAP mechanism).

Prior to the attack, the USTRY/USDC trading pair had almost no liquidity, and there were no normal trades within the oracle price window. The Reflector oracle used by YieldBlox is based on VWAP (Volume-Weighted Average Price). In this scenario, a single transaction can determine the price.

The attacker first placed an extreme price (around 500 USDC per USTRY) and then used another account to execute a trade with a very small volume (only about 0.05 USTRY), successfully pushing the oracle price up to around $106.

After the price was inflated, the USTRY held by the attacker was considered high-value collateral by the system, granting them a borrowing limit far exceeding its actual value. Subsequently, the attacker borrowed all the assets in the pool (XLM and USDC) and completed the fund withdrawal.

8. Project Name: Step Finance (Stolen Amount: Approximately $30 million to $40 million, January 2026)

Reason for the Theft:

The core of this attack lies in the compromise of a project core team member's device, leading to a breach of private keys or the signature process.

The attacker gained access to the project's control wallet by compromising a key team member's device. This access may have involved directly obtaining the private keys or interfering with transaction signing processes through the implantation of malicious software, enabling the attacker to approve malicious transactions without the knowledge of the team.

Upon gaining control, the attacker operated on multiple Solana wallets controlled by the project, including unstaking assets and transferring funds. There were no smart contract vulnerabilities exploited throughout the process; instead, the attacker directly utilized the acquired wallet permissions to facilitate the fund movement.

Ultimately, a significant amount of the project's funds were transferred out, resulting in approximately a $30-40 million loss and a substantial drop in token price.

9. Project Name: Truebit (Stolen Amount: Approximately $26 million, January 2026)

Incident Cause:

The core of this attack was an integer overflow vulnerability in the TRU purchase pricing function.

During the price calculation in buyTRU(), which involves multiple large number multiplications and additions, the contract was compiled using Solidity 0.6.10, which does not have overflow checks enabled by default.

When the attacker passed in a specific large parameter, an overflow occurred in intermediate calculations, causing the value to wrap around and resulting in the final purchase price being abnormally reduced, even to 0.

In this scenario, the attacker was able to buy a large amount of TRU at a very low or even zero cost.

Meanwhile, the protocol's sell logic (sellTRU()) continued to calculate based on normal rules, allowing for proportional exchange of the ETH reserve in the contract.

The attacker then proceeded with the following steps:

Low/zero-price purchase of TRU → Selling at the normal price → Withdrawing ETH

Through multiple rounds of operations continuously draining funds from the protocol, approximately $26 million in losses were incurred.

10. Project Name: Makina (Amount Stolen: Approximately $4.1 million, January 2026)

Incident Cause:

The core of this attack was relying on external Curve pool data for AUM/sharePrice calculation without proper validation, which was manipulated through a flash loan.

The attacker borrowed a significant amount via a flash loan, temporarily injected liquidity into multiple Curve pools, and conducted trades to artificially alter the pool's state and related calculation results (such as LP value, withdraw calculations, etc.).

These manipulated data were directly used by the protocol for AUM (Assets Under Management) calculation, further impacting the sharePrice.

Due to the lack of effective validation or time-weighted processing of external data, the system treated this abnormal data as authentic, resulting in:

· AUM being significantly inflated

· sharePrice being disproportionately amplified

After the sharePrice was artificially inflated, the attacker conducted an arbitrage attack to swap out assets in the DUSD/USDC pool, thereby profiting from the price difference.

III. 20 Common Patterns and Insights from Theft Incidents

From these 20 incidents, we can actually see an increasingly clear trend: there are ultimately only two paths for hackers to steal large amounts of assets: technical vulnerabilities and social engineering.

1. Technical Vulnerabilities: Looking at the timeline of technical vulnerability cases, a clear migration path can be seen.

Early technical vulnerabilities were highly concentrated in cross-chain bridges. During that phase, cross-chain bridges were the infrastructure of DeFi that expanded the fastest, had the newest code, and underwent the weakest audits. They carried a large amount of assets but had not yet been vigorously tested.

Subsequently, the industry began to focus on the security of cross-chain bridges, and verification mechanisms were generally strengthened, leading to a significant decrease in large-scale cross-chain bridge vulnerabilities. However, the vulnerabilities did not disappear; they simply moved to a different place—shifting to the mathematical logic, oracle design, and third-party library dependencies within DeFi protocols.

· Cetus: Mathematical library boundary condition error,

· Truebit: Integer overflow in the old compiler,

· YieldBlox: Overreliance of the oracle on low liquidity markets.

At the core of this is only one thing: the attack surface always follows the assets, the novelty of the code, and the audit coverage blind spots. A certain type of infrastructure is heavily attacked, the industry begins to focus on it, defenses are strengthened, and then attackers move to the next fastest-growing, most vulnerable area.

2. Social Engineering: Among these 20 theft cases, 4 have been confirmed or highly attributed to the North Korean state hacker groups—Ronin, WazirX, Bybit, Drift—resulting in a total loss of over $2.5 billion.

According to Chainalysis data, North Korea-associated hacker groups stole over $2 billion in crypto assets in 2025 alone, accounting for nearly 60% of the total global crypto theft that year. Compared to 2024, North Korean hacker attacks decreased by 74%, but the average amount stolen per attack increased significantly.

The tactics of North Korean hackers continue to escalate, from direct intrusions into internal systems during the Ronin era, to supply chain attacks on Bybit, and further to six months of offline penetration by Drift, each time finding new ways beyond existing defenses.

Of greater concern, North Korean hackers have also been widely infiltrating the global cryptocurrency industry by posing as developers. Once inside the target company, these individuals familiarize themselves with the internal system architecture, gain access to the codebase, and stealthily implant backdoors into the production code.

The scope of the theft is expanding: In earlier theft events, the impact was mostly limited to the protocol itself. However, as DeFi's composability deepens, the impact of a single breach begins to spread outward.

· Drift: Following the theft, at least 20 protocols relying on its liquidity or strategy experienced interruptions, pauses, or direct losses, with Carrot Protocol seeing a 50% TVL impact.

· Aave: The Aave contract itself was completely fine, but simply accepting Kelp DAO's rsETH as collateral led to a direct propagation of bad debt risk due to a failure in an external bridge validation.

These patterns ultimately point to one reality: Depositing assets into a protocol entails trusting not only the code of that protocol but also every external asset it relies on, every third-party service, and the judgment and operational security of the few individuals with administrative permissions.

Recently, theft news has been coming one after another. Polymarket launched a market this month asking, "Have there been any crypto projects stolen over 100 million this year?" but the market settled in less than a month. This is not coincidental. As the scale of DeFi assets grows and interdependence between protocols deepens, the ability to safeguard these assets has not kept pace with this rate of expansion.

The pressure for security has not eased, yet the dimensions of threats are increasing. In April 2026, Anthropic's Claude Mythos Preview found thousands of critical vulnerabilities in every mainstream operating system and browser during testing, capable of transforming 72% of known vulnerabilities into exploitable attack paths.

Once this capability is systematically applied to scan smart contracts, vulnerabilities in the DeFi industry will be discovered and exploited at an unprecedented speed. At the same time, project teams can proactively leverage this tool for self-assessment, identify and remediate potential risks early, and further enhance their security defenses.

For regular users, these cases offer several direct insights:

1. Avoid concentrating assets in a single protocol. While diversification cannot eliminate risk entirely, it can help control the upper limit of a single loss.

2. Maintain Distance from New Protocols. Most technical vulnerabilities are discovered early after the protocol launches. A protocol that has been running for two years, undergone multiple audits, and real-world stress tests is much safer than a protocol that offers high yields right after launch.

3. Whether the Protocol is Truly Profitable. Looking at a protocol's ability to make money, it only has real compensation capabilities when losses occur. Protocols that rely on token incentives to function and do not have real revenue streams themselves often resort to solutions such as minting new tokens or making empty promises when things go wrong.

A truly mature financial infrastructure does not let security always take a back seat to growth metrics. Until that day comes, news of hacks will not cease.