Crypto Platforms Have Now Lost Over $605 Million to Cyberattacks in Under 20 Days

Kelp DAO, about $292 million

Kelp DAO was the biggest hit of the period. An attacker forged the cross-chain message path that let 116,500 rsETH move without real backing, according to DefiPrime’s reconstruction. Kelp said it had detected suspicious cross-chain activity involving rsETH and paused contracts across mainnet and multiple layer-2 networks.

The damage spread fast because rsETH was already integrated across other DeFi venues. Once the attacker had the tokens, they were pushed into lending protocols as collateral and turned into borrowed ETH. That is what bridge risk looks like when the rest of DeFi is stacked on top of it.

Drift Protocol, about $285 million

Drift Protocol was the other giant hole in the total. Chainalysis and TRM Labs said the attackers spent weeks building trust, then used Solana durable nonces to get Security Council signers to pre-sign malicious admin actions.

The attackers then whitelisted a fake asset called CarbonVote Token as collateral, gave it a manufactured price path, and drained real assets including USDC and JLP. This was not a code failure first. This was an access-control failure that let the system’s own permissions become the weapon.

Grinex, about $13.1 million

Grinex added another roughly $13.1 million to the count. Reuters reported that the Russia-linked exchange said more than 1 billion rubles were stolen in a cyberattack and that operations were suspended.

That figure is one reason the cleanest framing here is still “over $605 million.” Some trackers placed the movement somewhat higher, but the disclosed exchange figure alone is enough to keep the broader total above the threshold.

Rhea Finance, about $7.6 million

Rhea Finance was initially reported at about $7.6 million, with Halborn’s breakdown describing fake token contracts and oracle manipulation. The protocol accepted false pricing inputs as real ones and let the attacker route value out through manipulated pools.

Some assets were later returned and some USDT was frozen, but that does not erase the underlying failure. The important point is that an oracle and validation stack still buckled under fake inputs in a live market.

Hyperbridge, about $2.5 million

Hyperbridge first disclosed a smaller realized loss, but later accounting widened the picture. Its official security update said forged proofs gave the attacker control of the bridged DOT token contract on Ethereum, and a later Polkadot forum update put confirmed realized losses across multiple chains at about $2.5 million.

This was another bridge failure with a familiar shape. A false cross-chain message was treated as legitimate, and the system minted or released value it had no business touching.

Dango, about $1.9 million gross

Dango showed how a basic logic bug can still open a seven-figure hole. A KuCoin summary citing the team said the insurance fund accepted donations without properly checking that the amount was positive, letting an attacker drain roughly $1.9 million in USDC.

Built-in bridge rate limits trapped much of the money on-chain, and the white hat later returned the full amount. The recovery is good for users. The existence of the bug is still a serious indictment.

TMM/USDT, about $1.665 million

The TMM/USDT pair on BNB Chain lost about $1.665 million in a reserve manipulation attack. Halborn’s writeup said the attacker used flash loans, burned TMM to the dead address to distort pool reserves, then traded against the fake price.

The mechanics were technical. The outcome was simple. The pool believed a false balance state, and the attacker cashed out against it.

CoW Swap, about $1.2 million

CoW Swap proved again that a protocol does not need an on-chain exploit to lose money. Cointelegraph reported that CoW DAO told users to stay off the platform after a DNS hijack, and community discussions later put user losses near $1.2 million.

That was the same front-end trap behind countless wallet scams in a bigger wrapper. Users thought they were on the official site and signed what the attacker wanted.

LML/USDT staking protocol, about $950,000

The LML/USDT staking protocol added another roughly $950,000 to the period’s losses after BlockSec-flagged activity pointed to a price design flaw around rewards and manipulated token value.

This is one of the oldest DeFi failure modes in the book. Weak price references still get abused the second real money sits on top of them.

Denaria, about $165,600

Denaria’s April 5 exploit was smaller in dollar terms but not in signal. BlockSec’s weekly roundup put the damage near $165,600 after a post-audit refactor introduced a rounding asymmetry and unsafe conversion path.

That is another ugly reminder that post-audit changes still break live systems, and that small arithmetic mistakes in DeFi can turn into immediate extraction paths.

Zerion, about $100,000

Zerion lost about $100,000 after a team member’s device was compromised in an AI-enabled social-engineering attack, according to CoinEdition. The report said the breach exposed logged-in sessions, credentials, and private keys tied to internal hot wallets.

This is another case that cuts through the industry’s favorite fiction. “Crypto hack” still often means human compromise, not contract wizardry.

Galaxy Digital, under $10,000

TokenPost reported that Galaxy Digital contained unauthorized access in an isolated development workspace with losses under $10,000. Production systems, trading infrastructure, and client accounts were not affected.

The dollar impact was minor. The signal was not. Even firms with better separation between test and production environments are still getting probed.

More incidents landed without confirmed direct losses

Several other incidents from the same period appeared in public trackers without confirmed direct losses, including HypurrFi’s domain issue, the Trust Wallet Discord vanity URL hijack, and Steakhouse Financial’s DNS attack.

They still matter because they show how relentlessly the infrastructure layer is being tested. Crypto did not lose over $605 million in 19 days because one coder missed one line. It lost that money because the whole operating stack is still loose where it counts. The same human layer that turns a data breach into a phishing pipeline can also turn internal tooling, governance flows, and registrar access into direct theft paths.

What remains unclear on April 19, 2026 is how much of these losses will ultimately be recovered, frozen, socialized, or reimbursed. What is clear already is worse: projects with hundreds of millions in reach are still operating as if attackers will avoid the easiest path to the money.