Aave maintains a $50 million insurance fund to absorb bad debt. However, this can't cover such a huge shortfall.
Aave faces approximately $200 million in bad debt after Kelp DAO bridge exploit
The Aave defi lending protocol is grappling with anywhere from $177 million to $236 million in bad debt after the Kelp DAO bridge exploiter used Aave to cash out their stolen rsETH. Rather than selling the tokens, the attacker used the rsETH as collateral to borrow wETH, leaving Aave stuck with the huge quantity of unbacked rsETH. Although Kelp and Aave both froze affected markets, the attacker had already cashed out. The attacker borrowed essentially all of the wETH available on the platform, leaving those who'd loaned those tokens unable to withdraw.
RaveDAO accused of pump-and-dump as token crashes 98%
Binance and BitGet have confirmed they are investigating allegations that RaveDAO orchestrate a pump-and-dump to push its RAVE token price from around $0.25 to more than $27 over the past few weeks, before the token price plummeted back down to $0.66. Concerns were first raised by blockchain investigator zachbxt, who called on the exchanges to investigate. He later wrote, "While it's good the exchanges responded, I find it unlikely this activity wasn't spotted internally before I raised it publicly."
RaveDAO describes itself as a "community-driven global rave powerhouse", and sells NFT tickets to rave events.
RaveDAO has denied any responsibility for the recent price movements, but did not address allegations of enormous token concentration with the project's team or large transfers to exchanges around the time of the price jump.
Kelp DAO bridge hacked for $292 million
An attacker stole 116,500 rsETH (restaked ether) from a blockchain bridge run by Kelp DAO. Based on prices at the time of the theft, the stolen tokens would be worth around $292 million — however, the attacker is likely to face challenges selling a quantity of tokens that amounts to 18% of rsETH's circulating supply.
When tokens are bridged from one chain to another, the tokens on the original chain are locked in the bridge smart contract while the token is used on the other chain, preventing its owner from double-spending the asset. With 116,500 locked rsETH now stolen, those using the token on other blockchains are now holding possibly unbacked tokens.
The rush for holders to offload their dubiously backed tokens is likely to worsen contagion throughout defi protocols, where those platforms could be left holding the bag. Some platforms, including Aave, Lido Finance, and Ethena, have paused markets involving rsETH to try to protect themselves.
This hack has set the new record for the largest defi hack in 2026, following the $285 million Drift exploit on April 1.
Rhea Finance exploited for $18.4 million, some recovered
Rhea Finance's lending product was exploited for around $18.4 million after an attacker took advantage of a bug in the platform's slippage protection feature. The stolen assets affected both platform and user funds.
Some of the stolen tokens were returned by the attacker to the protocol, and around $4.35 million USDT were frozen by its issuer, Tether. Altogether, around $10 million was recovered, leaving $8.4 million outstanding.
- RHEA Finance Protocol Incident, Rhea Finance
Russian Grinex exchange halts trading after $13 million+ exploit
The Russian cryptocurrency exchange Grinex has halted trading after disclosing a hack of more than 1 billion rubles (more than $13 million). The exchange has claimed on Telegram that the hack was perpetrated by "foreign special services" they allege were trying to harm Russian financial independence.
According to blockchain intelligence firms TRM Labs and Chainalysis, Grinex is a rebranded version of the Garantex cryptocurrency exchange that was shut down and sanctioned in March 2025. Two of its operators were subsequently criminally charged in the US.
CoW Swap users lose estimated $1.2 million after DNS hijacking
Users who visited the website for the CoW Swap DEX aggregator on April 14 were unknowingly redirected to a malicious website that drained their crypto wallets. An attacker was able to socially engineer CoW Swap's domain registrar, allowing them to redirect visitors to a malicious site for a period of several hours. CoW Swap has estimated that people who used the service during that time lost around $1.2 million.
- "POST MORTEM: Cow.fi Domain Hijack", CoW DAO
Users lose $9.5 million to fake Ledger wallet app on the Apple App Store
After a fake version of the Ledger cryptocurrency wallet app made it onto the normally highly curated Apple App store, customers lost $9.5 million dollars to the malicious product. Believing it was a genuine Ledger product, people entered their seed phrases into the app, then discovered their wallets were immediately drained.
One victim, a musician who goes by G. Love, wrote: "I lost my retirement fund in a hack/Scam when I switched my Ledger over to my new computer and by accident downloaded a malicious ledger app from the Apple store. All my BTC gone in an instant." According to him, he lost 5.9 BTC (~$445,000).
Crypto sleuth zachxbt traced some of the stolen funds through Kucoin, a Chinese cryptocurrency exchange that was recently fined and forced to exit US markets over licensing and anti-money laundering failures. "The three largest victims lost seven figures each," he wrote.
Apple removed the malicious app from their App Store on April 13, six days after it had been added.
Hyperbridge exploited two weeks after April Fools' hack joke
On April Fools' Day, the Hyperbridge blockchain bridge project posted a tweet claiming that the North Korean Lazarus hacking group had drained $37 million from the project. A linked blog post contained a Rickroll GIF and an explanation of "Why Hyperbridge can't be hacked".
The following day, a Hyperbridge developer posted a screenshot of a blockchain transaction, writing "Lmao the uniBTC exploiter is testing Hyperbridge. I hope you have a quantum computer bro". Another commenter replied, "Rule #1 dont actively provoke attackers".
About two weeks later, an attacker was able to forge a transaction to change the admin rights for the Polkadot/Ethereum bridge contract, allowing them to mint 1 billion DOT tokens. They were able to cash out about $2,500,000 due to limited liquidity.
The April Fools' posts have since been deleted.
Bitcoin Depot hacked for $3.67 million
Bitcoin ATM operator Bitcoin Depot has disclosed a March 23 hack in which attackers stole 50.903 BTC (~$3.67 million) from company wallets. According to the company's disclosure with the SEC, the exploiters gained access to the company's IT systems and wallet credentials, allowing them to steal the assets.
Bitcoin Depot is the largest operator of crypto ATMs globally and in the United States, with approximately 8,700 kiosks in the US and 9,200 worldwide.
- SEC Form 8-K filed by Bitcoin Depot Inc. on April 6, 2026
- Top Crypto ATM Operators, Coin ATM Radar
Drift exploited for $285 million
The Solana-based Drift defi perpetual futures exchange was exploited for $285 million. The project alerted the community on social media, writing: "Drift Protocol is experiencing an active attack. ... This is not an April Fools joke."
The project later described the exploit as "a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." Once the attacker had access to admin capabilities, they quickly eliminated risk management limits on the protocol and drained huge quantities of tokens, which they swapped to USDC and then ETH. The attack was attributed to extremely sophisticated social engineering, likely by North Korean hackers.
Some have criticized USDC's issuer, Circle, for not freezing the stolen funds during the six hours they were held in USDC. Unlike ETH, USDC is controlled by a centralized company that can, and regularly does, freeze assets determined to have been stolen or connected to illicit activity.
The theft is among the largest in defi history.