At least 12 DeFi protocols and crypto businesses have been hit by hackers in just over two weeks, following the $280 million Drift Protocol exploit on April 1, 2026.
The Drift Protocol attack is one of the largest crypto exploits this year. It involved a long-running social engineering campaign suspected to include North Korean-affiliated actors.

Since then, attacks have hit CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, Rhea Finance, and the Grinex exchange.
The losses vary widely, from hundreds of thousands to tens of millions of dollars.
DeFi protocol Rhea Finance was exploited for $7.6 million on Thursday. Attackers used a vulnerability in its Margin Trading feature to carry out a pool manipulation attack on the Rhea Lend smart contract.
Blockchain security firm CertiK said the attacker created fake token contracts and added liquidity to fresh pools, likely tricking the oracle and validation layer.
Rhea Finance confirmed the exploit publicly and is communicating with users about the incident.
On the same day, the Kyrgyzstan-registered Grinex exchange halted withdrawals and trading after what it called a large-scale cyberattack.
Grinex initially reported over 1 billion rubles, roughly $13.1 million, stolen. Blockchain analytics firm Elliptic put the figure higher, at approximately $15 million in USDT.
The stolen USDT was moved through Tron and Ethereum networks before being swapped into TRX and ETH. Elliptic said this was likely done to avoid being frozen by Tether, which can blacklist USDT linked to illegal activity.
Grinex blamed “hostile states” with resources unavailable to ordinary attackers. The exchange is widely seen as a successor to the sanctioned Garantex exchange, which was shut down by U.S. authorities last year for processing hundreds of millions in illicit funds.
Other attacks in April include Silo Finance losing $392,000 on April 3 from a misconfigured oracle, Aethir losing $423,000 in an access control exploit on April 9, and bridge aggregator Dango losing $410,000 from a smart contract bug on April 13.
The Binance Smart Chain TMM/USDT liquidity pool was also hit in early April, losing around $1.67 million in a reserve manipulation attack.
North Korea-linked groups have been connected to some of these attacks, using AI tools and social engineering to get inside crypto companies.
Malicious actors stole over $168.6 million from 34 DeFi protocols in the first quarter of 2026, according to DefiLlama data.
Grinex has since been identified as a key hub for ruble-to-crypto trading and the ruble-backed stablecoin A7A5, which Elliptic estimates has processed over $100 billion in transactions.
The post Crypto Hacks Surge: Over a Dozen DeFi Protocols Attacked Since $280M Drift Protocol Exploit appeared first on CoinCentral.

