The cryptocurrency ecosystem has witnessed a sustained assault on its security infrastructure: no fewer than 12 decentralized finance platforms and digital asset businesses fell victim to malicious exploits in the two weeks after the April 1, 2026 Drift Protocol breach, which cost $280 million.
The Drift Protocol incident ranks among 2026’s most significant cryptocurrency security breaches. Investigators believe the attack stemmed from an extended social engineering operation with potential involvement from actors associated with North Korea.
Following this major incident, numerous platforms including CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, Rhea Finance, and the Grinex trading platform have all experienced security compromises.
Financial damages across these incidents vary widely, from several hundred thousand dollars to losses in the tens of millions.
On Thursday, the Rhea Finance platform fell victim to an exploit resulting in $7.6 million in losses. The perpetrators leveraged a security flaw within the platform’s Margin Trading infrastructure to execute a sophisticated pool manipulation strategy targeting the Rhea Lend smart contract.
Cybersecurity firm CertiK’s analysis revealed that attackers deployed fraudulent token contracts and established liquidity in newly created pools, apparently deceiving both the oracle system and validation mechanisms.
Rhea Finance has publicly acknowledged the security incident and maintains ongoing communication with affected users regarding the breach.
During the same timeframe, Grinex, an exchange registered in Kyrgyzstan, suspended both withdrawal operations and trading activities following what the platform characterized as a significant cyberattack.
Grinex’s initial assessment placed losses at over 1 billion rubles, equivalent to roughly $13.1 million. However, blockchain intelligence provider Elliptic calculated the actual figure closer to $15 million in USDT.
The compromised USDT tokens were transferred across Tron and Ethereum blockchain networks before conversion into TRX and ETH. According to Elliptic’s analysis, this conversion strategy likely aimed to circumvent Tether’s ability to freeze USDT assets connected to unauthorized activities.
Grinex attributed the attack to “hostile states” possessing capabilities beyond those of typical cybercriminals. Industry observers widely regard the exchange as effectively continuing the operations of Garantex, a sanctioned platform that U.S. regulators closed after discovering that it had processed hundreds of millions in illicit transactions.
Additional April incidents include Silo Finance’s $392,000 loss on April 3 due to oracle misconfiguration issues, Aethir’s $423,000 breach on April 9 through an access control vulnerability, and bridge aggregator Dango’s $410,000 loss from a smart contract defect on April 13.
The Binance Smart Chain TMM/USDT liquidity pool also experienced a security breach in early April, resulting in approximately $1.67 million in losses through a reserve manipulation technique.
Threat intelligence suggests North Korean-affiliated organizations have orchestrated portions of these attacks, deploying artificial intelligence capabilities alongside social engineering methodologies to compromise credentials within cryptocurrency organizations.
Data compiled by DefiLlama indicates that malicious actors extracted more than $168.6 million from 34 decentralized finance protocols throughout 2026’s first quarter.
Subsequent investigations have identified Grinex as a significant platform facilitating ruble-to-cryptocurrency exchanges and transactions involving the ruble-pegged stablecoin A7A5, which Elliptic estimates has facilitated over $100 billion in total transaction volume.
The post DeFi Under Siege: 12+ Crypto Platforms Breached Following Drift Protocol’s $280M Loss appeared first on Blockonomi.


