A wave of cyberattacks has targeted at least 12 decentralized finance protocols and crypto businesses in just over two weeks, starting with the $280 million Drift Protocol exploit on April 1. Recent incidents include multimillion-dollar losses at Rhea Finance and Grinex exchange, amid growing concerns that advanced AI models could empower future attackers. North Korean-affiliated groups have been linked to several sophisticated social engineering attacks in this period.
The string of exploits began with a $280 million loss at Drift Protocol on April 1, suspected to involve North Korean-affiliated actors. Since then, attacks have hit CoW Swap, Hyperbridge, Bybit, and several other protocols.
Rhea Finance reported a $7.6 million exploit on Thursday via a vulnerability in its Margin Trading feature. The attacker leveraged fake token contracts to manipulate pools, according to security firm CertiK.
Also on Thursday, the Russia-linked Grinex exchange suspended operations after a $13.7 million hack, blaming “unfriendly states” for the incursion. This followed other significant losses across the sector in April.
Binance Smart Chain’s TMM/USDT pool lost $1.67 million to a reserve manipulation attack in early April. Bridge aggregator Dango lost $410,000 from a smart contract bug on April 13.
Silo Finance lost $392,000 from a misconfigured oracle on April 3. Aethir lost $423,000 in an access control exploit on April 9. Malicious actors stole over $168.6 million from 34 DeFi protocols in Q1 2026, per DefiLlama data.
The Drift Protocol and Zerion wallet exploits exemplify DPRK groups using AI and social engineering. These attacks come amid concerns that models like Anthropic’s Claude Mythos could make future cyberattacks easier.
