The Crypto Industry Just Had Its Worst Month of Hacks in Over a Year — And the Bigger Threat Is Still Coming
The Crypto Industry Just Had Its Worst Month of Hacks in Over a Year — And the Bigger Threat Is Still Coming
Sam DaoduFri, April 24, 2026 at 1:09 PM UTC
0
Andrey_Popov / Shutterstock.comQuick Read -
April 2026 is now the worst month for crypto hacks in over a year, with $606 million drained across 12 incidents so far. This is already 3 times more than all of the hack incidents in Q1 combined, and the month isn’t even over.
Cross-chain bridges have been the single most exploited piece of infrastructure in crypto since 2021, with over $2.8 billion drained from them—roughly 40% of every dollar stolen in Web3. April’s $292 million KelpDAO hack worked just like the Ronin Bridge hack four years earlier: attackers forged bridge approvals and walked off with the funds.
North Korea’s Lazarus Group took about 59% of every money stolen in crypto globally in 2025, and they’ve been even more aggressive in 2026. They’ve drained $285 million from Drift Protocol and $292 million from KelpDAO this April, and both were set up through months of social engineering.
A March 2026 Google Quantum AI paper showed Bitcoin’s encryption could be cracked with fewer than 500,000 physical qubits—a 20-fold drop from previous estimates—and Google has set a 2029 deadline for migrating to post-quantum cryptography. Bitcoin’s own migration plan, BIP-361, would take about seven years, meaning the network wouldn’t be fully quantum-safe until the early 2030s.
The analyst who called NVIDIA in 2010 just named his top 10 AI stocks. Get them here FREE.
Cybercriminals have been draining crypto for as long as it has been worth stealing. Mt. Gox lost 750,000 BTC back in 2014, hackers pulled $3.4 billion out of the industry in 2025, and North Korean hackers alone have walked away with $6.75 billion over the last decade.
The analyst who called NVIDIA in 2010 just named his top 10 stocks. Get them here FREE.
April is shaping up as the worst month for crypto hacks in over a year, with hackers draining $606 million from crypto protocols across 12 incidents. Two of those exploits alone made up 95% of the losses—and both were the work of North Korea's Lazarus Group.
What's more frightening is that the hackers aren't even the biggest threat anymore. Google says a quantum computer could crack Bitcoin's encryption in nine minutes, potentially by 2029. So is crypto actually going to be safe?
April Just Became Crypto's Worst Hack Month in Over a Year
pixadot.studio / Shutterstock.com
On February 21, 2025, Bybit was running what looked like a routine cold wallet transfer. Cold wallets are supposed to be the safest way to move crypto, with keys kept offline and transactions requiring multiple signatures.
However, Lazarus Group had already compromised a developer machine at Safe Wallet—Bybit's multi-sig tool. When Bybit's signers gave their approval, the interface showed them one thing while signing another. By the time anyone realised what had happened, $1.4 billion in Ethereum was gone. This is still the biggest crypto theft ever recorded.
Then in May 2025, a hacker slipped fake tokens into Cetus Protocol's liquidity pools on the Sui blockchain. He tricked the pricing system into treating them as real, and walked off with $223 million. Later in November, an attacker exploited a rounding error in Balancer's pricing, chaining dozens of tiny swaps together to drain $128 million from its pools. So by the end of 2025, roughly $3.4 billion was stolen from crypto.
Around $165 million was stolen in the entire first quarter of this year, which is still bad, but it seemed like the crypto industry was actually turning things around with better security. However, hackers have drained $606 million from crypto protocols this April, which is 3.7 times more than all of Q1 combined, and the month isn't even over. Every month since the Bybit hack has been a fraction of that total, but April has passed them all in under three weeks.
When hackers drained $292 million from KelpDAO's bridge on April 18, they used the stolen tokens as fake collateral on Aave, which set off a wave of panic withdrawals. DeFi deposits dropped by $13 billion in 48 hours as users rushed to pull their funds before someone else did. In fact, for every dollar hackers stole in April, DeFi users pulled roughly 20 more out of the system. And the attackers are still using playbooks that have been working on crypto for four years now.
Why Cross-Chain Bridges Are Still Crypto's Biggest Liability
one photo / Shutterstock.com
Bridges have been the single most exploited piece of infrastructure in crypto since 2021. Hackers have drained more than $2.8 billion from them over the past four years, which works out to roughly 40% of all money stolen in Web3. Poly Network, Wormhole, Nomad, Harmony—every major cross-chain bridge has been hit at some point, and most of them for hundreds of millions at a time.
This pattern keeps repeating because there are similar weak points across every bridge that the hackers target. Take Ronin Bridge for example—it was run by nine validators, and five of them had to sign off on any transaction. Lazarus Group ran a spear-phishing attack to compromise those five, then signed two fake withdrawals and walked off with $625 million in ETH and USDC. The hack went undetected for six days, until a user tried to pull their funds and the bridge had nothing left.
That’s why the KelpDAO's bridge attack on April 18 went down the same way. The platform’s setup allowed a single signature to approve cross-chain transactions, and once the attacker forged a convincing one, rsETH—KelpDAO's restaked ETH token—was minted and drained.
This shows that even after four years since the Ronin hack, the weak points haven't changed. Bridges hold huge pools of money, and the people verifying transactions can be tricked into signing off on fake ones, and once the keys are gone, the money is gone. As Immunefi founder Mitchell Amador put it, with code becoming harder to exploit, the main target for hackers in 2026 is people.
Advertisement
Lazarus Group Has Industrialized Crypto Theft
Who is Danny / Shutterstock.com
Most of these cyber attacks on crypto are the work of one group: North Korea's Lazarus Group. Lazarus has been draining crypto for a decade, and in 2025 alone they took about 59% of every dollar stolen in the entire industry.
U.S. and UN reports tie them directly to North Korea's military-intelligence agency, with the stolen crypto funding the country's ballistic missile and nuclear programs. They work in shifts, have a budget, and run long-term campaigns that take months to set up.
A typical Lazarus operation starts months or even years before anyone notices. For instance, a fake recruiter messages a developer at a crypto firm on LinkedIn. A "pre-employment test" plants a malicious script on the engineer's GitHub. Stolen session cookies unlock internal chat tools, and weeks later a routine transaction gets silently rewritten before it's approved.
That's how they pulled off the $308 million DMM Bitcoin heist in 2024, and it's the same basic playbook that worked on Bybit, Drift, and KelpDAO. And their campaigns this year have been their most aggressive yet. Within three weeks in April, Lazarus's TraderTraitor subunit has drained $285 million from Drift Protocol and $292 million from KelpDAO, both through elaborate social engineering jobs.
Smart contract audits don't stop state-backed hackers who spend six months learning an engineer's Slack habits before they strike. However, as dangerous as Lazarus is, there's a bigger threat coming. It's a form of computing that could crack Bitcoin's entire security model in under ten minutes—quantum computing.
Google Just Moved the Quantum Threat to the End of the Decade
Bennian / Shutterstock.com
Bitcoin's whole security model comes down to one simple math problem: it works one way but not the other. Generating a public key from a private key is fast and simple, but reversing that process is basically impossible. No classical computer can do it in less than a few billion years—but quantum computers can.
Using an algorithm called Shor's, quantum computers can reverse the process in reasonable time—and Bitcoin has no defense against that. The only catch is that quantum computers powerful enough to run Shor's at that scale don't exist yet. Most researchers thought they wouldn't show up until the mid-2030s at the earliest. However, a Google Quantum AI whitepaper from March 30, pulled that timeline forward by roughly half a decade.
The paper showed that a quantum computer could break Bitcoin's encryption with fewer than 500,000 physical qubits—down from the millions in previous estimates. That's still beyond what any quantum computer can do today, but it's within reach of what researchers think they can build by the end of the decade. Google has set a 2029 deadline for moving its own systems to post-quantum cryptography—four years before most of the industry thought the threat was real.
Google also modeled exactly how the attack would play out in practice. When you send a Bitcoin transaction, your public key gets broadcast to the network. A quantum computer watching the network could then derive your private key in about nine minutes—a minute shorter than the ten minutes Bitcoin needs to finalize the transaction.
That means an attacker could crack your key and redirect your funds before the transaction even settles. So once these quantum computers show up, a hacker could drain your Bitcoin in the time it takes to make a coffee. And Google thinks that moment is barely four years away.
Is the Crypto Industry Ready for What's Coming?
The crypto industry already has the tech to stop both the Lazarus-style attacks and quantum theft—but its biggest networks can't agree on how to deploy it. Bitcoin has had a quantum-safe address proposal (BIP-360) in its official repository since February 2026, and a follow-up proposal (BIP-361) that would phase out legacy addresses and eventually freeze any coins left in them.
However, 34% of all BTC in circulation is in quantum-vulnerable addresses, including roughly 6.7 million BTC in early wallets—some of them Satoshi Nakamoto's. So migrating that much BTC is a political minefield, and the community is already split between calling the plan "defensive" and "authoritarian."
BIP-361's co-author estimates Bitcoin would need about seven years to fully migrate—years longer than the timeline Google just laid out. Even if Bitcoin reaches consensus tomorrow, it wouldn't be fully quantum-safe until the early 2030s. By then, Google says, quantum computers will have already been cracking the encryption. Bitcoin just needs years of coordinated effort to deploy the fix—but the community hasn't even agreed whether it wants to.
The analyst who called NVIDIA in 2010 just named his top 10 AI stocks
This analyst's 2025 picks are up 106% on average. He just named his top 10 stocks to buy in 2026. Get them here FREE.
Source: “AOL Money”
