Key Highlights
- A dozen cryptocurrency platforms have fallen victim to cyberattacks following the $280 million Drift Protocol breach on April 1, 2026.
- Rhea Finance suffered a $7.6 million loss when hackers exploited its Margin Trading functionality through fraudulent token contracts.
- The Grinex exchange, based in Russia, experienced an approximately $15 million USDT drain, with funds quickly converted to TRX and ETH.
- Several incidents show potential involvement from North Korean-backed threat actors employing AI technology and social engineering tactics for credential theft.
- DefiLlama records indicate that 34 DeFi platforms lost a combined $168.6 million during the first quarter of 2026.
At least twelve decentralized finance protocols and cryptocurrency businesses have been breached in roughly two weeks, starting after the $280 million Drift Protocol compromise on April 1, 2026.
THIS IS INSANE.🤯
North Korea stole $285 million in 12 minutes.
Drift is the biggest trading platform on Solana.
The code was fine. Two audits found nothing wrong. North Korea didn’t touch the code. They went after the people.
They made a fake token called CarbonVote. Put in… pic.twitter.com/YKenk4G8pw
— Ash Crypto (@AshCrypto) April 5, 2026
The Drift Protocol incident is one of the largest cryptocurrency security breaches recorded this year. The attack originated from an extended social engineering operation believed to involve actors affiliated with North Korea.
Following that major breach, additional platforms including CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, Rhea Finance, and the Grinex exchange have all experienced security compromises.
Losses from these incidents range from several hundred thousand dollars to tens of millions.
Major Losses Strike Rhea Finance and Grinex
The DeFi platform Rhea Finance suffered a $7.6 million security breach on Thursday. Attackers exploited a weakness in the platform’s Margin Trading functionality to carry out a pool manipulation attack against the Rhea Lend smart contract.
According to blockchain security company CertiK, the perpetrators deployed fraudulent token contracts and injected liquidity into newly created pools, apparently deceiving both the oracle system and validation mechanisms.
Rhea Finance has publicly acknowledged the security breach and maintains ongoing dialogue with affected users regarding the situation.
During the same timeframe, the Kyrgyzstan-registered Grinex exchange suspended all withdrawal and trading operations following what the platform described as a comprehensive cyberattack.
Grinex’s initial assessment placed losses at over 1 billion rubles, equivalent to approximately $13.1 million. However, blockchain intelligence firm Elliptic calculated a higher estimate, placing the theft at around $15 million in USDT.
The stolen USDT moved across both the Tron and Ethereum networks before being converted into TRX and ETH. According to Elliptic, this conversion appears designed to avoid a freeze by Tether, which can blacklist USDT associated with criminal activity.
Grinex attributed the attack to “hostile states” possessing capabilities beyond typical cybercriminal resources. The platform is commonly regarded as the continuation of the previously sanctioned Garantex exchange, which faced closure by U.S. regulatory authorities last year for facilitating hundreds of millions in prohibited transactions.
Cumulative Impact of Multiple Breaches
Additional April incidents include Silo Finance experiencing a $392,000 loss on April 3 stemming from incorrect oracle configuration, Aethir losing $423,000 through an access control vulnerability on April 9, and bridge aggregator Dango suffering a $410,000 loss from smart contract flaws on April 13.
The Binance Smart Chain TMM/USDT liquidity pool also experienced a security breach in early April, resulting in approximately $1.67 million in losses through a reserve manipulation technique.
Threat groups with North Korean connections have been implicated in several of these security incidents, utilizing artificial intelligence tools alongside social engineering methods to infiltrate cryptocurrency organizations.
According to data compiled by DefiLlama, attackers stole more than $168.6 million from 34 DeFi protocols during the first quarter of 2026.
Grinex has subsequently been recognized as a major platform for ruble-to-cryptocurrency exchanges and transactions involving the ruble-backed stablecoin A7A5, which Elliptic calculates has facilitated over $100 billion in total transaction volume.

