Key Takeaways
Peckshield tracked 8 bridge exploits by means of mid-Could 2026, with $328.6M drained cumulatively from cross-chain protocols.KelpDAO’s $300M Layerzero breach and Drift’s $200M+ assault made April 2026 the worst-hacked month on report, per Defillama.Whole 2026 hack losses surpassed $750M by means of mid-April; Could’s Verus bridge drain provides $11.5M extra.
Crypto’s Worst 12 months for Cross-Chain Hacks
Blockchain safety and knowledge analytics agency Peckshield launched a mid-Could tally of eight bridge-related exploits that collectively drained $328.6 million from cross-chain protocols up to now this yr. The determine provides to what has grow to be the worst interval on report for decentralized finance ( DeFi) whereas concurrently exposing a systemic vulnerability that the trade has but to resolve absolutely.
Cross-chain bridges work by locking tokens on one blockchain and minting equal belongings on one other, creating high-value assault surfaces the place exploiters want solely compromise the bridge’s verification mechanism to realize entry to pooled liquidity. The structural threat grew to become simple in April 2026, as crypto’s most-hacked month on report, with 30 separate incidents, a tempo of practically one assault per day.
Two of the biggest assaults got here in speedy succession that month. KelpDAO’s Layerzero V2 rsETH route was exploited for about $300 million on April 18, with an attacker extracting 116,500 rsETH from Ethereum’s OFT adapter with out burning tokens on the supply chain. A evaluation by Chainalysis discovered that Layerzero had set a low 1-1 RPC quorum default, that means a single poisoned node may authorize fraudulent cross-chain messages. KelpDAO subsequently migrated to Chainlink’s Cross-Chain Token customary, publicly blaming Layerzero for the infrastructure failure.
Days later, Drift Protocol suffered a $200 million-plus exploit on its Solana-based infrastructure. A CertiK analyst famous that the incidents mirrored a high-stakes shift in cross-chain cybercrime technique, with attackers rising extra refined in how they establish and exploit bridge verification weaknesses.
Dying by a Thousand Cuts
Smaller incidents have poured within the months earlier than and even since, with IoTeX’s bridge being hit for about $2 million in February by means of a non-public key exploit. Subsequently, TAC Protocol misplaced $2.8 million in early Could in what was later labeled as a white hat incident after the hacker claimed a ten% bounty.
Transit Finance, a cross-chain aggregation protocol, was drained of $1.88 million on Could 13 and most not too long ago, the Verus-Ethereum bridge misplaced roughly $11.5 million, with the attacker’s pockets traced to a Twister Money seed.
Peckshield knowledge had already proven whole hack losses reaching $112.5 million within the first two months of 2026 alone earlier than April’s surge pushed cumulative losses past $750 million by means of mid-April. With Could’s incidents including to that determine, 2026 is on track to eclipse earlier information for DeFi losses.
