Crypto Hack Losses Top $630M in April 2026, Highest Monthly Total Since February 2025

Q: Where the losses came from

Top-five April incidents, per PeckShield's roundup: rsETH bridge — $108M: April 25 exploit on a Layer-2 bridge serving the rsETH liquid restaking token. Smart-contract bug allowed unauthorized minting. Most of the funds remain at-risk; recovery efforts are underway with Ethereum community participation. Compound v3 governance attack — $89M: April 12 exploit through a governance proposal that drained collateral pools. Recovered partially through quick-response treasury action. Cetus DEX (Sui chain) — $77M: April 8 incident; root cause was a price-oracle manipulation. Sui-based DEX volume took ~3 weeks to recover. Pump.fun governance multisig — $54M: April 19 incident on a previously-overlooked governance multisig. Highlights the migration of attack surfaces to admin/governance keys rather than smart-contract bugs. Misc smaller exploits: Combined for ~$300M across DeFi protocols, exchange hot wallets, and individual bridge incidents.

Q: Why losses are accelerating despite better tools

Three structural reasons: Attack surface expansion. The number of deployed smart contracts and bridges has grown faster than auditors can keep up with. New L2s, new chains, new bridges — each is a target. Audit firms are at capacity. Governance becomes the new attack vector. As contract code gets more battle-tested, attackers have shifted to governance-token attacks: accumulate enough voting power to pass a malicious proposal. The Compound and Pump.fun April incidents both fall in this pattern. AI-assisted exploit development. Increasingly, attackers use AI tools (custom Claude/GPT setups, specialized LLM-augmented decompilers) to find vulnerabilities. The asymmetry favors attackers — they can scan thousands of contracts; defenders need to harden each one individually.

By Jaspal Singh April 30, 2026 Updated: April 30, 2026

Crypto hack and exploit losses topped $630 million in April 2026, the highest monthly total since February 2025, according to research from on-chain analytics firms PeckShield and CertiK. The driver: a sharp uptick in cross-chain bridge exploits and a single very large incident — the rsETH bridge attack on April 25 that drained 30,000 ETH (approximately $108M at the time).

The April figure represents a 75% jump from March's $360M and brings 2026 year-to-date losses to roughly $1.85 billion, putting the year on pace to exceed 2024's $2.7 billion total despite better security tooling and audit infrastructure. The question security teams are asking is why losses are accelerating when defensive capability is also increasing.

Where the losses came from

Top-five April incidents, per PeckShield's roundup:

rsETH bridge — $108M: April 25 exploit on a Layer-2 bridge serving the rsETH liquid restaking token. Smart-contract bug allowed unauthorized minting. Most of the funds remain at-risk; recovery efforts are underway with Ethereum community participation.

Compound v3 governance attack — $89M: April 12 exploit through a governance proposal that drained collateral pools. Recovered partially through quick-response treasury action.

Cetus DEX (Sui chain) — $77M: April 8 incident; root cause was a price-oracle manipulation. Sui-based DEX volume took ~3 weeks to recover.

Pump.fun governance multisig — $54M: April 19 incident on a previously-overlooked governance multisig. Highlights the migration of attack surfaces to admin/governance keys rather than smart-contract bugs.

Misc smaller exploits: Combined for ~$300M across DeFi protocols, exchange hot wallets, and individual bridge incidents.

Why losses are accelerating despite better tools

Three structural reasons:

Attack surface expansion. The number of deployed smart contracts and bridges has grown faster than auditors can keep up with. New L2s, new chains, new bridges — each is a target. Audit firms are at capacity.

Governance becomes the new attack vector. As contract code gets more battle-tested, attackers have shifted to governance-token attacks: accumulate enough voting power to pass a malicious proposal. The Compound and Pump.fun April incidents both fall in this pattern.

AI-assisted exploit development. Increasingly, attackers use AI tools (custom Claude/GPT setups, specialized LLM-augmented decompilers) to find vulnerabilities. The asymmetry favors attackers — they can scan thousands of contracts; defenders need to harden each one individually.

Industry response

The major exchanges (Binance, Coinbase, OKX) have all increased their security audit budgets in Q1 2026. CertiK and PeckShield are hiring aggressively. Several major insurance protocols (Nexus Mutual, InsurAce) are seeing premium hikes of 15-30% as the loss frequency rises.

The longer-term response is shifting toward formal verification — mathematically proving smart contract correctness rather than just auditing for known vulnerabilities. Formal verification adoption among major DeFi protocols rose from 12% in early 2025 to ~28% in Q1 2026. The trend is positive but the adoption rate is slower than the attack rate.

My Take

The 2026 crypto-security story is that the industry is winning on simple smart-contract bugs and losing on governance attacks, AI-assisted exploits, and bridge complexity. The first category was the dominant attack vector through 2022-2024; the latter three are 2025-2026. Better audits don't help against a malicious governance proposal that's technically valid. Better audits don't help against an AI-found logic error that no human reviewer would catch in a reasonable timeframe. Better audits don't help when the bridge architecture is inherently complex and vulnerable. The honest read is that crypto-security losses will keep rising in absolute terms even as the per-protocol security level improves — because TVL keeps growing, attack surface keeps growing, and attacker capability is growing fastest. The industry needs structural changes (governance attack-resistance, formal verification, simpler bridge designs) more than incremental audit work. Those changes are coming, slowly. Meanwhile, expect $2.5-3B in 2026 losses.

FAQ

Are these losses recoverable? Some are. Major incidents typically recover 30-50% via treasury action, white-hat negotiation, or post-incident funding. Net loss to ecosystem is typically half the headline number.

Should I avoid bridges entirely? Bridge risk is real but compensated by the utility of cross-chain operation. Use audited bridges (Wormhole, LayerZero, Across), avoid unaudited ones, don't store significant value mid-bridge.

Do exchanges cover hack losses? Generally only if the exchange's own infrastructure is compromised. DeFi protocol hacks are user-borne unless the protocol has insurance or a recovery treasury.

The Bottom Line

Crypto hacks topped $630M in April, highest since Feb 2025. Driven by bridge exploits, governance attacks, and AI-assisted vulnerability discovery. 2026 on pace for $2.5-3B in losses. Better tools aren't keeping pace with attack surface expansion.