Foreign media reports indicate that the two most serious crypto thefts in April 2026 were both attributed to the North Korean hacking group Lazarus. The two attacks caused a combined loss of approximately $577 million, the majority of all crypto thefts so far this year up to April.
This commentary argues that the main threat facing DeFi today is no longer just smart contract vulnerabilities. The greater risks lie in long-term social engineering infiltration, control of developer devices, and the gradual erosion of multi-signature permissions.
Drift was emptied within 12 minutes.
On April 1st, approximately $285 million in assets were transferred out of the main vault of Drift Protocol, a perpetuals protocol in the Solana ecosystem. The article states that the attackers completed the critical operations within 12 minutes, transferring out large amounts of JLP tokens and wrapped Ethereum and virtually emptying the protocol's vault.
Subsequent disclosures by Drift revealed that preparations for the attack lasted approximately six months. Individuals posing as a quantitative trading firm approached protocol contributors at in-person industry conferences, then kept in contact through channels such as Telegram, and deposited over $1 million into the protocol as partners to gradually gain their trust.
Social engineering infiltration combined with multi-signature failure
The article states that the attackers did not rely on traditional contract vulnerabilities, but instead compromised devices through two types of malicious payloads. One was a code repository containing malicious code that executed silently when developers opened it in VSCode or Cursor; the other was a fake test build of a wallet app distributed through Apple's TestFlight.
After gaining access to the relevant devices, the attackers went on to take control of the critical wallet. On March 23, they used Solana's durable nonce mechanism to pre-sign transactions and obtained authorization from two of the five signers on the Drift security committee. By April 1, the attackers had seized administrative control by executing the pre-signed transaction during a routine insurance fund withdrawal.
Subsequently, the attackers introduced a synthetic asset called CVT, manipulated its price on decentralized exchanges through wash trading, and raised the protocol's USDC withdrawal limit to extreme levels. They then used CVT as collateral to withdraw assets from the vault. The article states that this process demonstrates that once multi-signature control fails, the protocol's defenses can crumble quickly.
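The durable nonce step above is the one a signer could have caught before approving: on Solana, a transaction only gets durable-nonce treatment when its first instruction is SystemProgram AdvanceNonceAccount, which makes it replayable until the nonce is advanced. The following review check for pending multisig proposals is an added example, not code from the article or from Drift; the transaction layout is a simplified constructed dict, not the real wire encoding, and all account names are placeholders.

```python
import struct
from datetime import datetime, timedelta

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction variant index, bincode-encoded as u32 LE
MAX_AGE = timedelta(hours=1)  # policy: approvals older than this must be re-collected

def is_advance_nonce(ix: dict) -> bool:
    """True if the instruction is SystemProgram::AdvanceNonceAccount."""
    if ix["program_id"] != SYSTEM_PROGRAM or len(ix["data"]) < 4:
        return False
    return struct.unpack_from("<I", ix["data"])[0] == ADVANCE_NONCE_ACCOUNT

def uses_durable_nonce(tx: dict) -> bool:
    """Solana honours a durable nonce only when AdvanceNonceAccount is the first
    instruction; the blockhash field then holds the stored nonce and never expires,
    so a pre-signed copy stays valid until someone advances the nonce."""
    ixs = tx["instructions"]
    return bool(ixs) and is_advance_nonce(ixs[0])

def review_proposal(tx: dict, now: datetime, max_age: timedelta = MAX_AGE) -> list[str]:
    """Findings a multisig signer should see before adding an approval."""
    findings = []
    if uses_durable_nonce(tx):
        findings.append("durable nonce: approvals can be held and executed later")
    stale = [a for a in tx["approvals"] if now - a["signed_at"] > max_age]
    if stale:
        findings.append(f"{len(stale)} approval(s) older than {max_age}")
    return findings

# Constructed sample: a routine-looking withdrawal whose first instruction advances
# a nonce account, carrying one approval collected nine days before execution.
ADVANCE_IX = {
    "program_id": SYSTEM_PROGRAM,
    "accounts": ["<nonce-account>", "SysvarRecentB1ockHashes11111111111111111111", "<signer-1>"],
    "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT),
}
WITHDRAW_IX = {"program_id": "<protocol-program>", "accounts": ["<vault>"], "data": b"\x07"}
NOW = datetime(2026, 4, 1, 12, 0)
SUSPECT_TX = {
    "instructions": [ADVANCE_IX, WITHDRAW_IX],
    "approvals": [{"signer": "<signer-1>", "signed_at": datetime(2026, 3, 23, 9, 0)}],
}
NORMAL_TX = {
    "instructions": [WITHDRAW_IX],
    "approvals": [{"signer": "<signer-1>", "signed_at": NOW - timedelta(minutes=5)}],
}

if __name__ == "__main__":
    for name, tx in (("suspect", SUSPECT_TX), ("normal", NORMAL_TX)):
        print(name, review_proposal(tx, NOW) or ["ok"])
```

A real deployment would decode the serialized message instead of a dict, but the two rules (first instruction is a nonce advance; approval age exceeds policy) are the ones that separate a held pre-signed transaction from a fresh, short-lived one.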
KelpDAO's bridge configuration was also exploited.
Seventeen days later, KelpDAO lost approximately $292 million. The article states that attackers exploited a single-validator configuration in its LayerZero bridge to transfer the funds. These two incidents combined accounted for about 95% of all crypto thefts in April, making it one of the worst months on record for crypto security.
The article cites data from TRM Labs, stating that as of April, the amount stolen in crypto thefts in 2026 had exceeded $1 billion, approximately 76% of it from these two attacks. The article also mentions Chainalysis statistics showing that the total amount stolen in 2025 was $2.06 billion, primarily due to the Bybit attack.
The old pattern is still repeating itself.
The article argues that while these incidents differ in their details, they share a highly similar structure: first, contact with people; then, control of devices; next, acquisition of multi-signature permissions; and finally, malicious transactions disguised as normal operations. The $1.5 billion theft from Bybit in February 2025 and the Ronin Bridge attack in 2022 both exhibit the same characteristics.
The core issue isn't just the code, but also the signers, devices, and processes. For DeFi protocols, the attack surface has expanded from on-chain contracts to in-person contacts, collaboration software, test distribution channels, and cross-chain infrastructure. The article therefore argues that protocol security models designed primarily around contract auditing will struggle to cover such months-long penetration campaigns.