At least 12 DeFi protocols and crypto firms have been targeted in the two weeks following the $280 million Drift Protocol exploit on April 1.
Victims of attacks since the start of the month include CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, and most recently Rhea Finance and the Grinex exchange.
Drift Protocol suffered one of the largest exploits of the year, losing around $280 million in a prolonged social engineering attack believed to involve North Korea-linked actors.
The wave of incidents has also fueled concerns that increasingly advanced AI systems—such as Anthropic’s Claude Mythos and similar models—could further lower the barrier for cyberattacks in the future.
Rhea Finance exploited for $7.6 million
Rhea Finance said on Thursday that an attacker exploited a vulnerability in its margin trading feature, carrying out a coordinated pool manipulation attack that impacted its Rhea Lend smart contract.
Roughly $7.6 million was siphoned off, according to blockchain security firm CertiK.
“The attacker created fake token contracts and seeded liquidity into newly created pools, likely deceiving the oracle and validation systems,” the firm said.
Meanwhile, the Russia-linked Grinex exchange halted operations after a $13.7 million hack on Thursday, attributing the breach to “unfriendly states.”
Another incident this month targeted the Binance Smart Chain TMM/USDT liquidity pool, where a reserve manipulation attack led to losses of about $1.67 million in early April, according to R3ACH Network analyst Jussy.
Just days later, bridge aggregator Dango lost $410,000 due to a smart contract bug on April 13.
Elsewhere, lending protocol Silo Finance suffered a $392,000 loss on April 3 from a misconfigured oracle exploit, while decentralized GPU cloud platform Aethir lost $423,000 in an access control breach on April 9.
DPRK ramps up AI-driven social engineering attacks
The Drift Protocol and Zerion wallet exploits highlight how groups linked to North Korea are increasingly using AI and social engineering tactics to infiltrate crypto firms and steal credentials and funds.
In total, attackers stole more than $168.6 million from 34 DeFi protocols in the first quarter of 2026, according to DefiLlama data.
