News linked to this event type.
Regarding the KelpDAO hack, Aave tweeted that the rsETH markets on Aave V3 and Aave V4 have been frozen. Aave stated that its contracts were not exploited and that this incident is related to the exploit of Kelp DAO’s rsETH cross-chain bridge. The freeze will prevent new rsETH deposits and rsETH-backed lending. Aave is currently reviewing lending activity involving rsETH on the platform following the exploit and has indicated that, should the protocol accumulate bad debt as a result, it will explore options to cover the deficit. Earlier reports indicated that Kelp DAO’s cross-chain bridge was hacked, resulting in the theft of approximately $292 million worth of rsETH, exposing Aave V3 to bad debt risk.
According to CoinDesk, Kelp DAO’s LayerZero-based cross-chain bridge was attacked, with the attacker withdrawing 116,500 rsETH—worth approximately $292 million at current prices, or roughly 18% of its circulating supply. This incident has become the largest DeFi attack of 2026 to date. In response, Aave, SparkLend, and Fluid have frozen rsETH-related markets, and Lido Finance has suspended new deposits into its earnETH product. Kelp DAO stated it is jointly investigating the incident with LayerZero, auditing firms, and external security experts.
Odaily News On-chain data indicates that Kelp DAO's rsETH bridge protocol based on LayerZero is suspected of being exploited by hackers, resulting in a loss of 116,500 rsETH, valued at approximately $292 million.
According to a post by Vitalik Buterin (@VitalikButerin) on April 18, 2026, the DNS registrar for eth.limo was attacked. Users are advised to temporarily avoid accessing vitalik.eth.limo or any other eth.limo-related pages until official confirmation of service restoration is provided.
According to an official disclosure by RHEA Finance, on April 16, 2026, the NEAR ecosystem lending protocol RHEA Finance (formerly Burrow Finance) suffered a hack targeting its margin trading functionality, resulting in losses of approximately $18.4 million. The attacker began preparations several days prior to the incident by creating multiple fake token pools on Ref Finance and injecting liquidity into them, thereby constructing malicious swap routes. Exploiting a vulnerability in the protocol’s slippage protection mechanism—which failed to account for scenarios where intermediate tokens were reused during multi-step swaps—the attacker caused borrowed debt tokens to be routed into fake token pools under their control. This triggered widespread forced liquidations, ultimately draining the protocol’s reserve pool. During the attack, the attacker deleted a total of 55 intermediary accounts to obscure their trail. As of now, the attacker has repaid approximately 3.359 million USDC and 1.564 million NEAR to the RHEA lending contract. Additionally, 4.34 million USDT have been frozen—3.291 million frozen by Tether and 1.053 million frozen by NEAR Intents. The protocol’s smart contracts have been paused, and the team is collaborating with centralized exchanges to jointly trace the funds; relevant law enforcement agencies have also been notified.
Odaily News Rhea Finance has released a post-mortem report on the attack, confirming that the actual loss from the vulnerability is approximately $18.4 million, a significant increase from the initial estimate of around $7.6 million.The attacker constructed complex transaction paths, manipulated liquidity using fake token pools, funneled borrowed assets into pools under their control, and returned only minimal assets. This caused a large number of margin positions to rapidly become undercollateralized and triggered liquidations, ultimately depleting the protocol's reserve funds.Approximately $11.2 million in funds have been recovered or frozen so far. This includes some USDC and NEAR assets returned by the attacker, as well as about $4.34 million in USDT that was frozen (with assistance from Tether).
Odaily News Telegram founder Pavel Durov posted on X, stating that the "age verification app" proposed by the EU has design flaws and was compromised in just a few minutes. The reason lies in the fundamental security issues of its architecture that trusts user devices. The solution is positioned as "privacy-friendly," but it can actually be easily cracked. Its development path is summarized as follows: first, launch a system that appears to protect privacy but has vulnerabilities; after being compromised, use "fixes" as a reason to weaken privacy protection, eventually evolving into a surveillance tool in the name of privacy. Such "accidental vulnerability incidents" may be used to expand regulation, and the public is urged to stay vigilant.
According to threat intelligence released by the SlowMist security team (@SlowMist_Team), its threat intelligence system MistEye has received community reports identifying an active social engineering attack targeting cryptocurrency users. Attackers contact victims under the pretext of project collaboration and lure them into using a counterfeit “Harmony Voice” application (domain: harmony-voice[.]app) for so-called real-time translation—when in fact it is malicious software. SlowMist has already synchronized the relevant threat intelligence (IOCs) to its enterprise customers.
According to an official incident post-mortem report on the CoW Swap attack, its domain cow.fi was compromised via a supply-chain attack on April 14, 2026. Attackers exploited social engineering tactics to infiltrate the .fi domain registration process and hijack DNS resolution, causing users attempting to access swap.cow.fi to be redirected to a phishing site for several hours. During this period, attackers deployed a counterfeit trading interface and attempted to trick users into connecting their wallets and signing malicious transactions. The report states that this incident did not impact CoW Protocol’s on-chain smart contracts, backend systems, or user fund security; core infrastructure—including services hosted on AWS and Vercel—remained uncompromised. The attack occurred exclusively during the domain registration and transfer process: attackers gained control by forging identity documents and exploiting vulnerabilities in the registration workflow, briefly modifying the domain’s DNS records. The team detected the anomaly within 19 minutes and initiated emergency response procedures, subsequently migrating to cow.finance and fully restoring the cow.fi domain within approximately 26 hours. CoW’s team noted that affected users were primarily those who visited the official website during the domain hijacking window. Preliminary estimates place losses at around $1.2 million. The cow.fi domain has since been reactivated with enhanced security measures—including RegistryLock—and the team has launched external security audits, legal proceedings against the perpetrators, and is developing a potential user compensation plan. The official statement emphasizes that the vulnerability has been patched and outlines plans to improve domain infrastructure security through governance initiatives and industry collaboration.
According to Cointelegraph, stablecoin issuer Circle faces a class-action lawsuit in the U.S. District Court for the District of Massachusetts for failing to freeze stolen funds during the Drift Protocol hack on April 1. Plaintiffs allege that attackers transferred approximately $230 million worth of USDC from Solana to Ethereum via Circle’s cross-chain transfer protocol (CCTP) within hours—and that Circle failed to intervene. The lawsuit accuses Circle of aiding and abetting conversion and of negligence. Cryptocurrency analytics firm Elliptic previously suspected the attack may be linked to North Korea–backed hackers; the stolen funds were subsequently converted into ETH and laundered through Tornado Cash.
Paolo Ardoino, CEO of Tether, tweeted that Tether has frozen 3.29 million USDT in the hacker’s address associated with Rhea Finance. Earlier reports indicated that Rhea Finance was attacked via a fake token contract, resulting in approximately $7.6 million stolen.
Arkham monitoring shows that a U.S. government address has just transferred $606,470 worth of Bitcoin to Coinbase Prime. This Bitcoin was previously seized by the U.S. government from Ilya Lichtenstein, the Bitfinex hacker. It remains unclear whether this batch of stolen Bitcoin will be sold on Coinbase.
According to The Block, Grinex—a Russia-linked cryptocurrency exchange—suspended withdrawals and trading on Thursday after suffering a hack reportedly worth approximately $15 million. Blockchain analytics firm Elliptic stated that the stolen funds consisted of USDT, which were subsequently moved across the Tron and Ethereum networks and swapped for TRX and ETH to reduce the risk of being frozen by Tether. Grinex said its wallet infrastructure was hit by a “large-scale cyberattack,” resulting in losses exceeding 1 billion rubles—approximately $13.1 million. Reports indicate Grinex is widely regarded as one of the successor platforms to sanctioned exchange Garantex, which U.S. authorities targeted last year for facilitating hundreds of millions of dollars in illicit fund flows.
According to security firm CertiK (@CertiKAlert), the DeFi protocol Rhea Finance has been attacked. The attacker created a fake token contract and injected liquidity into a new liquidity pool, apparently aiming to mislead oracles and the verification layer, ultimately withdrawing approximately $7.6 million in assets.
According to on-chain analytics platform Lookonchain (@lookonchain), the U.S. government deposited 8.2 BTC (approximately $606,000) into Coinbase Prime; these funds originated from assets previously seized in connection with the Bitfinex hack.
The Ethereum Foundation announced that its jointly launched ETH Rangers program has completed its six-month run. The program aims to fund independent researchers who make public security contributions to the Ethereum ecosystem. Seventeen grantees achieved multiple accomplishments in areas including vulnerability research, security tool development, threat intelligence, and incident response—such as recovering or freezing over $5.8 million in funds, reporting or documenting 785+ vulnerabilities and client issues, identifying approximately 100 attackers, delivering security education content reaching over 209,000 users, and handling 36+ security incidents. Additionally, the program engaged over 800 teams in security challenges, produced over 80 technical talks and training sessions, and developed or improved seven or more open-source security tools. The Ethereum Foundation stated that these outcomes demonstrate that decentralized networks require “decentralized defense” to effectively enhance the overall security and resilience of the Ethereum ecosystem.
According to CoinDesk, Drift Protocol—the largest decentralized perpetual futures exchange on Solana—announced it has secured up to $147.5 million in funding from Tether and its partners (including $127.5 million from Tether and $20 million from other partners) following a hack that stole over $270 million. The funds will be used to restore user assets and relaunch the protocol. The attack was carried out on April 1 by a North Korea–linked group that had posed as a quantitative trading firm and infiltrated the protocol for approximately six months, causing the DRIFT token’s value to plummet roughly 70%. The funding structure combines revenue-linked credit, ecosystem subsidies, and market-maker loans, aiming to cover approximately $295 million in user losses. Upon relaunch, the protocol will replace USDC with USDT as its core settlement layer; Tether will simultaneously provide fee waivers, user incentives, and liquidity support.
Odaily News Drift announced on its official website that Drift Protocol has received support from Tether and other partners. Tether intends to contribute $127.5 million, while other partners plan to contribute $20 million, collectively supporting user recovery efforts following the April 1st attack. This support package includes a $100 million revenue-linked credit line, ecosystem grants, and loans provided to market makers. Drift will establish a dedicated user recovery pool, aiming to gradually address the $295 million in outstanding user losses as trading revenue grows. Additionally, Drift will issue independent recovery tokens to affected users, which represent a claim on the recovery pool and are transferable. Drift is currently in the process of restarting the protocol, having engaged Ottersec and Asymmetric for audits, and is migrating its settlement layer from USDC to USDT. The previous attack resulted in the theft of assets worth approximately $295 million, while the insurance fund assets remained unaffected.
According to an official disclosure by Hyperbridge, the losses from the Token Gateway vulnerability incident on April 13 have been revised upward from an initial estimate of $237,000 to approximately $2.5 million. The increase stems primarily from losses incurred in incentive pools on Ethereum, Base, BNB Chain, and Arbitrum. The attacker extracted roughly 245 ETH from related contracts, then bypassed the MMR proof verification mechanism by forging cross-chain messages, minting 1 billion bridged DOT tokens and dumping them onto illiquid markets. Currently, some of the stolen funds have been traced on-chain to Binance. Hyperbridge is collaborating with Binance’s compliance team and law enforcement agencies to investigate the incident. Polkadot-native DOT and products such as Intent Gateway remain unaffected. The Token Gateway and bridged DOT contracts on the four affected EVM chains remain suspended. An external audit of the patched MMR verification logic is underway, and bridging functionality will be restored upon completion of the audit.
According to Decrypt, Blockstream CEO Adam Back stated at Paris Blockchain Week that he supports advancing Bitcoin’s quantum resistance upgrade on an opt-in basis, opposing proposals to forcibly freeze quantum-vulnerable addresses. He emphasized that “preparation well in advance is far safer than scrambling to respond during a crisis,” and noted that the Bitcoin community possesses strong coordination capabilities to rapidly address critical vulnerabilities. Previously, developer Jameson Lopp and five others proposed BIP-361 (“Post-Quantum Migration and Legacy Signature Sunset”), which advocates phasing out quantum-vulnerable addresses over five years and ultimately freezing coins held in unmigrated addresses—including approximately 1.7 million bitcoins held by Satoshi Nakamoto.