Over $1B gone in four months — DeFi's worst security stretch
The sober counterweight to 2026's optimism: more than $1B stolen in four months, a $292M KelpDAO hit, and state actors industrializing the playbook.
For all the optimism about AI agents and interop, 2026 opened as one of the worst years on record for DeFi security. More than $1 billion was stolen in the first four months alone. As the ecosystem matured, the attack surface didn't shrink — it grew.
The big one — KelpDAO, $292M
The largest hit of the year so far is KelpDAO at $292M. The Lazarus Group — North Korea's state hacking apparatus — was linked to both the KelpDAO and Drift Protocol attacks. This isn't opportunistic scammers; it's a well-resourced adversary treating DeFi as a funding line.
March — a record month
PeckShield counted roughly $52M stolen in March across about twenty significant incidents — a 96% jump over February's $26.5M. The most severe wasn't a Solidity bug at all: attackers exploited a weakness in AWS Key Management Service to reach Resolv Labs' cloud infrastructure and mint ~80M unbacked USR stablecoin tokens.
The Resolv exploit is the lesson of 2026: the contract was fine. The cloud account holding the keys was not. Your perimeter is bigger than your Solidity.
[Chart: WHERE THE MONEY LEAKS — 2026. Bars, largest to smallest: cross-chain bridges (the most dangerous part of the stack); infra / keys (KMS) (Resolv: AWS KMS → mint ~80M USR); contract logic (classic Solidity bugs).]
Industrialized, not random
The Chainalysis 2026 report documented $3.4B stolen in 2025, with North Korea-linked actors alone responsible for over $2B through increasingly sophisticated DeFi and cross-chain tactics. Cross-chain bridges remain the single most dangerous part of the stack — the uncomfortable flip side of the interop story: as chains converge, the blast radius of a bridge failure grows with them.
What it means if you build
- Bridges are the soft underbelly — minimize cross-chain trust; every hop is a target.
- Your perimeter isn't just the contract — cloud, KMS, CI/CD and admin keys are in scope. A Solidity audit doesn't cover your AWS account.
- Assume a nation-state-grade adversary — threat-model for Lazarus, not for a script kiddie.
- An audit is a snapshot, not a guarantee — monitoring, kill-switches and incident response matter as much as the audit PDF.
The anatomy of a 2026 hack
The pattern repeats, and the entry point is rarely the headline contract. It's a leaked or mis-scoped key, an admin/upgrade function, a price feed that can be nudged, or a bridge that trusts a signer set. Once inside, the attacker mints, drains or re-routes, then launders through cross-chain hops faster than anyone can freeze the funds.
recon ──→ entry (key / admin / oracle / bridge)
      │
      ↓ escalate (mint, upgrade, drain)
      │
      ↓ exfiltrate ──→ bridge hop ──→ bridge hop ──→ mixer
        (minutes — faster than a freeze)

Recovery is the rarer story. A few protocols negotiated white-hat returns; most didn't. Onchain insurance and incident funds exist but are thin against nine-figure losses. The honest takeaway: prevention is the only cheap option — by the time funds move cross-chain, they're usually gone.
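As an added example (not code from this article or from any protocol it names), here is the kind of monitor the "monitoring, kill-switches and incident response" point above asks for, aimed at the escalate step in the sequence: it replays ERC-20 Transfer events and raises an alert when mints from the zero address exceed a per-window budget, which is the signal an automated pause would hang off. The token decimals, addresses, window length, budget and the sample events are all constructed values.

```python
# Added example (not the article's or any protocol's code): a sliding-window mint
# budget of the kind a kill-switch or pager would hang off. Decimals, addresses,
# window and budget are all constructed values.
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-20 mints surface as Transfer events from the zero address
DECIMALS = 10 ** 18     # assumed 18-decimal token

@dataclass
class Transfer:
    block: int
    src: str
    dst: str
    amount: int         # base units

class MintMonitor:
    """Alert when mints within the last `window` blocks exceed `budget` base units."""
    def __init__(self, window: int, budget: int) -> None:
        self.window, self.budget = window, budget
        self._mints: deque[tuple[int, int]] = deque()  # (block, amount), oldest first
        self._in_window = 0

    def observe(self, ev: Transfer) -> str | None:
        if ev.src != ZERO:
            return None                                  # ordinary transfer, not a mint
        cutoff = ev.block - self.window
        while self._mints and self._mints[0][0] <= cutoff:
            self._in_window -= self._mints.popleft()[1]  # drop mints that aged out
        self._mints.append((ev.block, ev.amount))
        self._in_window += ev.amount
        if self._in_window > self.budget:
            return (f"ALERT block {ev.block}: {self._in_window // DECIMALS:,} tokens minted "
                    f"in {self.window} blocks, budget {self.budget // DECIMALS:,}")
        return None

def scan(events: list[Transfer], window: int, budget: int) -> list[str]:
    """Replay events in block order and collect every alert raised."""
    mon = MintMonitor(window, budget)
    return [a for ev in sorted(events, key=lambda e: e.block) if (a := mon.observe(ev))]

# Constructed sample: two routine mints, one plain transfer, then an 80M-token mint.
TREASURY, ATTACKER = "0x" + "1" * 40, "0x" + "2" * 40
SAMPLE = [Transfer(100, ZERO, TREASURY, 100_000 * DECIMALS),
          Transfer(150, TREASURY, ATTACKER, 5_000 * DECIMALS),
          Transfer(220, ZERO, TREASURY, 100_000 * DECIMALS),
          Transfer(300, ZERO, ATTACKER, 80_000_000 * DECIMALS)]
ALERTS = scan(SAMPLE, window=7200, budget=1_000_000 * DECIMALS)  # one alert, at block 300
```

The budget is deliberately far below any plausible legitimate issuance so that a single out-of-policy mint trips it; the window makes slow drips add up rather than slip under a per-transaction cap.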
The irony writes itself: the same convenience that makes 2026's crypto feel seamless — bridges, shared infra, agents moving money on their own — is exactly what widened the attack surface. Convenience and risk grew together.