A Rough Month for Crypto Security

April was a bad month for crypto security, and not in one specific way. Bridges broke. Admin keys got compromised. Malware kept evolving. Fake apps still worked. Social engineering got more aggressive. Insider risk stayed real. At the same time, the industry also started reacting with new frameworks, new regulatory steps, and even early discussion around quantum protection. What stands out is not just the number of incidents. It is how many different security surfaces failed at once.

May 24, 2026 at 3:24 PM | 6 min read
By Bron

Kelp Protocol Loses $293 Million Following Cross-Chain Bridge Attack

Kelp lost around $293 million after an attacker exploited a vulnerability in the rsETH cross-chain bridge on LayerZero. The exploit targeted the lzReceive flow and allowed 116,500 rsETH to be moved to the attacker’s wallet. The team managed to pause contracts within 46 minutes, which stopped further withdrawal attempts, but the damage was already massive. It was also the second serious security incident for Kelp in roughly a year. The case is another reminder that bridge logic remains one of the weakest parts of crypto infrastructure.

North Korean Hackers Linked to $280 Million Drift DeFi Protocol Breach

Researchers linked the $280 million Drift breach to North Korean actors, specifically the Lazarus group. The attack reportedly bypassed updated multisig controls, used fake collateral and oracle manipulation, and ended with stolen assets swapped and bridged out. More than 100 investors later filed a class action case tied to the fallout. This was a patient, prepared operation using both technical and organizational weaknesses.

Wasabi Protocol Loses Over $5 Million After Admin Key Compromise

Wasabi was hit after an attacker gained access to an administrative key and used a UUPS upgrade path to replace contract logic. That gave them control to drain funds across Ethereum, Base, Berachain, and Blast. There was no multisig, no timelock, and no governance layer protecting the upgrade flow. This is the kind of incident that should be harder to see in 2026, yet it keeps happening. One compromised admin path still remains enough to break an entire protocol.
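As an added illustration (not Wasabi's code, and not from the original post), the two contracts below contrast the pattern described above, a UUPS upgrade path authorised by one owner key, with one where the only address allowed to authorise an upgrade is a timelock contract, so every implementation change has to be proposed and wait out the delay before it can execute. Contract names are hypothetical; the OpenZeppelin imports and `_authorizeUpgrade` hook are real, and the timelock's proposer is assumed to be a multisig.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Weak pattern (hypothetical contract): whoever holds the owner key can point
// the proxy at any implementation in a single transaction. One leaked key is
// enough to replace the logic and drain whatever the contract holds.
contract VaultSingleKey is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    function initialize(address admin) external initializer {
        __Ownable_init(admin);
        __UUPSUpgradeable_init();
    }

    // No multisig, no timelock, no governance layer: just the owner check.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Hardened pattern (hypothetical contract): the only caller allowed to
// authorise an upgrade is a TimelockController. A new implementation must be
// scheduled by a proposer (assumed to be a multisig), wait out minDelay, and
// then be executed, which gives monitoring and users time to react.
contract VaultTimelocked is Initializable, UUPSUpgradeable {
    address public timelock;

    error NotTimelock(address caller);

    function initialize(address timelock_) external initializer {
        require(timelock_ != address(0), "timelock required");
        __UUPSUpgradeable_init();
        timelock = timelock_;
    }

    // Reject any upgrade that does not come through the timelock, regardless
    // of which key signed it.
    function _authorizeUpgrade(address) internal view override {
        if (msg.sender != timelock) revert NotTimelock(msg.sender);
    }
}
```

Deploy `VaultTimelocked` behind an ERC-1967 proxy and pass the address of an OpenZeppelin `TimelockController` (constructed with a non-zero `minDelay`, the multisig as proposer, and no admin) to `initialize`; the upgrade then only succeeds as the execution step of a scheduled timelock operation.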

C2 Addresses for Crypto-Stealing Malware Found on Spotify and Chess.com

Researchers found that the MaskGram malware was hiding its command-and-control infrastructure inside public profiles on Spotify and Chess.com. Instead of connecting to obviously suspicious servers, infected systems pulled data from trusted public platforms. The malware targeted browser data, wallet credentials, emails, messengers, and VPN logins. It is a clever but simple idea: hide malicious infrastructure inside normal traffic so detection becomes much harder. Crypto users still underestimate how much malware now depends on blending in, not standing out.

Updated SparkCat Stealer Targets Seed Phrase Images on iOS and Android

A newer version of the SparkCat malware was found inside apps on both the Apple App Store and Google Play. It scans users’ photo galleries for images containing wallet recovery phrases and uploads matching images to attacker-controlled servers. That alone should kill the idea that storing seed phrases as screenshots is “good enough for now.” It was never a smart habit, and now malware is being built specifically around it.

Hyperbridge Exploit: 1B Fake DOT Minted

Hyperbridge was exploited after an attacker gained admin rights and minted 1 billion fake ERC-20 DOT tokens on Ethereum. The entire amount was dumped in one transaction. The financial loss in dollar terms was smaller than some of the other incidents, but the lesson was the same. If a bridge or wrapped asset system still gives too much power to one privileged path, the attacker does not need sophistication. They just need access.

US Treasury Begins Implementation of GENIUS Act

Not all major April developments were hacks. The US Treasury started implementing the GENIUS Act, opening a 60-day public comment period and setting out a framework for stablecoin issuers. The law pushes full reserve backing, monthly disclosure, AML and CFT compliance, and federal oversight for larger issuers. Smaller issuers may still operate under state regimes if those standards are comparable. It is an important sign that stablecoin infrastructure is moving into a more formal regulatory phase.

Solana Launches STRIDE and SIRN Security Framework

The Solana Foundation introduced STRIDE, a structured security assessment framework, and SIRN, a coordinated incident response network. STRIDE evaluates protocols across multiple security areas, while SIRN is meant to help security firms coordinate in real time when something breaks. Projects above certain TVL thresholds may get continuous monitoring or funded formal verification. That does not solve everything, but it is at least the kind of response serious ecosystems need after repeated large-scale failures.

Bitcoin Developer Proposes Quantum Protection Tool for Wallets

A prototype tool was introduced to help Bitcoin wallets prepare for a potential future quantum threat. The idea uses zk-STARK proofs to verify ownership without relying on today’s signature model. It is still early, and there is no integration timeline, but it shows where the conversation is heading. Crypto has mostly treated quantum risk as a distant problem. That may still be true, but April showed that more developers are starting to think about practical fallback options.

Quantum Protection for Bitcoin Proposed Without Soft Fork

A separate proposal from StarkWare’s side took a different route. Instead of relying on a protocol upgrade or soft fork, it suggested a hash-based signature scheme that works within current Bitcoin Script rules. The tradeoff is cost. Estimates put it at around $75 to $150 per transaction, which makes it unrealistic for normal use or micropayments. Still, the proposal matters because it shows people are not waiting for consensus changes before exploring alternatives.

Obsidian Note App Used to Deliver PHANTOMPULSE Trojan

Elastic Security Labs described a campaign where attackers posed as venture capital firms, moved conversations to Telegram, and then convinced victims to open a shared Obsidian vault. Malicious plugins inside the vault triggered silent code execution. On Windows, the payload installed a remote access trojan. On macOS, the campaign leaned on AppleScript and Telegram as fallback channels. This is a good example of how modern crypto-targeted attacks no longer need obviously malicious software. They can piggyback on tools professionals already trust.

Fake Ledger App Steals 5.9 BTC

A fake Ledger app listed on the App Store stole 5.9 BTC after a victim entered their recovery phrase into the fraudulent interface. The funds were later routed to KuCoin deposit addresses. This is not a new category of scam, which makes it worse, not better. The same lesson keeps repeating: once a seed phrase is entered into the wrong place, the wallet is gone. There is no second layer, no brake, no buffer.

North Korean IT Workers Infiltrated Crypto Projects for Years

Security researchers and on-chain investigators reported that North Korean IT workers had spent years infiltrating crypto projects under fake identities. The exposed network allegedly included hundreds of accounts and around $1 million per month in crypto-to-fiat conversions. Some of the internal training material reportedly included reverse engineering and exploit development.

Kraken Reports Insider Access Incident and Extortion Attempt

Kraken disclosed that around 2,000 accounts may have been affected by insider-related incidents involving improper access by support staff to restricted user data. The company said there was no infrastructure breach and no client fund loss, but at least one employee had reportedly been recruited by attackers. This matters because it shows how fragile internal permissions can become in large platforms.

New Lazarus macOS Campaign Targets Crypto Firms

Researchers warned about a new Lazarus-linked campaign targeting macOS users in crypto and fintech. Victims were approached through fake meeting invites and pushed into pasting a so-called fix command into the terminal. From there, malware could gain access to corporate systems and SaaS tools. Several variants were identified, including fake Cloudflare domains. The campaign was also linked to the broader pattern behind recent DPRK-related hacks. Again, the key point is not technical novelty. It is how effective simple social engineering remains when combined with believable context.

What April Actually Showed

If you look at these incidents together, one point becomes hard to ignore.

Crypto has a long list of security problems, and they are stacking.

The weak points are everywhere: bridge validation, admin privileges, multisig design, upgradeability, app distribution, device hygiene, insider access, contractor screening, social engineering, and recovery models built around seed phrases. Some of these are protocol level issues. Some are product issues. Some are just old operational mistakes that the industry still has not grown out of.

The deeper problem is that too much crypto infrastructure still assumes users and teams will behave perfectly. They will not. People panic. People trust the wrong app. People reuse bad security habits. Attackers know this, and they keep designing around it.

That is why the next standard in self-custody and protocol design cannot just be “more education.” It has to be better architecture. Less blind trust. Fewer single points of failure. More policy controls. More delays where they matter. Better recovery design. Better internal governance.

April was not a one-off bad stretch. It was a very clear picture of what crypto security still looks like when real pressure hits.

Bron is built to withstand that kind of pressure, and we'll keep building.
