Decentralized finance faces an investor exodus as nearly $14 billion has been withdrawn from the sector following a series of major hacks, according to data from tracking firms and reported by outlets including the Financial Times and Regulation Asia.
The pullout reflects a sharp loss of investor confidence after two of the largest cryptocurrency exploits in history struck within weeks of each other in April 2026. On April 1, attackers linked to North Korea’s Lazarus Group drained $285 million from Drift Protocol, Solana’s largest decentralized exchange for perpetual contracts, according to blockchain intelligence firm TRM Labs.
Seventeen days later, on April 18, a second attack hit KelpDAO’s LayerZero-powered bridge, stealing roughly $292 million in rsETH tokens—about 18% of the token’s circulating supply, according to Chainalysis. The KelpDAO exploit exposed a critical vulnerability in cross-chain bridge infrastructure, with attackers exploiting a single compromised verifier configuration to drain the protocol’s assets.
The back-to-back attacks triggered a cascade of withdrawals across the broader DeFi ecosystem. Aave, Lido, and other major protocols saw users flee as confidence in the sector’s security deteriorated. JPMorgan noted in April that persistent hacks appear to push investors toward Tether’s USDT, as users move funds out of DeFi during stress, according to The Block.
April 2026 became the worst month on record for DeFi losses. A total of $635 million was stolen across 28 separate exploits in 30 days, with the Drift and KelpDAO hacks accounting for nearly 90% of the total, according to svrn.net. Q2 2026 extended the damage, setting an all-time high for exploit count—approximately 70 incidents and $746 million in losses, according to data from thedefiant.io confirmed by DefiLlama.
The Nature of the Breaches
Neither the Drift nor KelpDAO exploits stemmed from flawed smart contract code. Instead, both attacks exploited operational and infrastructure weaknesses. The Drift hack involved a six-month social engineering campaign by North Korean operators that began in fall 2025, targeting contributors and cloud assets, according to The Hacker News. Attackers used Solana’s “durable nonces” feature to trick Drift Security Council members into unknowingly pre-signing transactions, as detailed by Chainalysis.
The KelpDAO breach highlighted risks in bridge architecture. Attackers exploited a 1/1 decentralized verifier configuration—meaning a single compromised key could authorize transactions—to forge LayerZero messages and drain the protocol. The incident exposed how a single point of failure in cross-chain infrastructure can trigger a DeFi-wide liquidity crisis, according to Instagram posts and blockchain analysis.
Over $4.2 billion has been drained from DeFi protocols through smart contract exploits between 2020 and 2025, with most having passed formal audits, according to BugBlow. This pattern underscores that traditional security audits, while necessary, cannot catch all operational vulnerabilities or human-factor attacks.
Investor Recovery and Outlook
DeFi’s total value locked (TVL) has begun recovering from the April nadir. As of mid-June 2026, TVL climbed back above $130 billion, according to Yellow.com. However, this represents a decline from the $170 billion peak reached in October 2025, according to Binance data cited in a People Also Ask result from a June 2026 search. Value Add VC reported that $110 billion in TVL sits in DeFi in 2026, down from the $180 billion peak in 2021 but roughly 3x the 2022 bear-market floor of approximately $38 billion.
The exodus reflects deeper concerns about DeFi’s maturity. While the sector continues to attract capital, the concentration of losses among major protocols and the repeated exploitation of both code and operational vulnerabilities have prompted investors to reassess risk. The Financial Times reported in May that nearly $14 billion was pulled from decentralized finance specifically in response to the hacks, signaling a significant vote of no-confidence in the sector’s current security posture.
Sources
- Financial Times — Reported nearly $14 billion pulled from DeFi following North Korean-linked hacks in May 2026
- Regulation Asia — Confirmed $14 billion withdrawal from DeFi after major hacks raised security concerns
- TRM Labs — Attributed Drift Protocol $285 million hack to North Korean hackers on April 1, 2026
- Chainalysis — Provided forensic analysis of both Drift and KelpDAO exploits, detailing attack vectors
- CoinDesk — Reported KelpDAO exploited for $292 million with wrapped ether stranded across 20 chains
- The Block — Reported JPMorgan analysis linking persistent hacks to investor flight toward Tether
- The Hacker News — Traced Drift hack to six-month DPRK social engineering campaign beginning fall 2025
- svrn.net — Documented April 2026 as DeFi’s worst month with $635 million lost across 28 exploits
- thedefiant.io — Confirmed Q2 2026 as most-hacked quarter in DeFi history with 70 exploits and $746 million lost
- Yellow.com — Reported DeFi TVL climbed back above $130 billion as of June 16, 2026
- BugBlow — Documented $4.2 billion lost to smart contract bugs between 2020 and 2025, most having passed audits
- Value Add VC — Reported $110 billion+ in DeFi TVL as of June 2026, down from $180 billion 2021 peak
