12 DeFi Protocols Hit in Two-Week Hack Spree Following $280M Drift Exploit



James Ding
Apr 17, 2026 06:47

At least 12 crypto protocols attacked since the April 1 Drift Protocol hack, with losses including $13.7M from Grinex and $7.6M from Rhea Finance.





The Drift Protocol exploit on April 1 appears to have kicked off open season on DeFi. In the 16 days since attackers drained $280 million from the Solana-based perpetuals platform, at least 12 additional crypto protocols and exchanges have been compromised.

The victim list reads like a cross-section of the industry: CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, Binance Smart Chain’s TMM pool, Aethir, MONA, Zerion, Rhea Finance, and Russia-linked exchange Grinex. Combined with Q1’s already elevated hack activity—$168.6 million stolen from 34 DeFi protocols according to DefiLlama—the sector is facing its worst security crisis in years.

Fresh Wounds: Rhea and Grinex Fall Thursday

Rhea Finance disclosed Thursday that attackers exploited a vulnerability in its margin trading feature, executing what the protocol called a “coordinated pool manipulation attack” against its Lend smart contract. CertiK pegged the damage at $7.6 million.

The attack vector was clever. “The attacker created fake token contracts and added liquidity in fresh pools, likely misleading the oracle and validation layer,” CertiK explained. Sound familiar? The Drift attackers used a similar playbook—whitelisting a fabricated token (CVT) as collateral before draining real assets.

Hours earlier, Grinex suspended all operations after losing $13.7 million. The exchange blamed “unfriendly states” without elaborating, though the timing and methodology fit patterns associated with North Korean operations.

The Drift Playbook Spreads

What makes the Drift hack particularly dangerous isn’t just its $280 million price tag—it’s the sophistication of the social engineering that enabled it. Attackers spent months posing as a quantitative trading firm, building relationships with Drift contributors before exploiting Solana’s durable nonces feature to trick Security Council members into pre-signing malicious transactions.

Both the Drift and Zerion wallet exploits have been linked to DPRK-affiliated groups using AI-enhanced social engineering. These aren’t script kiddies hunting for unaudited contracts. They’re patient, well-resourced operations targeting human trust rather than code flaws.

The smaller hacks this month tell a similar story of varied attack surfaces. Silo Finance lost $392,000 on April 3 from a misconfigured oracle. Dango’s bridge aggregator bled $410,000 through a smart contract bug on April 13. Aethir’s GPU computing platform gave up $423,000 via access control failures on April 9. The BSC TMM/USDT pool lost $1.67 million to reserve manipulation.

Market Shrugs—For Now

Solana’s SOL token actually climbed 4.55% in the past 24 hours to $89, suggesting traders view these as protocol-specific failures rather than ecosystem-wide contagion. But with Drift’s hack disrupting at least 20 protocols that relied on its liquidity, the second-order effects may take longer to materialize.

Security researchers are already warning that advancing AI models could accelerate these social engineering attacks. When an attacker can automate relationship-building across dozens of targets simultaneously, the math changes dramatically in their favor.

For DeFi users, the message is clear: smart contract audits aren’t enough when the real attack surface is the humans holding the keys.
