😵‍💫 Biggest hack of 2026 in DeFi.

PLUS: Europe is being asked to protect its banks from something it is not permitted to examine.

Author

Cryptopolitan News
April 21, 2026 • Estimated Reading Time: 5 minutes

Biggest hack of 2026 in DeFi. It broke one of the oldest promises in crypto with its response.

On the afternoon of Saturday someone came up with a message. That is where it started.

KelpDAO's bridge leveraged LayerZero V2 and as with much of cross-chain infrastructure it had a small group of validators tasked to validate the legitimacy of transfers from one blockchain to another.

The days leading up to the hack the attacker was using stealth to gain control of the right nodes. When the moment was ripe, they took down all remaining of them with a DDoS attack and bashed confirmation out.

The bridge believed it. Kelp's Ethereum adapter released 116,500 rsETH tokens in one block without any assets being destroyed on the other side. Seconds later that 116,723 token adapter balance had dropped to 223. Approximately 18% of total rsETH supply had recently been minted out of nowhere.

That was $292 million. The biggest DeFi exploit of 2026, a few million past the Drift hack on April 1.

The part that made it worse

Most hackers take the money and flee buy this one had a different thought about it.

The attacker deposited 89,567 of the newly-minted rsETH into Aave lending markets in Ethereum and Arbitrum within hours of the exploit, and used it as collateral to borrow ~82,650 WETH -- $19 million worth of real assets -- backed by tokens that were themselves backed by zero.

The major problem was that when rsETH collapsed, Aave found itself in the unfortunate position of holding collateral worth less than what the loans were for.

Well, rsETH had already become an integral part of DeFi, and as such the problem was instantaneous. rsETH was accepted as collateral by Aave, Compound, Euler, SparkLend and Fluid. All of them froze simultaneously.

Within 48 hours, the TVL of Aave plummeted from almost $15 billion to $8.4 billion. AVEO estimates its bad debt across seven affected markets to be between $123.7 million and $230.1 million, respectively. The Aave DAO treasuries have $181 million. That gap is not comfortable. Preliminary on-chain forensics lead back to Lazarus Group, the state-backed North Korean collective that has stolen billions in crypto over the years.

Then Arbitrum went and did the one thing it was not meant to do

Two days after the hack on April 20, Arbitrum's Security Council transferred 30,766 ETH out of the attacker's wallet into a new address. Without the attacker's signature. Without their keys. The council, under an emergency power known as a forced state transition, agreed to transfer the funds after learning of the identity of the exploiter from law enforcement. The ETH will be frozen until Arbitrum governance decides what to do with it. Roughly 25 cents of every dollar stolen ($71 million) recovered

This was the appropriate decision in practice. They had yet to be bridged back to Ethereum. The window was open. The focus of bad debt was a real and spreading contagion. Acting made sense.

But here is what it means. A leading Layer 2 blockchain just proved it can sweep money out of your wallet without consent And this time, the Security Council exercised that power against a criminal. The principle it invoked does so without that caveat.

Crypto's pitch to the world has always been that the code is the law and no one is above it. Not a bank, not a state. That argument held through KelpDAO's hack. Arbitrum's response did not.

The bigger picture

This week Ledger's CTO stated that 2026 appears to be "one of the worst years for DeFi security ever". KelpDAO is the second nine-figure exploit in 3 weeks — both North Korean-linked, all bridge infrastructure, and collateral contagion propagating instantly across protocols.

But this composability that is DeFi's blessing is also why a single well placed exploit can cause so much damage. rsETH was not isolated. It was infrastructure. When that failed, it then failed across 20 chains at once, at machine speed, with humans rushing to freeze markets by hand long after the damage was done.

The emergency key managed to get that job done this time. But each time it is used, that line of DeFi vs a bank with some additional steps becomes even more blurred.

POLL: Did Arbitrum do the right thing?

Login or Subscribe to participate in polls.

📊 Market Watch

1️⃣ Bogus Hormuz open offers targeted at stricken ship owners One got shot for paying in crypto.

MARISKS, a Greek service that assesses risks faced by ships and freight companies, said Monday unidentified people have been contacting shipping firms with all types of vessels trapped inside the Gulf informing them to pay in either Bitcoin or Tether for safe passage through Hormuz.

The messages purport to be from authorities in Iran. They do not. This scam requests vessel documents first, sets a fee payable in BTC or USDT next and then guarantees a transit window. MARISKS think that at least one vessel did pay. One of the presumed victims is a ship that tried to depart on Saturday and was fired at by an Iranian ship. Some 2,000 ships and 20,000 seafarers remain stuck.

Oil Monday soared to 6% as the number of daily strait traffic dropped to seven vessels. The Iranian toll systems are virtually identical on the outside in both real and fake forms. That is the point.

2️⃣ A total of $160 billion in refunds from tariffs. Walmart is owed a total of $10.2 billion.

In February, the Supreme Court ruled against said IEEPA duties which helped pave the way for the Trump administration to open its portal Monday.

Phase 1: Covers some unliquidated entries; refunds within 60–90 days after filing. According to analyses conducted by Citi, Walmart is owed $10.2 billion, Target $2.2 billion, Nike $1 billion, Kohl's $550 million, Gap $400 million and Macy's$320 million.

This cash wouldn't figure in guidance, but could be used for buybacks or debt paydowns. Also on the same day as the portal opening, Trump tweeted: 50% Tariffs on any Country supplying arms to Iran (with no exceptions).

3️⃣ Military Officers in Israel embezzled millions via crypto wallets. This is the second case in two months.

Former Israel Police, classified units of the IDF charged with bribery, money laundering after allegedly stealing tens of millions and moving bulk through crypto wallets. More than 50 million shekels, or $13 million, worth of wallets and cash was confiscated by authorities.

There was cooperation with the Shin Bet, Military Police, and Police Internal Investigations. In a different case two months ago, a reservist was charged for betting on Polymarket using classified military intelligence.

According to Chainalysis, illicit crypto transaction volume peaked at $154 billion in record highs in 2025. That same year, Iran moved $7.78 billion worth of cryptos through crypto flows. Through a ruble-backed token, Russia moved $93.3 billion within less than a year. The boundary between state finance and malfeasance has seldom appeared so blurry.

 🐥 Tweet of the day

Are you watching?

Europe is being asked to protect its banks from something it is not permitted to examine.

And that is basically what Bundesbank president Joachim Nagel said in Rome on Tuesday. Anthropic's Mythos is the model that autonomously discovers and exploits software vulnerabilities at machine speed, and there are no access points between it and Europe's financial institutions. The partners of Project Glasswing are near-entirely American. The risk posed by the current upheaval is one that European banks are struggling to quantify.

The numbers Nagel gave provide a glimpse into why this is structural, not temporary. Here is the data that US institutions created 40 leading AI models in 2024. Europe built three. Private investment in AI in the US reached $109 billion. Europe managed $19 billion. Private investment in China was lower, but it invested an estimated $62 billion through state support. The EU was also responsible for $1.2B of government AI investment The gap is not closing.

Also, the same week that Nagel made his remarks, Anthropic revealed a 10 year $100 billion deal with Amazon to reserve up to five gigawatts of compute for Claude training and deployment. More than 100,000 customers at this point operate Claude on Amazon Bedrock. The compute advantage is marching faster than any regulatory framework can react to.

Europe has sound privacy law and serious institutions. It lacks a frontier AI model, it lacks a sovereign compute stack, it does not have a seat at that table where Mythos access decisions are made. Nagel has all of these gaps in his sights at once. But the more pressing question is whether or not anyone with enough capital to buy those clubs and close them down is paying attention.

Meme of the day

Join the Conversation!

We'd love to hear your thoughts and comments. Join our community and stay updated with the latest trends and discussions in crypto.