Since April, there have been frequent cryptocurrency security incidents. Who is to blame: North Korean hackers or a top AI model?
BlockBeats News, April 29: April 2026 has become the worst month for the crypto industry in terms of losses since an exchange was hacked for $1.4 billion in February 2025. According to DeFiLlama data, 12 security incidents in the first 18 days of the month (through April 18) caused total losses of over $606 million, equivalent to 3.7 times the total losses in the first quarter.
On April 1, Drift Protocol, a perpetual contract protocol in the Solana ecosystem, suffered a $285 million attack. Starting in the fall of 2025, the attacker infiltrated the team through social engineering, built trust with security council members over several months, induced them to pre-sign multiple transactions that seemed harmless, and ultimately executed two transactions one second apart to transfer permissions and drain liquidity.
On April 18, the LayerZero cross-chain bridge of KelpDAO, an Ethereum liquidity rehypothecation protocol, was breached, and 116,500 rsETH tokens (approximately $292 million) were stolen. The attacker, a subunit of the North Korean Lazarus Group named TraderTraitor, then deposited the stolen funds into lending platforms like Aave and borrowed around $190 million of real assets, leaving Aave with over $123 million in bad debt and wiping more than $13 billion off overall DeFi TVL within 48 hours.
Furthermore, in late April, several small protocols suffered security incidents in succession. Although the funds lost were not substantial, the industry's confidence in DeFi security has been badly shaken.
On the one hand, North Korean hackers have shifted from "technical barriers" to "human penetration." The attack chain starts with fake Zoom meeting links, and AI is now being put to practical use in social engineering.
On the other hand, top-tier AI models like Anthropic's new Mythos model have become a new variable in altering the balance of offense and defense. This model's general-purpose code reasoning ability has surged, enabling it to autonomously discover thousands of zero-day vulnerabilities, including a 27-year-old kernel flaw in OpenBSD, and link multiple low-level vulnerabilities into a complete attack chain.
A more immediate threat is that a large portion of the code in the current DeFi ecosystem was deployed before modern code reasoning models emerged, allowing attackers to now leverage AI tools to systematically and inexpensively scan historical legacy configuration flaws, while the defense side's AI auditing tools have not yet been fully integrated. This "attackers using AI first, defenders playing catch-up later" time gap constitutes the most dangerous window of opportunity at present.
