
Evolution of Attack Patterns in the Crypto Industry: Insights from 20 Security Incidents
This content has been translated by AI
Summary
Analysis of 20 crypto security incidents reveals that while technical vulnerabilities are frequent,
BroadChain learned that at 19:00 on April 21, 2026, Kelp DAO suffered a loss of $292 million due to an attacker exploiting uncollateralized tokens for borrowing on Aave, which is just one example in a recent series of security incidents. From Drift Protocol's $285 million to Step Finance's approximately $30 million, and Resolv Labs' around $23 million, the industry is facing ongoing security challenges. An analysis of 20 representative historical cases reveals several key trends: while technical vulnerabilities account for the majority of incidents, the losses per case are relatively limited. In contrast, permission and social engineering attacks, though fewer in number, contribute to the vast majority of the total losses. The scale of permission-based attacks continues to escalate, with the four largest loss incidents all linked to North Korean hacker groups. Meanwhile, the battleground for technical vulnerabilities is shifting, with cross-chain bridge security issues being particularly prominent. 
Among the top ten projects by losses:

1. Bybit: $1.5 billion, February 2025, due to front-end hijacking and multi-signature fraud by the North Korean hacker group Lazarus Group.
2. Ronin Network: $624 million, March 2022, due to a social engineering attack.
3. Poly Network: $611 million, August 2021, due to a cross-chain contract permission vulnerability.
4. Wormhole: $326 million, February 2022, due to a signature verification vulnerability.
5. Drift Protocol: $285 million, April 2026, due to targeted infiltration and pre-signed transaction scams.
6. WazirX: $235 million, July 2024, due to the gradual compromise of a multi-signature wallet.
7. Cetus: $223 million, May 2025, due to an arithmetic overflow vulnerability.
8. Gala Games: $216 million, May 2024, due to the leakage of a high-privilege account's private key.
9. Mixin Network: $200 million, September 2023, due to the leakage of a cloud database private key.
10. Euler Finance: $197 million, March 2023, due to inconsistencies in internal calculation logic exploited via flash loans.

Among recent cases, Hyperbridge lost approximately $2.5 million in April 2026 due to a proof verification logic flaw, and Venus Protocol lost between $3.7 million and $5 million in March 2026. These incidents show that attack patterns are shifting from simple smart contract vulnerabilities to more complex combined attacks that target weaknesses in human-machine interaction and permission management.