North Korean hackers account for 76%. How much longer can DeFi security hold up?

链上雷达
2 hours ago

In 2026, the global cryptocurrency security situation reached an extremely high-pressure turning point. According to AiCoin, citing the latest report from TRM Labs, the total losses from global cryptocurrency hacking attacks reached approximately $577 million in just the first four months of 2026, with about 76% of the stolen funds linked to North Korean-related organizations. This data not only indicates that the landscape of hackers is rapidly concentrating among highly organized professional teams but also reveals an exponential growth trend of this threat: North Korea's share of global cryptocurrency theft has surged from 22% in 2022 to 64% in 2025, further climbing in the first four months of this year. Since 2017, such organizations have accumulated illegal profits exceeding $6 billion through on-chain attacks, becoming a core variable threatening the stability of the on-chain ecosystem.

Meanwhile, the defense systems of DeFi protocols are facing severe challenges. Recently, Wasabi Protocol and Aftermath Finance, a perpetuals protocol deployed on Sui, were both attacked, reigniting market concerns about the safety boundaries of protocols and the mechanisms for protecting user assets. According to monitoring data from AiCoin, Wasabi Protocol experienced about $5.15 million in abnormal capital flow on the Ethereum and Base chains, with confirmed losses of about $2.9 million; Aftermath Finance was forced to suspend its protocol after a vulnerability was exploited. Although Aftermath's officials have promised to complete full compensation for users within 48 to 72 hours and received assistance from the Sui Foundation, this "lose first, compensate later" model still highlights the current imbalance between on-chain offense and defense. As both the tooling of professional hacker groups and the defensive strategies of protocols escalate, the on-chain security risks of 2026 are no longer isolated random events but a systemic survival challenge.

76% of Losses Attributed to North Korea: The Hacker Landscape is Being Redefined

The latest report from TRM Labs shows that in the first four months of 2026, the total losses from global cryptocurrency hacking attacks reached about $577 million. Alarmingly, around 76% of these losses (approximately $438 million) have been explicitly attributed to hacker organizations related to North Korea. This data not only refreshes the record for the share of a single background organization in attack losses but also reveals that global on-chain security threats are showing a trend of high specialization and centralization. Reviewing historical data from the past few years, the weight of North Korean-related organizations in cryptocurrency theft has shown a stepwise increase: starting from 22% in 2022, through steady growth to 37% in 2023 and 39% in 2024, and then surging to 64% in 2025, eventually reaching 76% in early 2026. According to statistics, since 2017, these organizations have accumulated illegal profits exceeding $6 billion through targeted attacks, shifting their modus operandi from broad-spectrum nets to precise hunting of high-value protocols.

In several security incidents that occurred in April 2026, the characteristics of such "major cases" were particularly evident. TRM Labs pointed out that the two largest attacks in that month, about $292 million targeting KelpDAO and approximately $285 million stolen from Drift Protocol, accounted for the vast majority of losses during this period. It is noteworthy that these two incidents made up only about 3% of the total number of global hacking attacks in the same time frame, yet they dominated in terms of loss amounts. This risk structure of "a few major cases compounded by numerous small incidents" reflects that top hacker organizations are no longer satisfied with sporadic exploits of protocol vulnerabilities but are instead precisely targeting DeFi infrastructure with deep liquidity and core permissions. At this level of attack efficiency, a single breach often evolves into systematic capital loss amounting to hundreds of millions of dollars, making the on-chain security situation in 2026 increasingly severe.

Wasabi Attacked for $5.15 Million: Privileges and Deployers Exposed

According to monitoring data from BlockSec Phalcon, Wasabi Protocol experienced a series of abnormal transactions on the Ethereum and Base chains around April 30, totaling approximately $5.15 million in abnormal capital flow. Subsequently, the security agency CertiK Alert confirmed the attack and noted that the verified losses so far amount to about $2.9 million. Beyond spanning multiple chains, the attack hinged on an abnormal privilege change, directly exposing the weakness of DeFi protocols that depend on centralized administrative permissions.

A deeper analysis of the attack pathway reveals a typical funding hijacking triggered by deployer privilege leakage. Based on tracking information from CertiK and BlockSec, an account initially funded by Tornado Cash was anomalously granted a core privilege role related to `ADMIN_ROLE`. With this privilege, the attacker directly intervened in the capital allocation of core contracts such as `WasabiLongPool`, `WasabiShortPool`, and `WasabiVault`. Security analysis suggests that the ability of the attacker to obtain such privileged roles indicates that Wasabi's deployer wallet has most likely been compromised, allowing hackers to bypass conventional defense mechanisms and implement attacks in the guise of "official authorization."

Currently, this approximately $2.9 million of stolen funds has been distributed and stored in three specific wallet addresses. The Wasabi team subsequently posted a message acknowledging the issue of theft and stated that they are actively investigating the root cause of the incident. To prevent further losses, the project team urgently recommended that all users suspend any interactions with the protocol contracts until further notice. This incident once again proves that in the current on-chain environment, the security of deployer private keys and the granularity of permission management remain the weakest link determining the survival of DeFi protocols.
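The Wasabi incident, as described above, left an on-chain trace before any funds moved: a sensitive role was granted to an account that was freshly funded from a mixer, by a sender that was not the protocol's governance path. The following added example (not code from Wasabi, CertiK or BlockSec) shows how a protocol team's monitor could triage `RoleGranted` events against a simple policy. Every address, block number, role name and transfer below is constructed for illustration; the real on-chain role identifiers are `bytes32` hashes, which are replaced here by readable names.

```python
"""Triage of AccessControl-style RoleGranted events for suspicious admin grants.

Added example; not code from Wasabi or any security vendor. The event records,
funding transfers, addresses, block numbers and role names are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (from, to, block) transfers seen on chain; used to find an account's first funder.
Transfer = Tuple[str, str, int]


@dataclass(frozen=True)
class RoleGranted:
    block: int
    contract: str   # contract that emitted the event
    role: str       # readable stand-in for the on-chain bytes32 role id
    account: str    # grantee
    sender: str     # caller that performed the grant


@dataclass
class Policy:
    sensitive_roles: Set[str]       # roles whose grant must go through governance
    governance_senders: Set[str]    # timelock / multisig addresses allowed to grant them
    known_operators: Set[str]       # accounts expected to hold sensitive roles
    flagged_funders: Set[str]       # mixers and other sources from an intel feed
    fresh_window: int = 1000        # blocks; a grantee funded more recently is "fresh"


def first_funder(account: str, transfers: Iterable[Transfer]) -> Optional[Transfer]:
    """Earliest inbound transfer to `account`, or None if it was never funded."""
    inbound = [t for t in transfers if t[1] == account]
    return min(inbound, key=lambda t: t[2]) if inbound else None


def triage(events: Iterable[RoleGranted], transfers: List[Transfer],
           policy: Policy) -> Dict[RoleGranted, List[str]]:
    """Return, for each event that trips at least one rule, the list of reasons."""
    findings: Dict[RoleGranted, List[str]] = {}
    for ev in events:
        reasons: List[str] = []
        if ev.role in policy.sensitive_roles:
            if ev.sender not in policy.governance_senders:
                reasons.append("grant-bypassed-governance")
            if ev.account not in policy.known_operators:
                reasons.append("unknown-grantee")
        funder = first_funder(ev.account, transfers)
        if funder is not None:
            if funder[0] in policy.flagged_funders:
                reasons.append("grantee-funded-by-flagged-source")
            if ev.block - funder[2] < policy.fresh_window:
                reasons.append("freshly-funded-grantee")
        if reasons:
            findings[ev] = reasons
    return findings


def severity(reasons: List[str]) -> str:
    """A grant that skipped governance is always critical; the rest is high or low."""
    if "grant-bypassed-governance" in reasons:
        return "critical"
    if "unknown-grantee" in reasons or "grantee-funded-by-flagged-source" in reasons:
        return "high"
    return "low"


# Constructed sample data (no real addresses or blocks).
SAMPLE_POLICY = Policy(
    sensitive_roles={"DEFAULT_ADMIN_ROLE", "ADMIN_ROLE"},
    governance_senders={"0xTIMELOCK"},
    known_operators={"0xOPS_MULTISIG", "0xTIMELOCK"},
    flagged_funders={"0xMIXER"},
)
SAMPLE_TRANSFERS: List[Transfer] = [
    ("0xEXCHANGE", "0xOPS_MULTISIG", 10),
    ("0xMIXER", "0xFRESH_ACCOUNT", 9_990),
]
SAMPLE_EVENTS = [
    RoleGranted(5_000, "WasabiVault", "PAUSER_ROLE", "0xOPS_MULTISIG", "0xTIMELOCK"),
    RoleGranted(8_000, "WasabiVault", "ADMIN_ROLE", "0xOPS_MULTISIG", "0xTIMELOCK"),
    RoleGranted(10_000, "WasabiLongPool", "ADMIN_ROLE", "0xFRESH_ACCOUNT", "0xDEPLOYER_EOA"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS, SAMPLE_TRANSFERS, SAMPLE_POLICY).items():
        print(ev.block, ev.contract, ev.role, ev.account, severity(reasons), reasons)
```

Only the third event trips the rules, and it trips all four of them: the grant came from a deployer EOA rather than the timelock, the grantee is unknown, its first funding came from a flagged mixer, and that funding is only ten blocks old. The first two events, a routine pauser grant and an admin grant to the known operations multisig via the timelock, produce no findings, which is the property a monitor needs if its alerts are to be acted on.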

Aftermath Attacked: Sui Foundation Joins to Provide Support

While Wasabi Protocol struggled with privilege management failures, core protocols within the Sui ecosystem were not spared either. According to monitoring data and public information from AiCoin, around April 30, Aftermath Finance, a perpetuals protocol deployed on the Sui network, suffered a vulnerability attack. To stop the attacker from exploiting the vulnerability further and draining funds, the project team took emergency circuit-breaker measures as soon as it discovered the anomaly, announcing the immediate suspension of the affected protocols. This response reflects the now-standard risk-control logic of DeFi protocols facing sudden on-chain threats: sacrificing short-term availability to protect the remaining assets.

In contrast to many protocols that fall into prolonged investigation periods, the Aftermath incident quickly received support from foundational powers within the ecosystem. The Sui officials disclosed that the Sui Foundation, in collaboration with Mysten Labs, has intervened in this matter and will actively assist Aftermath Finance in the efforts to recover user funds and ensure the continued operation of the protocol after repairs. This "official intervention" situation somewhat alleviated the panic among Sui ecosystem users regarding asset security. Compared to the unclear compensation plan in the Wasabi incident, Aftermath provided a very clear compensation timeline: the officials stated that they expect to complete full compensation for affected users within 48 to 72 hours and that the team is fully focused on facilitating the return of funds.

Although specifics regarding the technical cause of the vulnerability, the attacker’s execution path, and the accurate scale of stolen funds have not yet been fully clarified, the Aftermath team expressed gratitude to users for their patience and emphasized that the compensation work has entered the practical stage in their public responses. This efficient response mechanism reflects the determination of both the ecosystem and the project team in reputation management and resource investment. For DeFi investors, while the lack of technical details remains a potential shadow, in an environment of frequent hacker attacks, the rapid compensation commitments backed by the foundation are becoming crucial chips to maintain ecosystem confidence and user stickiness.

Attack Response Divisions: Contrasting Approaches of Wasabi and Aftermath

In responding to the attacks, Wasabi Protocol and Aftermath Finance displayed vastly different response logic and risk governance paths. According to monitoring and security agency data from AiCoin, Wasabi Protocol experienced about $5.15 million in abnormal fund flows on the Ethereum and Base chains, with CertiK Alert confirming losses of approximately $2.9 million. Security analysis pointed out that this incident exposed a highly destructive structural risk: an account funded by Tornado Cash was granted core privileges such as `ADMIN_ROLE`, directly participating in the fund operations of `WasabiLongPool`, `WasabiShortPool`, and `WasabiVault`. This abnormal privilege points to the possible compromise of the deployer wallet. In the face of the crisis, Wasabi's response remains at the preliminary investigation and risk isolation stage, merely recommending that users suspend interactions without publishing any clear compensation ratio or timeline for financial reimbursement, leaving user trust in a vacuum of high uncertainty.

In contrast, the perpetuals protocol Aftermath Finance suffered a vulnerability attack on April 30 and promptly showed a backstop mechanism driven by ecosystem endorsement. After the protocol was suspended, the Sui Foundation and Mysten Labs immediately intervened publicly, stating they would assist in recovering funds and ensuring continued operation of the protocol. This coordinated response, spanning the project team and the developers of the underlying chain, allowed Aftermath to make clear commitments in a very short time: it expects to complete full compensation to users within 48 to 72 hours. Unlike the passive situation caused by Wasabi's loss of control over privilege management, the Aftermath incident emphasizes ecosystem-level credit support, stabilizing market expectations by introducing strong external resources even while the path to recovering funds remains unclear.

These two incidents reflect two evolutionary directions in security governance within the DeFi industry. Wasabi's dilemma lies in the fact that once the overly centralized permission design collapses, the project team often lacks sufficient buffer space for subsequent repairs, relying only on lengthy technical audits and fund tracking. Conversely, the Aftermath case demonstrates that in the context of a mature public chain ecosystem, deep involvement of foundations is becoming a powerful non-technical defensive mechanism. However, whether such a path relying on ecosystem endorsement has universal applicability remains in question. In the long run, the security of DeFi protocols cannot solely rely on post-incident "administrative intervention"; how to mitigate the deployer wallet risks similar to Wasabi from a permission architecture perspective, combined with a rapid response mechanism like Aftermath's, will be key to the protocol's survival amid frequent attacks from North Korean hackers. The specific effectiveness of these measures still needs to be further validated by the actual arrival of funds and the recovery of protocol liquidity.

In an Era of Frequent Attacks, What Security Signals Should Protocols and Users Monitor?

In the face of the alarming situation where organizations related to North Korea account for a skyrocketing 76% of global cryptocurrency attack losses, the cryptocurrency industry has entered a long-term extreme security environment dominated by a small number of high-risk counterparties, compounded by multiple medium and small-scale events. According to AiCoin data, since 2017, these organizations have accumulated illegal profits exceeding $6 billion through hacking attacks, exhibiting extremely high specialization and centralization in the first four months of 2026. For DeFi protocols, the focus of security defense must shift from generalized vulnerability scanning to core permission governance. The lesson from the Wasabi incident regarding the abuse of `ADMIN_ROLE` privileges indicates that the security level of the deployer wallet, the substantive operation of multi-signature mechanisms, and the enforced constraints of time locks are key to isolating risk. Meanwhile, the speed of response after an attack and the transparency of communication, such as Aftermath Finance's commitment to full compensation within 48 to 72 hours, will directly determine the upper limit of user trust recovery for the protocol.
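The three controls named above (an isolated deployer key, a multisig with a real threshold, and a timelock with enforced delay) work together: the single-key path to a role change is closed, one compromised signer cannot start the clock, and the delay gives monitoring a window in which a bad grant can be vetoed. The following added model, written here for illustration and not taken from Wasabi's or any project's contracts, shows those rules as a small Python class; signer names, thresholds and block numbers are constructed.

```python
"""Admin-role changes gated by an M-of-N signer set plus a timelock.

Added example illustrating the controls the article names (deployer key isolation,
multisig, timelock). Not any project's contract code; names and blocks are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class GovernanceError(Exception):
    """Raised when a role change is attempted outside the governed path."""


@dataclass
class Proposal:
    target: str                         # contract whose role set changes
    role: str
    account: str
    approvals: Set[str] = field(default_factory=set)
    ready_at: Optional[int] = None      # block at which execution is allowed
    executed: bool = False
    cancelled: bool = False


class TimelockedRoles:
    def __init__(self, signers: Set[str], threshold: int, delay_blocks: int) -> None:
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers, self.threshold, self.delay = set(signers), threshold, delay_blocks
        self.roles: Dict[Tuple[str, str], Set[str]] = {}
        self.proposals: Dict[int, Proposal] = {}
        self._next_id = 1

    def has_role(self, target: str, role: str, account: str) -> bool:
        return account in self.roles.get((target, role), set())

    def grant_direct(self, caller: str, target: str, role: str, account: str) -> None:
        """The single-key path is always refused, whoever the caller is, so a
        stolen deployer key gains nothing here."""
        raise GovernanceError(f"direct grant by {caller} refused; use propose/approve/execute")

    def propose(self, signer: str, target: str, role: str, account: str) -> int:
        self._require_signer(signer)
        pid, self._next_id = self._next_id, self._next_id + 1
        self.proposals[pid] = Proposal(target, role, account, approvals={signer})
        return pid

    def approve(self, signer: str, pid: int, block: int) -> Optional[int]:
        """Add an approval; once the threshold is met the delay starts. Returns ready_at."""
        self._require_signer(signer)
        p = self._live(pid)
        p.approvals.add(signer)
        if p.ready_at is None and len(p.approvals) >= self.threshold:
            p.ready_at = block + self.delay
        return p.ready_at

    def cancel(self, signer: str, pid: int) -> None:
        """Any signer can veto during the delay; the delay exists to make this possible."""
        self._require_signer(signer)
        self._live(pid).cancelled = True

    def execute(self, pid: int, block: int) -> None:
        p = self._live(pid)
        if p.ready_at is None:
            raise GovernanceError("approval threshold not met")
        if block < p.ready_at:
            raise GovernanceError(f"timelock active until block {p.ready_at}")
        self.roles.setdefault((p.target, p.role), set()).add(p.account)
        p.executed = True

    def _require_signer(self, signer: str) -> None:
        if signer not in self.signers:
            raise GovernanceError(f"{signer} is not a signer")

    def _live(self, pid: int) -> Proposal:
        p = self.proposals.get(pid)
        if p is None or p.executed or p.cancelled:
            raise GovernanceError("no live proposal with that id")
        return p


def scenario() -> Dict[str, object]:
    """Walk through the cases a reviewer would check; returns a dict of outcomes."""
    gov = TimelockedRoles(signers={"alice", "bob", "carol"}, threshold=2, delay_blocks=100)
    out: Dict[str, object] = {}
    try:  # 1. a compromised deployer key tries the direct path
        gov.grant_direct("0xDEPLOYER_EOA", "WasabiVault", "ADMIN_ROLE", "0xATTACKER")
        out["direct_grant_refused"] = False
    except GovernanceError:
        out["direct_grant_refused"] = True
    pid = gov.propose("alice", "WasabiVault", "ADMIN_ROLE", "0xNEW_OPS")  # 2. one signer alone
    out["queued_after_one"] = gov.proposals[pid].ready_at is not None
    out["ready_at"] = gov.approve("bob", pid, block=1000)                 # 3. threshold met
    try:  # 4. executing before the delay has elapsed
        gov.execute(pid, block=1050)
        out["early_exec_refused"] = False
    except GovernanceError:
        out["early_exec_refused"] = True
    gov.execute(pid, block=1100)                                           # 5. after the delay
    out["granted"] = gov.has_role("WasabiVault", "ADMIN_ROLE", "0xNEW_OPS")
    pid2 = gov.propose("alice", "WasabiVault", "ADMIN_ROLE", "0xSUSPECT")  # 6. vetoed grant
    gov.approve("bob", pid2, block=2000)
    gov.cancel("carol", pid2)
    try:
        gov.execute(pid2, block=2200)
        out["veto_effective"] = False
    except GovernanceError:
        out["veto_effective"] = True
    return out
```

The scenario shows the behaviour the controls are meant to guarantee: the direct grant is refused, one approval does not start the delay, a second approval at block 1000 schedules execution for block 1100, an early execution is rejected, the grant lands once the delay has elapsed, and a proposal vetoed by a third signer during its delay can never be executed. On-chain, the same structure is what an `AccessControl`-style contract with its admin role held by a timelock behind a multisig provides.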

Future market observations should focus on three key dimensions: first, whether large protocols begin to actively disclose and strengthen permission decentralization plans to avoid disastrous losses caused by single-point privilege collapse; second, whether public chain foundations (following the intervention model of the Sui Foundation and Mysten Labs) can establish standardized emergency security and compensation frameworks that provide foundational backing for ecosystem projects; and lastly, how finely security companies and intelligence agencies can mark the tactics and addresses related to North Korean attacks, which will directly affect the entire industry's ability to warn about high-risk protocols. In the high-frequency attack situation of 2026, only by turning on-chain monitoring alerts into real-time risk mitigation actions can the DeFi ecosystem hold its safety bottom line in the ongoing contest over funds.

Join our community, let’s discuss and become stronger together!
Official Telegram Community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin On-Chain: https://aicoin.com/hyperliquid
AiCoin Exclusive Hyperliquid Benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin Exclusive Aster Benefits: https://www.asterdex.com/zh-CN/referral/9C50e2

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.
