Will AI Be the Next Black Swan for Crypto? A Reflection on DeFi and the Uncertain Road Ahead
April 2026 is on track to be the worst year for DeFi hacks in history. While AI democratises offensive capabilities that used to take years to develop, decentralised protocols have become the perfect target. An analysis of the asymmetry that is changing the game.
I've been thinking about this for days and I think it's time to write it down without sugar-coating it: the relationship between the rise of artificial intelligence and the surge of attacks on DeFi is no coincidence. It's a direct correlation. And it's getting more dangerous by the week.
This is not a hot take based on vibes. The data from the last month tells the story. And what it tells us is alarming.
Data first, opinions later: April 2026 in numbers
The current month is already rewriting the negative records of the sector. We're not talking about one or two isolated exploits — we're talking about a chain of incidents in audited protocols, with high TVL and serious teams behind them:
- Drift Protocol — April 1: $285M drained. Lazarus Group identified as the perpetrator.
- Vercel — April 19: OAuth compromised through a third-party AI app, affecting crypto projects deploying on its infrastructure.
- Volo Protocol (SUI) — April 23: $3.5M emptied from Vaults the same day I'm writing this.
- KelpDAO — April 18: $292M stolen. The largest DeFi hack of the year so far.
The truly bad part of KelpDAO wasn't the $292M from the direct exploit. It was the shockwave: $13B evaporated from total DeFi TVL in 48 hours, $8.45B leaving Aave alone out of pure contagion fear. A single point of failure, in a single protocol, and the entire ecosystem trembling.
Ledger said it bluntly: 2026 is on track to be the worst year in DeFi history in terms of hacks.
Lazarus Group alone has stolen over $575M from DeFi in the last 18 days. Real consequences? None. They're still operating.
And here comes AI: the Claude Mythos case
This week Anthropic published something that has stuck with me. Their new model, Claude Mythos, has identified thousands of zero-day vulnerabilities across all major operating systems and browsers. Among the findings:
- A 27-year-old bug in OpenBSD, one of the most hardened operating systems in the world.
- A 16-year-old vulnerability in FFmpeg that had passed through more than 5 million automated tests undetected.
- Exploit chains in the Linux kernel allowing full privilege escalation.
Anthropic has decided not to release it publicly. They've handed it only to strategic partners like Microsoft, Nvidia, Cisco and JPMorgan through what's called Project Glasswing.
It's a reasonable decision and, honestly, an appreciated one. But it raises the uncomfortable question nobody wants to ask out loud:
If Anthropic, a company with public accountability and ethical procedures, has a model capable of finding 27-year-old bugs in systems audited for decades… what do malicious actors with no self-imposed limits have?
Why DeFi is the perfect target
An attack on a traditional bank has immediate consequences: electronic fraud defined as a criminal offence, international cooperation, Interpol, account freezes. An attack on a centralised exchange does too: Binance, Coinbase or Kraken have legal teams, insurance and government relationships.
But a DeFi attack?
- Immutable contracts: once deployed, there's no rollback.
- Irreversible transactions: the money lands in the attacker's wallet block by block.
- Anonymous attackers: moving funds across 20 chains in minutes through bridges and mixers.
The probability of recovering the funds is minimal. The probability of identifying the attacker is low. The probability of real legal consequences, practically zero.
DeFi isn't the safest financial system in the world. It's the most attractive for attackers with AI tools, because the risk of retaliation is near zero and the payout per attack is enormous.
The asymmetry that's changing the game
Defenders use AI too. Companies like Trail of Bits, OpenZeppelin, Certora and the auditors of major protocols are integrating models for static analysis and formal verification. The difference is that they publish, they get audited, and they self-regulate.
Attackers don't.
The result is a brutal asymmetry: every new defensive technique published in a paper reaches the hands of those who want to break it before it reaches the hands of those who want to ship it to production. And the powerful models that don't go public — the Mythoses, the internal GPT-Xs, the unreleased Chinese models — could be doing exactly the same thing, but with offensive intent.
What I see around me: risk management, not FUD
I'm talking to more and more people in the sector who are unwinding positions. Not out of panic. Out of cold calculation.
People who've been in DeFi for years and are now:
- Moving funds to cold wallets and reducing exposure to connected hot wallets.
- Cutting positions in high-TVL protocols (paradoxically, the most attractive for attackers).
- Exiting cross-chain bridges, historically one of the weakest points in the ecosystem.
- Closing vaults "just in case", even giving up interesting APRs.
This isn't FUD. It's risk management. And it's exactly the mindset we recommend in the ultimate crypto security guide we published a while back.
I'm personally less exposed every week and waiting to see what happens. Not because I think DeFi is dead, but because the environment has changed radically in just a few months. Attackers have access to tools that didn't exist two years ago. Defenders use the same tools, but always one step behind.
How to protect yourself right now (practical checklist)
If you're staying in DeFi — and many of us will — there are decisions you can make today to reduce your attack surface:
- Move to cold storage anything that doesn't need to be productive. The golden rule: if it's not generating yield this month, it shouldn't be in a hot wallet. Brush up on the hot vs cold wallets guide to understand the differences.
- Review active approvals on every chain with revoke.cash or similar tools. Every unlimited approval is a dormant attack vector.
- Diversify protocols. Having everything in Aave is convenient, but a single exploit can wipe you out. Better 3 audited protocols with smaller exposure than one with everything.
- Avoid unnecessary bridges. If you can operate natively on a chain, do it. Every hop is a point of failure.
- Don't chase impossible APRs. When something pays 200% annually, it's usually because someone is going to foot the bill. And it's typically the last one in. Apply the basic principles from the crypto glossary before jumping in.
- Run a personal audit every 30 days. Positions, approvals, active wallets. The same level of discipline you'd apply to a traditional portfolio.
Many of these are the same mistakes I made in my first years in crypto. The difference is that now, with AI on the other side, the cost of being wrong can be definitive.
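The approval review from the checklist, sketched as an added example (not code from the original post or from revoke.cash): it replays ERC-20 Approval event logs, in the JSON shape returned by eth_getLogs, and lists the spenders that still hold an unlimited allowance from one wallet. The addresses, the sample logs, the helper names and the 2**255 "unlimited" threshold are constructed assumptions.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: at or above this counts as "unlimited"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Replay logs in chain order; return {(token, spender): value} still non-zero."""
    latest = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but also indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        # A later Approval for the same token/spender overwrites the earlier one.
        latest[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    return {pair: value for pair, value in latest.items() if value > 0}

def unlimited_approvals(logs, owner):
    """(token, spender) pairs whose last approval is effectively unlimited."""
    return sorted(p for p, v in open_approvals(logs, owner).items() if v >= UNLIMITED_FLOOR)

# --- Constructed sample data: placeholder addresses, not real contracts ---
ME, OTHER, ROUTER, VAULT = ("0x" + b * 20 for b in ("11", "22", "d1", "d2"))
TOKEN_A, TOKEN_B, NFT = ("0x" + b * 20 for b in ("aa", "bb", "cc"))

def make_log(token, owner, spender, value, block, index=0, nft=False):
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    topics = [APPROVAL_TOPIC, pad(owner), pad(spender)]
    data = "0x" + format(value, "064x")
    if nft:  # ERC-721 puts tokenId in a fourth topic and leaves data empty
        topics, data = topics + [data], "0x"
    return {"address": token, "topics": topics, "data": data,
            "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    make_log(TOKEN_A, ME, VAULT, 0, 150),                 # revocation, listed out of order
    make_log(TOKEN_A, ME, ROUTER, MAX_UINT256, 100),      # unlimited, never revoked
    make_log(TOKEN_A, ME, VAULT, MAX_UINT256, 101),       # unlimited, revoked at block 150
    make_log(TOKEN_B, ME, ROUTER, 500, 120),              # bounded approval
    make_log(NFT, ME, ROUTER, 7, 130, nft=True),          # ERC-721 approval, ignored
    make_log(TOKEN_A, OTHER, ROUTER, MAX_UINT256, 140),   # someone else's wallet
]
print("unlimited approvals to revoke:", unlimited_approvals(SAMPLE_LOGS, ME))
```

Log replay shows the last value approved, not the amount still spendable: transferFrom can draw down a bounded allowance without emitting a new Approval event, so the token's allowance(owner, spender) call remains the authoritative figure before and after revoking.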
My conclusion: heading into a very uncertain future
I'm not saying DeFi is going to die. I still believe it's a valuable technology and that it will keep existing. But the next 12-24 months are going to be brutal. And only the protocols that meet three conditions will survive:
- Continuous audits, not one-off ones. A single audit at launch is no longer enough; code and context change week to week.
- Multi-layer verification at every critical point: accounts, oracles, bridges, contracts, governance.
- Treating security as a process, not a marketing milestone. Aggressive bug bounty, dedicated response teams, transparent communication.
The rest will fall. And they'll fall faster than we think. AI is democratising capabilities that used to require years of experience. That's incredible for defenders who use it. And terrible for defenders who don't.
Because on the other side, they always do.
The question I'm leaving you with
Will AI be the next black swan event for crypto? I don't know for sure. Nobody does. But I think this is the conversation we should be having instead of debating the next meme coin.
If you want to dig deeper into how to protect your portfolio right now, start with the ultimate crypto security guide and review the wallets guide. And if you're still taking your first steps, refresh the basics with the DeFi beginner's guide.
What do you think? Are you reducing your DeFi exposure or holding firm? Tell me on X, at @concodefi. I'm reading.
