KelpDAO Exploit Becomes Largest Crypto Hack of 2026 With $294 Million Siphoned in Massive Cross-Protocol Attack

The liquid restaking protocol KelpDAO has been hit by a massive security breach, resulting in the theft of approximately $293.7 million and marking it as the largest cyberattack in the cryptocurrency sector for 2026. Multiple on-chain security firms and independent investigators first flagged the suspicious activity late Saturday evening, noting that the perpetrators successfully targeted the protocol’s bridge contract to siphon funds from its native liquid restaking token, rsETH. The KelpDAO team confirmed the incident hours later, stating they have paused all smart contracts across the Ethereum mainnet and several Layer-2 networks while they collaborate with security experts, auditors, and partners like LayerZero and Unichain to mitigate the damage.

The mechanics of the exploit involved the creation of unbacked rsETH tokens, which the attacker then used as collateral to drain real assets from the broader ecosystem. According to data from security firm Cyvers, the bad actor quickly swapped the illicitly generated tokens for ETH and distributed the haul across the Ethereum and Arbitrum networks. In an effort to further obscure and liquidate the funds, the attacker deposited the stolen assets into prominent lending protocols such as Aave V3, Compound V3, and Euler. By leveraging these platforms, the hacker managed to borrow over $236 million in WETH, effectively leaving several major DeFi platforms with substantial amounts of bad debt.

Industry experts are characterizing the KelpDAO breach as a significant “contagion event” rather than an isolated protocol failure. Because rsETH is deeply integrated into various lending markets, vaults, and liquidity pools, the exploit caused an immediate ripple effect across the decentralized finance landscape. The sudden influx of unbacked assets forced at least nine different protocols to take emergency action. Aave V3 and SparkLend were among the first to freeze their rsETH markets, while other platforms like Fluid moved to contain risk and prevent market-wide liquidations that could stem from the forced volatility.

The fallout from this incident has now officially surpassed the $280 million Drift Protocol exploit, previously the year’s most significant security breach. While the KelpDAO team remains in constant communication with top-tier security sleuths and infrastructure providers, no official update has been provided in the last ten hours regarding a potential recovery plan or the fate of user deposits. This incident serves as a stark reminder of the systemic risks inherent in cross-chain bridge architecture and the speed at which a single vulnerability can impact the entire DeFi ecosystem.