Another DeFi platform just got hit with a $1.5 million exploit, services suspended

Lending protocol Purrlend confirmed Saturday that it detected irregular activity across its deployments on both the MegaETH and HyperEVM networks and has paused the protocol while it investigates.

For context, both are newer blockchain networks designed for speed. MegaETH is an Ethereum layer-2 network backed by Ethereum co-founder Vitalik Buterin that launched its public mainnet in February.

HyperEVM is the smart contract layer of Hyperliquid, a blockchain built primarily for trading. Purrlend operates as a lending platform on both — meaning users deposit crypto assets and either earn interest or borrow against their holdings.

On-chain analyst kirbyongeo broke down the damage.

The attacker drained roughly $1.2 million from HyperEVM — including 449,683 USDC and 214,125 USDT0, both dollar-pegged stablecoins, along with 194,745 USDH, another stablecoin, and smaller amounts of UBTC (a tokenized version of Bitcoin), wstHYPE, UETH, kHYPE, and WHYPE. 

From MegaETH, the attacker took another $324,549 in USDT0, WETH (wrapped Ethereum), and USDm. The grand total sits at approximately $1.52 million.

The exploiter's wallet addresses have been identified on both HyperEVM and MegaETH block explorers — public ledgers where anyone can track the stolen funds — though nothing has been recovered.

TheStreet Roundtable reached out to Purrlend for comment and had not received a response by the time of publication.

Related: Major DeFi hack becomes the largest of 2026 yet

April's $606 million nightmare

Purrlend is not an isolated incident. 

It lands in what is being called the crypto's "$606 million April nightmare" — 12 hacks in 18 days, the worst month for digital asset security since the Bybit heist in February 2025.

The largest was KelpDAO, where an attacker drained $292 million in wrapped ether from a cross-chain bridge — infrastructure that lets users move crypto between different blockchains — on April 18. 

The attacker overwhelmed a single security checkpoint with junk traffic and fed it fake transfer requests. The exploit was later attributed to North Korea's Lazarus Group, the state-backed hacking unit responsible for some of the largest crypto thefts in history.

 The fallout triggered $13 billion in DeFi withdrawals in just two days, with lending giant Aave alone losing $8.45 billion in deposits as users rushed to pull their money out.

Drift Protocol, a trading platform on the Solana blockchain, was hit on April 1 for $285 million after attackers spent three weeks impersonating a trading firm and tricking the protocol's security council — a small group of keyholders who approve major transactions — into pre-signing approvals. Once they had the signatures, the attackers drained the platform's vaults in roughly 12 minutes.

Other April incidents include Volo Protocol losing $3.5 million from vaults holding Bitcoin and stablecoin deposits on April 22, GiddyDefi being exploited for $1.3 million on April 23 through a flaw in how it verified transaction approvals, and decentralized exchange aggregator CoW Swap losing $1.2 million to a domain hijacking attack on April 14.

More from TheStreet Roundtable:

• Major DeFi hack becomes the largest of 2026 yet
• Tether freezes $344 million tied to illicit activity
• Treasury Secretary Bessent introduces new plan to combat money laundering

2026's running total

DeFi losses — referring to hacks targeting decentralized finance platforms, which are crypto-based alternatives to banks and brokerages that let users lend, borrow, and trade without intermediaries — have now topped $750 million in 2026 through mid-April. 

With Purrlend and other late-April incidents, the number is climbing past $800 million. Q1 alone saw over $137 million drained, including Step Finance's $27.3 million treasury theft in January.

The pattern has changed. Traditional coding errors in smart contracts — the self-executing programs that run these platforms — are reportedly down roughly 89% from prior years, meaning security audits are catching more of the obvious bugs. What audits cannot catch — social engineering, forged cross-chain messages, compromised keyholders — is now where the real damage is concentrated.

Cross-chain bridges in particular keep producing the largest single-day losses in crypto history. As Galaxy Research noted in its KelpDAO postmortem, the weak security setup that enabled that attack was a known design risk that had been publicly discussed for months before it was exploited.