DeFi Lost $840M in 60 Days. The Onchain Fingerprints Were Visible the Whole Time.

April and May 2026 will be remembered as the worst stretch in DeFi history. More than $840M drained across 24+ protocols in 60 days. Drift Protocol. Kelp DAO. Verus Bridge. Step Finance. Truebit. Resolv Labs. The list keeps growing.

Every post-mortem says the same thing: sophisticated attack, complex exploit, hard to anticipate.

We decided to look at the wallets instead.

---

The Incidents

April set the benchmark. Drift Protocol lost $285M on April 1st. Kelp DAO lost $292M on April 18th. Combined that's $577M in 18 days, both attributed to the same threat actor.

May continued the pattern. Verus Bridge lost $11.4M on May 18th, joining a growing casualty list that included Step Finance ($27–40M), Truebit ($26.2M), Resolv Labs ($25M+), and more than a dozen others.

Not every hack involves the same attack surface. Step Finance was a private key compromise, where attackers targeted executive devices and drained the protocol's own treasury wallets. Truebit and Resolv were smart contract logic exploits. Behavioral wallet scoring doesn't solve those problems. Those require device security, key management, and code audits.

What behavioral scoring does solve is a different problem: identifying the wallets that show up at your protocol before they strike. Drift, Kelp DAO, and Verus Bridge all involved distinct attacker wallets with publicly confirmed addresses and behavioral histories sitting onchain before a single dollar moved. Those are the wallets we scored.

---

What We Did

We scored the attacker wallets using KaelAi Shield, our behavioral threat detection product built for DeFi protocols. We did this after the fact, without knowing which wallets were attackers. Just wallet addresses and chains. The behavioral engine did the rest.

Every single wallet came back CCC, our lowest grade, with BLOCK or FLAG recommendations.

---

What the Wallets Had in Common

Across Drift, Kelp DAO, and Verus, the attacker wallets shared a consistent behavioral fingerprint.

Receive-only staging pattern

Every Drift attacker wallet had zero outbound transactions despite receiving massive inbound volume. This is a classic staging address signature: load the wallet, execute the exploit, drain everything out in one move. No legitimate DeFi participant operates this way.

Extreme value spike ratios

One Drift wallet showed a max-to-mean transaction value ratio of 2.7 billion. That number represents a single massive drain transaction dwarfing everything else — a mathematical signature of staged exploit infrastructure.

Zero known protocol interactions

None of the Drift or Kelp attacker wallets had interacted with a single verified DeFi protocol in their sampled transaction history. Attacker wallets don't warm up by using Uniswap or Aave. They exist purely for the exploit.

Coordinated creation windows

All four Drift attacker wallets were created within the same 44-day window. When multiple wallets appear at the same time with identical behavioral profiles, that's coordinated infrastructure, not coincidence.

Tornado Cash funding

The Kelp DAO attacker wallet was funded via Tornado Cash before the exploit — a deliberate attempt to obscure the funding source and origin chain.

---

The Honest Part

The Verus Bridge case taught us something important about the limits of behavioral scoring, and we're sharing it because the security community deserves honest tooling.

The attacker wallet scored CCC and returned a FLAG recommendation — correctly identified as suspicious. But our tornado_cash_funded flag didn't fire, even though PeckShield confirmed the wallet was TC-funded 14 hours before the exploit.

Why? The TC funding was two hops back. Tornado Cash funded an upstream wallet, which funded the exploit wallet through an internal bridge transaction. Our scoring engine was reading normal transactions only, not internal calls. The entire ~5,400 ETH funding of this wallet arrived through internal bridge calls — completely invisible to our detector.

We found two bugs. We fixed them both.

We're publishing this because the security community deserves honest tooling, not products that claim to catch everything. Knowing what a tool catches and what it misses is the only way to build a complete security stack.

---

Why Protocols Aren't Catching This

Most DeFi security spending goes toward smart contract audits, bridge security reviews, and multisig governance. All critical. None of them screen the wallets interacting with the protocol in real time.

The attacker gets in before any flag is raised. By the time the exploit executes, the behavioral signals have been sitting onchain for days or weeks — visible to anyone reading them. Most protocols aren't reading them.

---

What Behavioral Scoring Changes

KaelAi Shield isn't a replacement for smart contract audits. It's a complementary layer that answers a different question — not is this contract secure but is this wallet trustworthy enough to interact with it?

A single API call returns a five-tier threat assessment — BLOCK, FLAG, REVIEW, MONITOR, or ALLOW — based on behavioral analysis across 10 chains. The exploit registry checks every queried wallet against confirmed attacker addresses from past incidents in real time. Tornado Cash funding detection, coordinated creation window analysis, and staging pattern recognition run on every Shield query.

The attacker wallets behind April and May's biggest hacks would have returned BLOCK or FLAG recommendations before they ever touched a protocol.

---

The Next Hack Is Coming

$840M in 60 days isn't an anomaly. It's a stress test that DeFi keeps failing because the security stack is incomplete. Audits, bridges, and multisigs protect the protocol. Nothing is protecting the entry point.

The behavioral signals are there. They're onchain. They're readable. The question is whether your protocol is reading them before the next $285M disappears.

Follow @Kaelai_ on X for updates on KaelAi Shield, new chain integrations, and case studies from the agentic economy.