The decentralized finance sector faced fresh security challenges this week. Two separate incidents rocked the industry within days of each other. Volo Protocol lost approximately $3.5 million in a targeted exploit. Meanwhile, Umbra Protocol took its hosted website offline after hackers routed stolen funds through its system.
Both events followed the high-profile KelpDAO exploit. That breach drained over $280 million from the protocol. Investigators have since linked the KelpDAO attack to North Korea’s Lazarus Group, a sanctioned hacking collective with ties to state-sponsored cybercrime.
Volo Protocol Exploit Drains $3.5 Million From Three Vaults
Volo Protocol, a liquid staking platform built on the Sui blockchain, confirmed a security breach on Tuesday. The attack targeted three specific vaults. Those vaults held wrapped bitcoin (WBTC), the tokenized gold asset XAUm, and the dollar-pegged stablecoin USDC.
The total loss reached approximately $3.5 million. The protocol acted quickly to freeze all affected vaults. It also coordinated with the Sui Foundation and ecosystem partners to contain any further damage.
The team confirmed that no shared attack vector existed across the remaining vaults. Approximately $28 million in assets held across other Volo vaults remained secure and unaffected by the breach.
🔒 Security Incident Update – Volo Protocol
We want to address our community directly and transparently about a security incident that occurred earlier today. Rest assured, Volo is prepared to absorb any loss.
What happened:
An exploit resulted in the removal of approximately…
— Volo (@volo_sui) April 21, 2026
Volo Team Moves Fast to Freeze Stolen Funds and Block Withdrawals
Within 30 minutes of the initial disclosure, the Volo team froze approximately $500,000 in misused funds. The team worked with on-chain investigators and partners to immobilize those assets, preventing any withdrawal or further movement.
The team later announced a major breakthrough in a recovery update. It successfully intercepted and blocked the hacker’s attempt to withdraw 19.6 WBTC. Those funds moved out of the attacker’s control entirely.
Volo is committed to absorbing all losses independently. The team stated clearly that it would not pass any financial burden to users. All affected vaults will remain frozen until the full investigation and recovery process concludes.
Umbra Protocol Takes Hosted Frontend Offline After Hackers Use Platform
Privacy-focused protocol Umbra announced it had taken its hosted website offline on Tuesday. The decision followed reports that approximately $800,000 in stolen funds had moved through the protocol. The team described the frontend shutdown as a maintenance measure.
Umbra stated it would restore access once it confirmed the site would not interfere with ongoing recovery and tracing efforts. The team noted it had already been in contact with security researchers working on the case.
Umbra was identified as one of the tools the KelpDAO exploiter used while attempting to move stolen assets from Ethereum to Bitcoin. Investigators have linked that breach to the Lazarus Group, a North Korean hacking unit under heavy US sanctions.
As has been reported, Umbra was used to move funds associated with recent, high profile hacks. In total, we are aware of 349 ETH (~$800K) of stolen funds moving through the protocol. Reports of much higher amounts are inaccurate. A few notes:
First, as a stealth address system,…
— Umbra (@UmbraCash) April 21, 2026
Umbra Smart Contracts Remain Live — Protocol Cannot Fully Shut Down
Umbra made clear that taking its frontend offline does not disable the protocol itself. The smart contracts remain live and fully operational on-chain. The project cannot disable those contracts by design.
Users can still access the open-source code through local or self-hosted versions of the interface. The team acknowledged that there is nothing it can do to prevent access through those alternative methods.
This limitation reflects a fundamental tension in decentralized protocol design. Projects can restrict their own hosted interfaces, but they cannot control the underlying code once it is deployed on a public blockchain.
Tornado Cash Co-Founder Warns Umbra’s Frontend Move May Not Shield Developers
Roman Storm, co-founder of Tornado Cash, raised legal concerns about Umbra’s decision. He argued that making changes to a frontend could be treated as evidence of broader control over the protocol itself.
Storm drew on his own legal experience to illustrate the risk. He said prosecutors in his case rejected his claim that he could not control Tornado Cash. Authorities pointed to his ability to make frontend changes as proof of overall protocol control.
He added that the ability to deploy further updates through platforms like IPFS means developers may be seen as retaining full control over the system. His comments highlight the growing legal debate around open-source crypto tools and developer liability.
Umbra Says Its Privacy Design Does Not Shield Criminals or Hide Stolen Funds
The Umbra team pushed back against the perception that its privacy features could help criminals conceal stolen money. The protocol clarified that its design protects the identity of the receiver, not the sender.
This means funds routed through Umbra remain traceable back to their source. The team said all stolen funds that moved through the protocol can be identified by investigators. It presented this transparency as a reason why the platform is an ineffective tool for laundering proceeds.
The clarification aimed to distance the protocol from any suggestion that it knowingly facilitated illicit activity. The team emphasized its cooperation with the security researchers already working on the case.
KelpDAO Hack Casts a Long Shadow Over DeFi Security in 2026
Both the Volo and Umbra incidents unfolded in the aftermath of the KelpDAO exploit. That attack drained over $280 million from the protocol. Investigators linked it to the Lazarus Group, a North Korean state-sponsored hacking unit.
#PeckShieldAlert The @KelpDAO exploiter has begun laundering stolen funds (~$176M).
They have started bridging small batches of funds from #Ethereum to $BTC via @THORChain, @UmbraCash, @chainflip, and @BitTorrent.
— PeckShieldAlert (@PeckShieldAlert) April 21, 2026
The Lazarus Group operates under heavy US sanctions. Crypto firms across the industry have taken steps to block or slow the group’s attempts to move stolen assets. Umbra’s frontend shutdown fits within this broader pattern of platforms trying to limit the group’s ability to launder funds.
The KelpDAO breach also triggered collateral damage across other DeFi platforms. Leading lending platform Aave saw a surge in withdrawals. Users rushed to move funds out as uncertainty spread across the sector in the hours following the attack.
DeFi Losses Cross $10 Billion as Exploit Clusters Continue to Hit the Sector
The Volo breach added to a growing list of DeFi losses in 2026. According to data from DeFiLlama, decentralized finance has suffered approximately $7.78 billion in hacks to date. Bridge protocols account for an additional $2.90 billion in losses. The combined figure now exceeds $10 billion.
That total is roughly equivalent to the combined market capitalization of cryptocurrencies ranked between 10th and 15th globally. The scale of losses highlights the persistent security gap in the sector, even as institutional adoption continues to grow.
Security analysts have noted that exploits tend to arrive in clusters. One high-profile breach often precedes or inspires others. The events of this week support that pattern, with three separate incidents — KelpDAO, Volo, and Umbra — occurring within a narrow timeframe.
What Comes Next: Investigations, Post-Mortems, and the Path to Recovery
Volo has committed to publishing a full post-mortem once its investigation is complete. The team has not yet disclosed the specific vulnerability the attacker exploited or the identity of the individual or group responsible.
Umbra has said it will restore its frontend once authorities confirm it will not interfere with asset recovery efforts. The project continues to cooperate with security researchers involved in tracing the stolen funds.
Both cases add pressure on DeFi platforms and adjacent tools to improve security practices and incident response. Projects now face closer scrutiny over how fast and how effectively they respond when stolen funds begin moving across the market. For the broader sector, the question is no longer whether exploits will occur, but how quickly teams can contain the damage when they do.
FAQs
Q1: What happened in the Volo Protocol hack?
A1: Volo Protocol suffered a targeted exploit that drained approximately $3.5 million from three vaults holding WBTC, XAUm, and USDC. The team quickly froze affected vaults and worked with ecosystem partners to contain further losses.
Q2: Were all Volo Protocol funds affected by the attack?
A2: No. Only three vaults were impacted. Around $28 million in remaining assets stayed secure, and the protocol confirmed no shared vulnerability affected other vaults.
Q3: Why did Umbra Protocol shut down its frontend?
A3: Umbra Protocol took its hosted website offline after hackers reportedly routed stolen funds through its system. The shutdown was a precautionary move to support investigation and recovery efforts.
Q4: Can Umbra Protocol still be used while the frontend is offline?
A4: Yes. Even though the official interface is down, Umbra’s smart contracts remain active on-chain. Users can still interact with the protocol through self-hosted or open-source interfaces.
Q5: How are these incidents connected to the wider DeFi security issues?
A5: The Volo and Umbra incidents followed the major KelpDAO exploit, which has been linked to the Lazarus Group. These events highlight ongoing vulnerabilities in decentralized finance, where clustered exploits continue to cause significant financial losses across the sector.
Disclaimer
This article is published by Crafmin for informational purposes only and does not constitute financial, investment, or legal advice. The content is based on publicly available information and on-chain reports, which may change without notice. Readers are encouraged to conduct their own independent research and consult qualified professionals before making any financial decisions. Crafmin assumes no responsibility for any losses or damages arising from reliance on this information.