TLDR:
- Purrlend lost $1.5M across HyperEVM and MegaETH in a suspected coordinated dual-network exploit.
- HyperEVM bore the larger loss at $1.2M, while MegaETH accounted for roughly $324,000 in stolen funds.
- Stolen assets included USDC, USDT0, USDH, wstHYPE, kHYPE, WHYPE, UETH, WETH, and USDm tokens.
- April 2026 is on pace to rank among the worst months for crypto theft, with over $600M lost in 18 days.
Purrlend, a decentralized lending and borrowing protocol built on HyperEVM, suffered a suspected exploit on April 25, 2026.
The attack hit two separate networks simultaneously, HyperEVM and MegaETH. Combined losses reached approximately $1.5 million.
The incident was first flagged by Kirby Ong, founder of HypurrCollective. Purrlend has since paused all protocol operations while its team investigates the breach.
Attack Drains Funds Across Two Blockchain Networks
The exploit targeted Purrlend on both HyperEVM and MegaETH in a coordinated dual-network attack. HyperEVM suffered the larger share of losses, with roughly $1.2 million drained from the protocol. MegaETH accounted for the remaining $324,549 in stolen funds.
Kirby Ong, founder of HypurrCollective, was the first to raise the alarm on social media. He posted a detailed breakdown of stolen assets across both chains. His post read: “Purrlend appears to be exploited on both MegaETH and HyperEVM.”
The stolen assets on HyperEVM included nearly $450,000 in USDC and $214,000 in USDT0. The attacker also took close to $195,000 in USDH, along with wstHYPE, kHYPE, WHYPE, and UETH tokens. On MegaETH, the attacker withdrew $163,000 in USDT0, WETH, and USDm.
Purrlend confirmed the incident shortly after through an official post. The team stated: “We have detected irregular activity on the protocol and are actively investigating.” The protocol remains paused as the investigation continues.
April Emerges as One of the Worst Months for Crypto Theft in 2025
The Purrlend exploit adds to a growing list of attacks recorded in April. More than $600 million has been stolen from crypto protocols in just 18 days this month. That figure places April on pace to surpass even the most damaging months in recent DeFi history.
The bulk of April’s losses trace back to attacks on KelpDAO and Drift Protocol. Together, those two incidents account for an estimated $577 million in losses. Both attacks have drawn sharp attention to the state of security across DeFi platforms.
By comparison, the largest single breach this year remains the $1.4 billion Bybit hack from February 2025. April’s total, however, is approaching that threshold at a rapid pace. That trend has put protocol security practices under growing scrutiny.
For Purrlend, the road to recovery will depend heavily on the findings of its ongoing investigation. The protocol has not yet disclosed the specific attack vector used by the exploiter. Until then, users have been urged to proceed with caution across all connected platforms.
