Purrlend Exploit: $1.5 Million Lost in Dual-Network Attack

Severity: High (Score: 64.5)

Sources: Bitget, Mexc

Summary

On April 25, 2026, the decentralized lending protocol Purrlend experienced a coordinated exploit affecting both HyperEVM and MegaETH networks, resulting in losses estimated at $1.5 million. The attack was first reported by Kirby Ong, founder of HypurrCollective, who noted suspicious activity in the protocol's contracts. Approximately $1.2 million was drained from HyperEVM, while MegaETH suffered losses of around $325,000. The stolen assets included significant amounts of USDC, USDT0, USDH, and various ecosystem tokens. Following the incident, Purrlend has paused all operations to investigate the breach. This incident is part of a troubling trend in April 2026, where over $600 million has been stolen from various DeFi protocols, raising concerns about security standards in the sector. The specific attack vector used in this exploit has not yet been disclosed, and users are advised to exercise caution across all connected platforms. Key Points: • Purrlend lost $1.5 million in a dual-network exploit on April 25, 2026. • The attack targeted both HyperEVM and MegaETH, draining $1.2 million and $325,000 respectively. • Purrlend has paused operations while investigating the breach, amid a surge of DeFi attacks in April.

Key Entities

• Data Breach (attack_type)
• Purrlend Exploit (campaign)
• Bybit (company)
• Drift Protocol (company)
• HyperEVM (company)
• HypurrCollective (company)
• KelpDAO (company)