Security exploits are weighing on institutional appetite for decentralized finance (DeFi), even as broader crypto adoption continues through stablecoins and tokenized assets.

In an April research note, JPMorgan analysts said that bridge security remains a challenge for the industry, raising questions on whether DeFi can grow to support further institutional adoption. 

The recent exploit on the Versus-Ethereum bridge was the eighth major attack against DeFi bridges in 2026 so far, with cumulative losses totalling $328.6 million.

DeFi bridges remain prime targets for hackers seeking to steal millions of dollars. Source: PeckShield

Misha Putiatin, CEO of smart contract security firm Statemind and co-founder of DeFi protocol Symbiotic, said he regularly fields calls from major traditional institutions exploring DeFi exposure, often with bad timing. 

“Five minutes before I have a call with a big traditional institution, another big hack,” he told Cointelegraph. 

“They sit there looking at me like, ‘Is this normal? Is this every day for you?”

Still, institutions may get into DeFi, but the terms on which they arrive could reshape it into something that looks a lot more like traditional finance than the open, permissionless system its builders envisioned. 

DeFi has become too complex for DYOR

At the beginning of April, North Korea’s Lazarus Group was implicated in the $285 million Drift Protocol exploit, carried out through a months-long social engineering campaign in which infiltrators approached Drift contributors at an in-person crypto conference.

The same actors were blamed for the KelpDAO breach a few weeks later, which drained about $290 million from the protocol’s cross-chain bridge. 

Total value locked across DeFi fell to around $86 billion from just under $100 billion in two days following the KelpDAO hack in April. The outflows came from pools with no direct exposure to compromised assets, said JPMorgan analysts.

DeFi pools lost around $14 billion following the attack on KelpDAO. Source: DefiLlama

Related: Wall Street’s tokenization boom has a liquidity problem: Axis CEO

Putiatin said the complexity of modern DeFi makes it nearly impossible for ordinary users to know where their risk actually sits. “Do your own research doesn’t work anymore,” he said. “It hasn’t been working for a really long time.”

He explained that the system has become too interconnected and complex to trace. 

For example, when a user deposits Ether (ETH) to earn yield while never touching any other token, they can still get hit by a breach on a bridge connected to a token they’ve never even heard of. 

Do your own research, or DYOR, is an industry mantra born in the early days of Bitcoin, when protocols were simple enough that a user could read a whitepaper and make an informed decision. 

Today, with smart contracts running up to tens of thousands of lines of code, protocols layered on top of one another, and new services and tokens launching at breakneck speed, that expectation has become almost impossible to meet.

“I’m not ever expecting people that just want to invest their money to ever figure out every part of the stack themselves,” Putiatin said.

“I’m not going to spend the next two years of my life trying to figure out how to get a 6% yield,” he added, claiming that traditional finance alternatives are close enough in return that the DeFi’s security risk rarely makes sense for most investors.

A shrinking premium for an unquantifiable risk

Tether (USDT), the world’s largest stablecoin, offers a supply APY of 2.74% on Aave’s Ethereum market, the biggest DeFi lending protocol. That’s below the 3.57% available on a three-month US Treasury bill. Circle’s USDC (USDC) fares better at 4.14%.

Supply and borrow APY on Aave’s Ethereum market. Source: Aave

Related: Why stablecoins and SWIFT may have to coexist

Putiatin said institutions see this clearly, even if they struggle to quantify it precisely. The problem is that institutions have no reliable framework for pricing the hack risk sitting underneath them. 

“They can’t price risk properly,” he said. “So they discount the yield we provide by a lot.”

DeFi yields have compressed as the market has matured, eroding the premium that once justified the risk. 

At the same time, the hacks have not slowed down. For investors used to underwriting risk with actuarial precision, shrinking upside and unquantifiable downside is a hard sell.

The cost of DeFi’s seat at the table

Putiatin’s benchmark for when DeFi has genuinely turned a corner is an onchain insurance system capable of underwriting hack risk across the entire ecosystem and pricing it with the kind of actuarial precision that institutions require.

“When we have circuit breakers, curators that can do due diligence, and a framework for that — we will get the fourth one that we desperately need as an industry,” he said. “We will get insurance.”

DeFi has lost over $7.76 billion to exploits, according to DeFiLlama data tracing back to 2016. Though DeFi insurance providers exist, their capacity remains too small to backstop anything approaching institutional scale.

Without that infrastructure, institutions that do come in will do so on their own terms, demanding full know-your-customer checks, custodial controls and tokens that can be frozen at any time.

The open, permissionless architecture that made DeFi worth building gets stripped to satisfy compliance requirements.

“All of the benefits that we have as an industry, they kind of go away,” he said. “Blockchain becomes just a database.”

It is an outcome Putiatin finds more troubling than the hacks themselves. The hacks, at least, are a problem the industry can work on. A version of DeFi that institutions have hollowed out to make it safe enough for their mandates is a surrender of everything the technology was supposed to change.

Magazine: 5 tech predictions the mainstream media got horribly wrong

Boerse Stuttgart Group’s tokenized securities settlement platform Seturion has partnered with Societe Generale, its crypto subsidiary SG-Forge and online broker flatexDEGIRO to build out a blockchain-based securities settlement system across Europe.

Under the plan, Societe Generale will issue tokenized structured securities, such as turbo warrants and investment certificates, on Seturion, according to a Thursday announcement. SG-Forge, which holds a Markets in Crypto-Assets authorization from French regulators, will settle transactions using its CoinVertible euro and dollar stablecoins, EURCV and USDCV.

FlatexDEGIRO, which says it serves serve 3.5 million customers across 16 countries, will also connect its retail investor flow to the platform.

Source: Societe Generale Forge

Seturion has submitted a license application to Germany’s financial regulator BaFin under the European Union’s DLT Pilot Regime, though approval is still pending, a Boerse Stuttgart representative told Cointelegraph.

Related: Europe Bitcoin Treasury Model Won’t Mirror Strategy: PBW 2026

Nasdaq’s European venues to join Seturion

Nasdaq’s European trading venues will also connect to Seturion to facilitate trading of tokenized securities settled through the platform. The two platforms previously announced a partnership in March, revealing plans to build out a broader ecosystem of issuers, brokers and financial institutions across Europe to cut settlement costs and reduce the fragmentation.

“With Seturion, we are building the European settlement platform for the unified European capital market,” said Matthias Voelkel, CEO of Boerse Stuttgart Group. “As an open industry solution, Seturion contributes to overcoming Europe’s fragmented settlement landscape,” he added.

Boerse Stuttgart launched Seturion in September 2025 to replace Europe’s fragmented national settlement systems with a single open infrastructure. The platform supports public and private blockchains, settles in both central bank money and onchain cash, and is already live at BX Digital, Switzerland’s FINMA-regulated DLT trading facility.

Related: Augustus CEO says banks can’t rebuild for AI and stablecoins

European bank consortium Qivalis expands to 37 members

The Seturion deal comes as European financial institutions race to build regulated blockchain infrastructure. Qivalis, a European banking consortium building a MiCA-compliant euro stablecoin, has grown to 37 member institutions after adding 25 banks across 15 countries, including ABN AMRO, Rabobank, Nordea and Intesa Sanpaolo.

The Amsterdam-based group, which is pushing to build regulated alternatives to US dollar-dominated stablecoins, is targeting a second-half 2026 launch.

Magazine: eToro founder timed Bitcoin top perfectly due to belief in 4 year cycles

AI-powered crypto trading assistant Bankr said it disabled transactions after identifying an attacker who gained access to at least 14 wallets, with users reporting that as much as $150,000 in crypto was drained from some. 

In an X post on Tuesday, Bankr said it was investigating reports that several wallets had been compromised and that transaction activity, including swaps, transfers and deployments, had been disabled “out of caution” while the investigation continues.

“We’ve identified an attacker was able to access 14 Bankr wallets. We’ve temporarily locked things down while we work through the details. We will be reimbursing any and all lost funds. Will provide more updates as we have them,” it added.

Bankr allows users to prompt AI to trade, transfer and launch tokens using plain language rather than a standard wallet interface. It also automatically creates a crypto wallet for every X handle that interacts with its bot. Earlier this year, someone reportedly exploited this feature and tricked Grok into requesting that Bankr launch a token, then drained funds from the token into a wallet they controlled.

Source: Bankr

Crypto hackers have been active in recent months. Bad actors stole more than $168.6 million in crypto in the first quarter. April saw the two largest hacks of the year so far: the $280 million Drift Protocol exploit at the start of the month and the $292 million Kelp exploit. More recently, Verus Protocol’s Ethereum bridge was exploited Monday.

Social engineering attack targeting bot could be to blame

SlowMist founder Yu Xian said the exploit, from Bankrbots’ own reply, was likely a social engineering scheme targeting the AI agent, adding that three identified attacker addresses collectively hold $440,000 in crypto.

“It was a social engineering exploit targeting the trust layer between automated agents—specifically an interaction between grok and Bankrbot that allowed unauthorized transaction signing,” Xian said.

Source: Yu Xian

“It seems like a combo of social engineering exploits targeting Grok + Bankrbot. Previously, the wallet-related assets allocated by Bankrbot to Grok were also stolen through a similar combo, prompt injection exploitation,” he added.

Don’t sign transactions until further notice: Bankr

Bankr has recommended that users avoid signing transactions until further notice and warned one individual that their seed phrase “is likely in the hands of an attacker.”

Bankr also said anyone with a compromised wallet should stop using it, create a new wallet, generate a new seed phrase on a clean device, move any remaining tokens or nonfungible tokens to the new address and revoke approvals if remaining assets can’t be moved.

Related: Aethir halts bridge exploit, promises compensation after $90K loss 

“Attackers often use existing approvals to drain funds. Check your devices, scan your computer and phone for malware or suspicious browser extensions. If you used a software wallet, the leak likely came from your device,” Bankr added.

Losses could reportedly be up to $150,000 per wallet

Some X users reported as much as $150,000 in crypto had been drained from affected wallets.

Tech entrepreneur Austen Allred said a Bankr wallet connected to his Kelly Claude AI assistant project was among those compromised. The hacker stole Ether (ETH), but none of the project’s memecoin stash was touched. 

Source: Austen Allred

“There’s no evidence anyone other than myself ever logged into the Bankr account; they must have accessed the keys some other way,” Allred added.

Magazine: The legal battle over who can claim DeFi’s stolen millions