April 2026: ShinyHunters Hits Medtronic and ADT as North Korean Hackers Drain DeFi Protocols
April 2026 delivered a concentrated wave of high-impact incidents across healthcare, financial services, consumer platforms, and the decentralized finance ecosystem.
ShinyHunters dominated the month’s breach headlines with a mass extortion campaign that swept up a global medical device manufacturer, a major home security provider, and an educational publisher within weeks of each other. North Korean state-sponsored actors ran parallel operations, draining hundreds of millions from DeFi protocols through multi-month social engineering campaigns and extending their supply chain tradecraft into a new npm compromise.
The downstream consequences of March’s Trivy and TeamPCP attacks continued to surface as well, with Checkmarx confirming that stolen GitHub data had been publicly leaked. Credential theft, cloud platform misconfigurations, and slow detection windows were the defining failure points across the month.
ShinyHunters Claimed Breach of Medtronic, Threatened to Leak Over 9 Million Records
Medical device giant Medtronic confirmed in late April 2026 that an unauthorized party had accessed data within certain corporate IT systems, following a listing by ShinyHunters on their Tor-based leak site. The group claimed to have exfiltrated more than 9 million records containing personally identifiable information, along with terabytes of additional internal corporate data, and gave Medtronic until April 21 to engage in ransom negotiations before threatening a public release.

Threat actor card of ShinyHunters
Medtronic stated the breach did not affect its products, patient safety, customer connections, manufacturing and distribution operations, or financial reporting systems, emphasizing that corporate IT networks are segmented from those supporting its medical devices. The specific types of personal information potentially involved had not been confirmed at the time of disclosure, and the investigation remained ongoing.
The company filed an SEC disclosure on April 24 stating the incident is not expected to have a material financial impact. A proposed class action lawsuit was subsequently filed, alleging the breach resulted from inadequate cybersecurity practices.
ShinyHunters Stole Personal Data of 5.5 Million ADT Customers
ADT disclosed a data breach in an SEC filing on April 20, 2026, reporting unauthorized access to certain cloud-based environments. According to ShinyHunters, the intrusion began with a vishing call that convinced an ADT employee to hand over their Okta SSO credentials, after which the group pivoted into the company’s Salesforce environment and extracted customer records. ShinyHunters added ADT to its leak site on April 24, claimed a haul of over 10 million records, and set April 27 as a final deadline before threatening to release the data.
ADT’s investigation confirmed the scope of exposed data was restricted to contact details such as names, phone numbers, and physical addresses, with a secondary subset of records also including dates of birth and the last four digits of Social Security numbers (SSNs) or Tax IDs. Have I Been Pwned logged 5.5 million unique email addresses in the leaked dataset. No payment data was accessed and customer security systems were not affected.
ShinyHunters Exploited Salesforce Misconfiguration to Breach McGraw Hill, Leak 13.5 Million Accounts
Educational publisher McGraw Hill confirmed a data breach in April 2026 after ShinyHunters listed the company on its leak site, claiming to have stolen 45 million Salesforce records and setting a ransom deadline of April 14. McGraw Hill attributed the incident to a misconfiguration in a Salesforce-hosted environment, describing it as part of a broader Salesforce misconfiguration affecting multiple organizations. Salesforce publicly denied any compromise of its own platform, stating the event was not related to any known vulnerability in its technology.
After the extortion attempt went unanswered, ShinyHunters released the full dataset. Have I Been Pwned identified 13.5 million unique email addresses across the leaked files, with additional personal fields such as names, physical addresses, and phone numbers present in portions of the records but not uniformly across all of them. Over 100GB of data was made publicly available. McGraw Hill stated the incident did not involve unauthorized access to its Salesforce accounts, courseware, customer databases, or internal systems, and said it would work with Salesforce to address the misconfiguration.

SOCRadar’s Threat Actor Intelligence
Medtronic, ADT, and McGraw Hill are three confirmed victims in a much wider ShinyHunters campaign throughout April that swept up dozens of organizations. Tracking the full blast radius of a threat actor running simultaneous operations at this scale requires continuous visibility into their infrastructure, tactics, and target lists. SOCRadar’s Cyber Threat Intelligence module maintains up-to-date profiles on active groups like ShinyHunters, covering their known access methods, historical campaigns, and evolving targeting patterns, so your team has the context to act before a listing on a leak site becomes a headline.
Drift Protocol Lost $280 Million After North Korean Hackers Gained Admin Control
Solana-based DeFi platform Drift Protocol suffered a $280 million theft in April 2026, after a threat actor seized administrative control of its Security Council, the multisignature governance mechanism responsible for authorizing critical protocol changes. Researchers linked the attack to North Korean actors, and Drift’s post-mortem described it as a highly sophisticated operation approximately six months in the making, with on-chain staging beginning on March 11 and the final exploit setup initiated on March 23.
The attack exploited Solana’s durable nonce feature, which lets a transaction be signed in advance and submitted later without expiring: instead of referencing a recent blockhash that goes stale within roughly a minute, the transaction references a nonce account whose stored value only changes when the nonce is advanced. The threat actors spent several months posing as a legitimate trading firm, completing standard onboarding, depositing over $1 million of their own capital, and participating in working sessions with Drift contributors. Through this social engineering campaign they collected Security Council signatures on transactions whose purpose had been misrepresented, kept those pre-signed authorizations valid via durable nonces, and then used them to seize Security Council powers and drain the protocol in minutes on April 1.
The incident affected funds in the platform’s borrow and lend features, vault deposits, and trading balances. Drift suspended deposits and withdrawals immediately after the exploit was executed.
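The practical lesson for anyone holding a key on a multisig is that a durable-nonce transaction looks like any other at signing time, but the signature never expires. The following signer-side triage is an added illustration, not Drift’s or Solana’s code: it models only the message fields the check needs (a real message would be decoded with an SDK first), and the governance program ID, account names and blockhash strings are constructed placeholders. The one fact it relies on is structural: a durable-nonce transaction must begin with the System Program’s AdvanceNonceAccount instruction (discriminator 4), and its "recent blockhash" is the nonce account’s stored value.

```python
"""Signer-side triage for Solana transactions presented to a multisig member.

Added illustration, not Drift's or Solana's own code. Only the fields the check
needs are modelled; real messages are compact binary-encoded and would be
parsed with an SDK first. Account keys and blockhashes below are placeholders.
"""
import struct
from dataclasses import dataclass

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
# SystemInstruction discriminator for AdvanceNonceAccount: u32 little-endian 4.
ADVANCE_NONCE_ACCOUNT = 4


@dataclass
class Instruction:
    program_id: str
    accounts: list       # account keys in the order the instruction expects them
    data: bytes


@dataclass
class Message:
    signers: list
    recent_blockhash: str  # for a durable-nonce tx this is the nonce account's stored value
    instructions: list


def is_durable_nonce_tx(msg: Message) -> bool:
    """True if the message is a durable-nonce transaction.

    Such a transaction must start with System Program AdvanceNonceAccount, and its
    recent_blockhash is the nonce value, so a signature over it stays valid until
    the nonce is advanced rather than expiring after ~150 slots.
    """
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    if first.program_id != SYSTEM_PROGRAM_ID or len(first.data) < 4:
        return False
    (discriminator,) = struct.unpack("<I", first.data[:4])
    return discriminator == ADVANCE_NONCE_ACCOUNT


def triage(msg: Message, recent_blockhashes: set) -> dict:
    """Verdict a human approver can act on before adding a multisig signature."""
    if is_durable_nonce_tx(msg):
        # Account order for AdvanceNonceAccount: nonce account, RecentBlockhashes sysvar, authority.
        nonce_account = msg.instructions[0].accounts[0]
        return {
            "verdict": "ESCALATE",
            "reason": f"durable nonce via {nonce_account}: signature does not expire",
            "programs_invoked": [ix.program_id for ix in msg.instructions[1:]],
        }
    if msg.recent_blockhash not in recent_blockhashes:
        return {"verdict": "REJECT", "reason": "stale blockhash; would fail on-chain anyway"}
    return {"verdict": "OK", "reason": "short-lived blockhash; expires within roughly a minute"}


# --- constructed sample data (hypothetical program ID and keys) -------------
GOVERNANCE_PROGRAM = "Gov11111111111111111111111111111111111111111"
RECENT_BLOCKHASHES = {"BLOCKHASH_SLOT_41000", "BLOCKHASH_SLOT_41001"}


def sample_durable_nonce_tx() -> Message:
    advance = Instruction(SYSTEM_PROGRAM_ID,
                          ["NonceAcct111", "RecentBlockhashesSysvar", "NonceAuthority111"],
                          struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
    council_change = Instruction(GOVERNANCE_PROGRAM, ["Council111", "NewSigner111"], b"\x07")
    return Message(["Member1", "Member2"], "NONCE_VALUE_STORED_IN_ACCOUNT", [advance, council_change])


def sample_ordinary_tx() -> Message:
    council_change = Instruction(GOVERNANCE_PROGRAM, ["Council111", "NewSigner111"], b"\x07")
    return Message(["Member1"], "BLOCKHASH_SLOT_41001", [council_change])


if __name__ == "__main__":
    for tx in (sample_durable_nonce_tx(), sample_ordinary_tx()):
        print(triage(tx, RECENT_BLOCKHASHES))
```

The point of the ESCALATE verdict is that a durable-nonce request should never be approved on the strength of a working session alone; the approver should confirm out of band what the nonce authority is, who can advance it, and why the transaction cannot simply be signed and broadcast immediately.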
Lazarus Group Drained $290 Million From KelpDAO by Compromising LayerZero Verification Servers
On April 18, 2026, KelpDAO, a DeFi protocol built around liquid restaking on Ethereum, detected suspicious cross-chain activity involving its rsETH token and paused relevant contracts across mainnet and Layer 2 networks. LayerZero confirmed the theft of approximately $290 million and attributed it with preliminary confidence to Lazarus Group, specifically the TraderTraitor cluster. The attack marked the largest single crypto exploit of 2026 to date, surpassing the Drift breach earlier in the month.

Threat actor card of Lazarus
The attackers subverted the DVN that KelpDAO relied on by poisoning two of the RPC nodes it read from and knocking the rest offline via DDoS, leaving the verifier with only the attacker’s view of the source chain; they then used that foothold to get a fraudulent instruction verified and drained roughly $292 million in rsETH. A secondary attempt targeting an additional 40,000 rsETH was blocked after Kelp blacklisted the attacker’s wallet. Stolen funds were routed through Tornado Cash to obscure the trail. LayerZero noted that KelpDAO had chosen a 1-of-1 DVN configuration, relying on a single Decentralized Verifier Network despite prior recommendations to diversify, so compromising that one verifier’s view of the chain was sufficient. The attack also rippled into lending protocols Compound, Euler, and Aave, with the latter temporarily freezing new rsETH deposits and borrowing.
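Two configuration choices made the forged message verifiable: a single required DVN, and a verifier that kept attesting when most of its RPC nodes went dark. The toy model below is an added illustration, not LayerZero’s or Kelp’s code; the DVN names, RPC counts, thresholds and payload hashes are constructed. It shows the same poisoned-plus-DDoSed RPC set under four configurations: 1-of-1 with a fail-open verifier (the forged hash verifies), 1-of-1 without the DDoS (honest nodes contradict the poisoned ones), 1-of-1 with a verifier that fails closed below a minimum number of live nodes, and two required DVNs on independent infrastructure.

```python
"""Toy model of DVN-based cross-chain verification.

Added illustration, not LayerZero's or Kelp's code. A DVN reads a message's
payload hash from several RPC nodes and attests to it; the destination accepts
a message once the DVN configuration is satisfied. All names, node counts,
thresholds and hashes below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RpcNode:
    name: str
    online: bool
    payload_hash: str  # hash this node reports for the cross-chain message


@dataclass
class Dvn:
    """A verifier that reads the source chain through several RPC nodes."""
    name: str
    rpcs: List[RpcNode]
    min_responses: int  # refuse to attest below this many live nodes

    def attest(self) -> Optional[str]:
        seen = [r.payload_hash for r in self.rpcs if r.online]
        if len(seen) < self.min_responses:
            return None          # not enough independent views: fail closed
        if len(set(seen)) != 1:
            return None          # live nodes disagree: refuse to attest
        return seen[0]


@dataclass
class DvnConfig:
    required: List[Dvn]                          # every one of these must attest
    optional: List[Dvn] = field(default_factory=list)
    optional_threshold: int = 0                  # how many optional DVNs must also attest


def verified_hash(cfg: DvnConfig) -> Optional[str]:
    """Payload hash the destination may execute, or None if verification fails."""
    required = [d.attest() for d in cfg.required]
    if not required or any(h is None for h in required):
        return None
    optional = [h for h in (d.attest() for d in cfg.optional) if h is not None]
    if len(optional) < cfg.optional_threshold:
        return None
    if len(set(required + optional)) != 1:
        return None              # any disagreement between DVNs fails closed
    return required[0]


HONEST = "0xaa..honest-payload"   # constructed
FORGED = "0xbb..forged-unlock"    # constructed


def targeted_dvn(min_responses: int, ddos: bool) -> Dvn:
    """Five RPC nodes: two poisoned, three honest (offline when DDoSed)."""
    return Dvn("dvn-A", [
        RpcNode("rpc-1", True, FORGED), RpcNode("rpc-2", True, FORGED),
        RpcNode("rpc-3", not ddos, HONEST), RpcNode("rpc-4", not ddos, HONEST),
        RpcNode("rpc-5", not ddos, HONEST),
    ], min_responses)


def independent_dvn() -> Dvn:
    """A second verifier on its own RPC infrastructure, untouched by the attack."""
    return Dvn("dvn-B", [RpcNode("rpc-x", True, HONEST), RpcNode("rpc-y", True, HONEST)], 2)


def scenario_1of1_fail_open() -> Optional[str]:
    return verified_hash(DvnConfig(required=[targeted_dvn(min_responses=1, ddos=True)]))


def scenario_1of1_no_ddos() -> Optional[str]:
    return verified_hash(DvnConfig(required=[targeted_dvn(min_responses=1, ddos=False)]))


def scenario_1of1_fail_closed() -> Optional[str]:
    return verified_hash(DvnConfig(required=[targeted_dvn(min_responses=3, ddos=True)]))


def scenario_two_required() -> Optional[str]:
    return verified_hash(DvnConfig(
        required=[targeted_dvn(min_responses=1, ddos=True), independent_dvn()]))


if __name__ == "__main__":
    for fn in (scenario_1of1_fail_open, scenario_1of1_no_ddos,
               scenario_1of1_fail_closed, scenario_two_required):
        print(f"{fn.__name__}: {fn()}")
```

The no-DDoS scenario is the instructive one: with honest nodes still answering, the poisoned nodes only produce a disagreement, which is why the attackers needed to silence the rest. A verifier that treats a sudden loss of quorum as a reason to stop attesting, combined with more than one required DVN, removes both preconditions.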
North Korean Hackers Used Fake Microsoft Teams Call to Compromise Axios npm Package
On March 31, 2026, two malicious versions of the widely used Axios HTTP client library (1.14.1 and 0.30.4) were published to the npm registry after a maintainer’s account was compromised through a social engineering campaign attributed to North Korean threat actors tracked as UNC1069.
The packages injected a dependency named plain-crypto-js that installed a cross-platform remote access trojan on macOS, Windows, and Linux systems. The malicious versions remained available for approximately three hours before being removed.

plain-crypto-js after takedown
The attack began with threat actors building an elaborate fake company identity, complete with a Slack workspace, LinkedIn profiles, and fabricated personas, to gain the trust of the lead Axios maintainer. During a staged Teams call, a fake technical error prompted the maintainer to install what appeared to be a Teams update, which was in fact a remote access trojan that gave the attackers remote access to extract npm publishing credentials. Other maintainers reported similar attempts. Google’s Threat Intelligence Group attributed the operation to UNC1069 using WAVESHAPER.V2 tooling. Axios maintainers wiped affected systems, reset all credentials, and announced plans to implement additional safeguards.
For further information regarding this incident, visit SOCRadar’s blog post “Axios npm Hijack 2026: Everything You Need to Know – IOCs, Impact & Remediation.”
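A three-hour exposure window is long enough for CI pipelines and developer machines that resolve `^1.14.0` to have pulled the bad build. The scanner below is an added example, not Axios project tooling: it walks an npm lockfile (lockfileVersion 1, 2 and 3 layouts) and reports the two Axios versions named above and any occurrence of the injected dependency. The embedded lockfiles are constructed, and the plain-crypto-js version in them is a placeholder.

```python
"""Scan an npm lockfile for the hijacked Axios builds and the injected dependency.

Added illustration, not the Axios project's tooling. The lockfile contents at
the bottom are constructed; the plain-crypto-js version is a placeholder.
"""
import json

BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
INJECTED_DEPENDENCY = "plain-crypto-js"


def _check(name: str, version: str, where: str, findings: list) -> None:
    if name == "axios" and version in BAD_AXIOS_VERSIONS:
        findings.append({"package": name, "version": version, "where": where,
                         "reason": "axios version published from the hijacked account"})
    if name == INJECTED_DEPENDENCY:
        findings.append({"package": name, "version": version, "where": where,
                         "reason": "dependency injected by the malicious axios builds"})


def _walk_v1(deps: dict, prefix: str, findings: list) -> None:
    """lockfileVersion 1: nested 'dependencies' trees."""
    for name, meta in deps.items():
        where = f"{prefix}node_modules/{name}"
        _check(name, meta.get("version", ""), where, findings)
        _walk_v1(meta.get("dependencies", {}), where + "/", findings)


def scan_lockfile(text: str) -> list:
    """Return a list of findings for package-lock.json / npm-shrinkwrap.json text."""
    lock = json.loads(text)
    findings: list = []
    if "packages" in lock:                      # lockfileVersion 2 and 3: flat path map
        for path, meta in lock["packages"].items():
            if not path:
                continue                        # "" is the root project itself
            # Aliased packages carry an explicit name; otherwise derive it from the path
            # (handles nesting and @scope/name since the split is on the last node_modules/).
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            _check(name, meta.get("version", ""), path, findings)
    else:                                       # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return findings


# --- constructed sample lockfiles ----------------------------------------
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/plain-crypto-js": {"version": "0.0.0"},   # placeholder version
        "node_modules/follow-redirects": {"version": "1.15.0"},
    },
})

SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "0.30.4",
                  "dependencies": {"plain-crypto-js": {"version": "0.0.0"}}},
        "lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for sample in (SAMPLE_LOCKFILE_V3, SAMPLE_LOCKFILE_V1):
        for f in scan_lockfile(sample):
            print(f"{f['where']}: {f['package']}@{f['version']} - {f['reason']}")
```

Run it against every `package-lock.json` and `npm-shrinkwrap.json` in the repository and against CI caches; a clean lockfile still does not prove a developer machine that ran `npm install` during the window is clean, which is why the maintainers’ own response was to wipe and rotate rather than only revert.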
Checkmarx Confirmed LAPSUS$ Leaked 96GB of GitHub Data Tied to March Supply Chain Attack
In late April 2026, Checkmarx confirmed that LAPSUS$ had released data taken from its private GitHub repository, with a package of roughly 96GB distributed across both Dark Web and clearnet sites.
The compromise traces to the TeamPCP supply chain attack in March, which poisoned the Trivy vulnerability scanner and gave attackers credential access to downstream organizations. Those credentials were used to enter Checkmarx’s GitHub environment, where malicious code was pushed to several artifacts including Docker images and VS Code extensions for the KICS security scanner, and data was exfiltrated on March 30.

Threat actor card of TeamPCP
Despite initial containment, including credential rotation and blocking attacker infrastructure, the threat actors either retained or regained access and published an additional round of malicious code by April 22. Checkmarx confirmed the LAPSUS$ archive originated from the March 23 compromise and stated that customer data is not stored in the affected repository. LAPSUS$ claimed the stolen materials included source code, employee databases, API keys, and database credentials.
Basic-Fit Data Breach Exposed Financial and Personal Data of 1 Million Gym Members
Basic-Fit disclosed on April 13, 2026, that an unauthorized party had accessed one of its internal systems, specifically the platform used to log member check-ins at its clubs, and copied data belonging to approximately 1 million active members. Basic-Fit’s own monitoring tools detected and terminated the access within minutes, though the investigation later confirmed that a portion of the data had already left the environment before the session was closed. At least 200,000 of those affected are based in the Netherlands. Franchise clubs in six additional countries run on a separate system and were not involved.
Stolen data included full names, physical addresses, email addresses, phone numbers, dates of birth, and bank account details. Passwords and identity documents were not accessed. Basic-Fit notified the relevant data protection authorities and informed affected members directly. Additional reporting suggested the access occurred on April 8 and that the compromised system may have also contained behavioral data such as recent visit records and mobile device descriptors, which could make follow-on social engineering attempts more convincing.
Grinex Exchange Halted Operations After $13.7 Million Theft
Cryptocurrency exchange Grinex suffered a $13.7 million theft on April 15, 2026, and subsequently suspended all operations. In a statement posted to its Telegram channel, Grinex blamed intelligence services of what it called hostile states, framing the incident as a deliberate move against Russia’s financial infrastructure, without offering any supporting technical evidence.
Grinex is widely reported to be a rebrand of Garantex, a Russian exchange whose administrator was arrested and whose domains were seized in 2025 over allegations of processing over $100 million in illicit transactions. The U.S. Treasury sanctioned Grinex in August 2025 as a continuation of Garantex’s operations. Stolen funds were routed through TRON and Ethereum addresses and converted to TRX and ETH via the SunSwap protocol.
TRM Labs identified roughly 70 attacker addresses and noted that TokenSpot, an exchange with reported links to Grinex, was simultaneously compromised. Grinex filed a criminal complaint with local authorities before shutting down.
Bitcoin Depot Disclosed $3.6 Million Bitcoin Theft After Credential-Based Intrusion
Bitcoin Depot disclosed in an SEC filing on April 6, 2026, that an unauthorized party accessed its IT systems on March 23 and transferred approximately 50.903 Bitcoin, valued at roughly $3.665 million, out of company-controlled wallets using stolen credentials for its digital asset settlement accounts. The company detected the breach on March 23, activated incident response protocols, engaged external cybersecurity experts, and notified law enforcement.
Bitcoin Depot stated the incident was contained to its corporate environment and did not affect customer platforms, systems, or data. No specific threat group was named in the disclosure. Blockchain researcher ZachXBT identified suspicious outflows beginning as early as March 20, suggesting the funds may have been moved three days before the company detected the breach and that the total transferred could be closer to 54 Bitcoin.
Monitor Your Exposure With SOCRadar’s Dark Web Monitoring
Data stolen in breaches rarely disappears after the initial disclosure. Credentials, financial records, and personal data continue circulating across underground forums, paste sites, and private leak channels long after the headlines fade, and organizations are often the last to find out.
SOCRadar’s Dark Web Monitoring keeps watch across these sources around the clock, covering:
- Leaked credentials and compromised accounts
- Stolen corporate and customer data
- Threat actor mentions of your organization
- Exposed source code and internal documents

SOCRadar’s Dark Web Monitoring
Moreover, the Cyber Threat Intelligence module provides continuously updated profiles on the groups behind this month’s attacks, from ShinyHunters and LAPSUS$ to Lazarus and UNC1069, covering their TTPs, infrastructure, and sector targeting. Supply Chain Intelligence tracks exposure risks across your third-party ecosystem before a vendor breach becomes your incident, so your team gets an early warning instead of a late surprise.
