Purrlend, a decentralized lending and borrowing protocol built on HyperEVM, has been hit by a suspected exploit on MegaETH and HyperEVM with losses estimated at $1.5 million. The incident was first flagged by Kirby Ong, founder of HypurrCollective.
Purrlend appears to be exploited on both MegaETH and HyperEVM.
Attacker made off with:
449,683.8748 $USDC
214,125.3752 $USDT0
194,745.1368 $USDH
2.0477 $UBTC
1,581.3418 $wstHYPE
19.6052 $UETH
868.4795 $kHYPE
757.0228 $WHYPE
Total: $1,197,488.33 on HyperEVM+
163,169.1587… pic.twitter.com/SgP4CsK4Ln
— kirbycrypto (@kirbyongeo) April 25, 2026
Funds were drained across the two networks, including approximately $1.2 million from HyperEVM and nearly $325,000 from MegaETH. Purrlend confirmed it had detected irregular activity on the protocol and has since paused operations while the team investigates.
We have detected irregular activity on the protocol and are actively investigating. The protocol has been paused for the time being. Please proceed with extra caution in the meantime. Further updates will be posted from this account.
— Purrlend (@purrlend) April 25, 2026
The attacker made off with nearly $450,000 in USDC, $214,000 in USDT0, and close to $195,000 in USDH, alongside smaller amounts of wrapped Bitcoin and various ecosystem tokens including wstHYPE, kHYPE, WHYPE, and UETH.
April is on pace to be the worst month for theft since the $1.4 billion Bybit breach in February 2025. Crypto losses have surged this month, with more than $600 million stolen from protocols in just 18 days.
Much of the damage traces back to attacks on KelpDAO and Drift Protocol, which together account for an estimated $577 million in losses, putting DeFi security under intense scrutiny.
