Coin Bureau host Lewis has used his latest deep-dive to lay out what he calls the most serious structural shift in crypto security since the asset class came into being — a moment when AI has become brutally efficient at finding bugs in smart contracts, and offensive economics have decoupled completely from defensive economics.
The headline numbers are blunt. According to Lewis, 2026 is already the worst year for crypto security on record, even though the calendar has barely cleared four months. Some $450 million was drained from DeFi protocols across 145 separate incidents in the first quarter alone, and a further $66 million has been lost in the first 18 days of April. Total value locked across DeFi has collapsed from $110 billion in January to roughly $82 billion at the time of recording.
"2026 has officially become the worst year for crypto security on record. And we aren't even halfway through it," Lewis said.
The two largest April incidents bracket the problem. On 1 April, Drift Protocol on Solana was drained for approximately $285 million in an attack attributed by both Elliptic and TRM Labs to North Korea's Lazarus Group, following a six-month social-engineering campaign. On 18 April, the KelpDAO bridge was compromised for an additional $293 million, again attributed to Lazarus, this time by exploiting a single-signature validator configuration on a LayerZero adapter. Combined, that is $577 million extracted by a single nation-state actor inside a single month.
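The KelpDAO cause named above, a bridge adapter that accepted a single verifier's signature, is the kind of setting a defender can lint for before deployment. The following is an added illustration written for this article, not code from Coin Bureau, KelpDAO or LayerZero: it models a cross-chain adapter's verifier quorum with a constructed, hypothetical schema (a set of required verifiers plus an optional pool with a threshold) and flags policies where compromising one key is enough to forge a message. Real adapters express their verifier set in their own format, so only the shape of the check carries over.

```python
"""Audit a cross-chain adapter's verifier quorum for single points of failure.

Illustrative code added to this article. The VerifierPolicy schema is a constructed
stand-in for however a real bridge adapter expresses its verifier set.
"""
from dataclasses import dataclass, field


@dataclass
class VerifierPolicy:
    """Who must attest to a cross-chain message before the destination chain acts on it."""
    required: list[str]                                 # verifiers that must always sign
    optional: list[str] = field(default_factory=list)   # additional pool of verifiers
    optional_threshold: int = 0                         # how many of the pool must also sign


def signatures_needed(policy: VerifierPolicy) -> int:
    """Distinct keys an attacker would have to control to forge a message."""
    return len(set(policy.required)) + policy.optional_threshold


def audit_policy(policy: VerifierPolicy) -> list[str]:
    """Return findings in check order; an empty list means the policy passes these checks."""
    findings: list[str] = []
    listed = policy.required + policy.optional

    # The same key listed twice inflates the apparent quorum without adding independence.
    if len(set(listed)) != len(listed):
        findings.append("duplicate verifier: the same key is counted more than once")

    # A threshold larger than the pool can never be met, which is a liveness failure.
    if policy.optional_threshold > len(set(policy.optional)):
        findings.append("unsatisfiable: optional threshold exceeds the optional pool")

    # The KelpDAO-style weakness: one compromised signer is sufficient.
    if signatures_needed(policy) <= 1:
        findings.append("single-signature: compromising one verifier key is enough to forge messages")

    return findings


# Constructed configurations with placeholder addresses (not real deployments).
WEAK_POLICY = VerifierPolicy(required=["0xVERIFIER_A"])
HARDENED_POLICY = VerifierPolicy(
    required=["0xVERIFIER_A", "0xVERIFIER_B"],
    optional=["0xVERIFIER_C", "0xVERIFIER_D", "0xVERIFIER_E"],
    optional_threshold=1,
)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: needs {signatures_needed(policy)} key(s);",
              audit_policy(policy) or ["ok"])
```

The hardened policy requires two fixed verifiers plus one of three others, so three distinct keys must be compromised before a forged message is accepted; the weak policy needs only one. A check like this belongs in the deployment pipeline, next to whatever produces the adapter's on-chain configuration, rather than in a post-incident review.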
What changes the calculus, in Lewis' framing, is the parallel emergence of frontier AI models specifically tuned for offensive security work. Anthropic on 7 April publicly announced a model it is calling Claude Mythos, released under a restricted-access defensive program known as Project Glass Wing.
"It is a frontier system specifically designed for autonomous cyber security research, autonomous coding, and complex multi-step reasoning," Lewis said.
The disclosed discoveries are unusually large in scope: a 27-year-old denial-of-service vulnerability inside the OpenBSD TCP-SACK implementation; a 17-year-old remote-code-execution flaw in the FreeBSD NFS subsystem; a 16-year-old vulnerability in FFmpeg, the multimedia framework that underpins a meaningful share of the modern internet's video infrastructure. Anthropic's own claims, according to Lewis, are that the model has identified thousands of additional high-severity zero-days, with roughly 99% of them still unpatched as of mid-April.
The smart-contract benchmark is where the story collides with crypto directly. Anthropic researchers, working with the MATS Fellowship, built what is being called Scone Bench — a 405-contract suite of historical exploits across Ethereum, BNB Smart Chain and Base. Frontier AI models produced fully working exploits for 207 of them, a 51.1% success rate, with simulated stolen funds exceeding $550 million across that single benchmark.
The economic step-change, Lewis argued, is in the cost of running an exhaustive AI-powered audit. According to Anthropic's own published cost data, scanning a single smart contract is now around $1.22, against $50,000 to $500,000 for a tier-one human-led audit, with inference costs falling roughly 23% every two months.
"The entire deployed surface area of every smart contract in DeFi history can now be scanned for less than the price of a single tier-one audit. The defensive side cannot scale fast enough to keep up," Lewis said.
The institutional response has now moved to the highest level of US economic policy. Between 8 and 10 April, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency closed-door meeting in Washington with the chief executives of America's largest banks — Bank of America, Citigroup, Goldman Sachs, Morgan Stanley and Wells Fargo — focused on the systemic risk posed by Mythos-class AI capabilities to legacy payment infrastructure.
Bank of England Governor Andrew Bailey has publicly warned that this generation of AI has the unique capability to, in his words, crack the whole cyber risk world open by stringing together multi-step attacks that legacy patching cannot mitigate. JP Morgan chief executive Jamie Dimon has separately said AI will almost surely make cyber-security risk worse in the near term, even as the bank allocates $19.8 billion to its 2026 technology budget.
