Lending protocol Purrlend has been hit by a $1.5 million exploit, marking the worst month for DeFi security in the past. The incident occurred when PurRLend detected irregular activity across its deployments on both MegaETH and HyperEVM networks. The attacker drained roughly $1.,2 million from HyperEV, including 449,683 USDC and 214,125 USDT0, along with 194,745 USDH, and smaller amounts of UBTC (a tokenized version of Bitcoin), wstHYPE, UETH, and WHYPE. The breach triggered $13 billion in DeFi withdrawals within two days, with lending giant Aave losing $8.45 billion in deposits. Other incidents include Volo Protocol losing $3.5m from vaults holding Bitcoin and stablecoin deposits, GiddyDefi being exploited for $1,3m due to a flaw in how it verified transaction approvals, and CoW Swap losing $2.2 million due to domain hijacking attack. DeFi losses have now surpassed $750 million in 2026.