
LayerZero Says Lazarus Group Likely Behind Kelp DAO Exploit

LayerZero has attributed the Kelp DAO exploit to North Korea

LayerZero has attributed the Kelp DAO exploit to North Korea’s Lazarus Group, identifying a single point of failure within the protocol’s verifier setup as the technical root cause that made the attack possible.

The breach drained an estimated $292 million from Kelp DAO’s rsETH pool on April 18, making it the largest DeFi hack of 2026 so far, and sent total value locked across the DeFi sector down 7% in 24 hours to $85 billion, according to DefiLlama.

[Chart: DeFi Total Value Locked. Source: DefiLlama]

The attribution lands not as a closed finding but as a probabilistic claim: LayerZero says Lazarus is the likely perpetrator, not a confirmed one. What that distinction means for the protocol, its users, and the cross-chain security model is the question this story answers.

Key Takeaways:

  • Attribution source: LayerZero carried out the post-incident investigation and named North Korea’s Lazarus Group, specifically the TraderTraitor subgroup, as the likely perpetrator.
  • Technical root cause: Kelp DAO operated a 1-of-1 DVN (single decentralized verifier node) setup, ignoring LayerZero’s repeated recommendations for multi-verifier redundancy.
  • Exploit amount: Approximately $292 million drained from Kelp DAO’s rsETH pool; no LayerZero protocol code or private keys were compromised.
  • Market impact: DeFi TVL fell 7% in 24 hours to $86 billion following the incident.
  • Response: LayerZero decommissioned affected RPC nodes and restored full DVN operations; law enforcement collaboration is ongoing for fund tracing.
  • Watch: Whether Kelp DAO announces a compensation mechanism, and whether other cross-chain protocols running single-DVN configurations move to remediate before the next attack.


LayerZero’s Kelp DAO Lazarus Findings: What a Single-Point Failure Actually Means in Cross-Chain Architecture

The exploit’s mechanism was multi-step and precise. Attackers poisoned the RPC infrastructure feeding LayerZero’s decentralized verifier network, then launched a DDoS attack designed to force failover to compromised backup nodes.

With the verifier network redirected, the system validated fictitious cross-chain transactions, and $292 million in rsETH exited Kelp DAO’s pool before the fraud was detected.

The critical enabler: Kelp DAO ran a 1-of-1 DVN configuration, meaning a single verifier node stood between the protocol and catastrophic failure. LayerZero had flagged this architecture as inadequate, multiple times according to the investigation, and recommended a multi-DVN setup per industry best practices for redundancy. Kelp DAO did not act on those recommendations.

A multi-DVN setup would have required attackers to compromise several independent verification nodes simultaneously, a significantly harder technical lift. The 1-of-1 setup collapsed that barrier entirely. As Ripple CTO David Schwartz put it on X: “The assault was far more subtle than I anticipated and aimed toward LayerZero infrastructure making the most of KelpDAO laziness.”
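To make the redundancy argument concrete, here is an added simulation (not LayerZero’s or Kelp DAO’s code; the verifier names, message format and HMAC-based attestations are constructed assumptions). Each verifier learns a message’s payload only through its own RPC endpoint, so a verifier whose endpoint reports a fabricated payload will faithfully attest to the fabrication. A receiver that needs a single attestation accepts the forged message; a receiver that needs two of three distinct verifiers rejects it, because the honest verifiers attested to a different payload.

```python
"""Constructed simulation: 1-of-1 verifier versus 2-of-3 verifier quorum.

Not LayerZero's code. A message is identified by (source chain, nonce) and
carries a payload; verifiers attest to the digest of the payload their own RPC
endpoint reports, and the receiver counts distinct trusted verifiers that
attested to exactly the payload being claimed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def message_digest(src_chain: str, nonce: int, payload: str) -> bytes:
    """Canonical digest that verifiers attest to and the receiver recomputes."""
    return hashlib.sha256(f"{src_chain}|{nonce}|{payload}".encode()).digest()


@dataclass
class Verifier:
    name: str
    key: bytes                                  # per-verifier secret; HMAC stands in for a signing key
    rpc_view: Dict[Tuple[str, int], str]        # (src_chain, nonce) -> payload as this verifier's RPC reports it

    def attest(self, src_chain: str, nonce: int) -> Optional[bytes]:
        """Attest to whatever payload this verifier's RPC shows for the message."""
        payload = self.rpc_view.get((src_chain, nonce))
        if payload is None:
            return None                         # this verifier's view of the source chain has no such message
        return hmac.new(self.key, message_digest(src_chain, nonce, payload), hashlib.sha256).digest()


@dataclass
class Receiver:
    verifier_keys: Dict[str, bytes]             # verifier name -> key the receiver trusts
    required: int                               # quorum threshold: 1 for 1-of-1, 2 for 2-of-3

    def accepts(self, src_chain: str, nonce: int, claimed_payload: str,
                attestations: Dict[str, Optional[bytes]]) -> bool:
        """True only if >= `required` distinct trusted verifiers attested to the claimed payload."""
        expected = message_digest(src_chain, nonce, claimed_payload)
        agreeing = set()
        for name, sig in attestations.items():
            key = self.verifier_keys.get(name)
            if key is None or sig is None:
                continue                        # unknown verifier or missing attestation does not count
            want = hmac.new(key, expected, hashlib.sha256).digest()
            if hmac.compare_digest(want, sig):
                agreeing.add(name)              # counted once per verifier, so duplicates cannot pad the quorum
        return len(agreeing) >= self.required


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenario: one verifier reads from a poisoned RPC, two read the real chain."""
    src, nonce = "chainA", 7
    honest_view = {(src, nonce): "mint 10 rsETH to alice"}              # what the source chain really says
    poisoned_view = {(src, nonce): "mint 100000 rsETH to 0xattacker"}   # what the poisoned RPC reports (constructed)
    genuine = honest_view[(src, nonce)]
    forged = poisoned_view[(src, nonce)]

    v1 = Verifier("dvn-1", b"key-1", poisoned_view)                     # fed by the poisoned endpoint
    v2 = Verifier("dvn-2", b"key-2", honest_view)
    v3 = Verifier("dvn-3", b"key-3", honest_view)
    attestations = {v.name: v.attest(src, nonce) for v in (v1, v2, v3)}

    single = Receiver({v1.name: v1.key}, required=1)                      # 1-of-1: the single-DVN setup
    quorum = Receiver({v.name: v.key for v in (v1, v2, v3)}, required=2)  # 2-of-3: multi-DVN redundancy

    return {
        "1of1_accepts_forged": single.accepts(src, nonce, forged, {v1.name: attestations[v1.name]}),
        "2of3_accepts_forged": quorum.accepts(src, nonce, forged, attestations),
        "2of3_accepts_genuine": quorum.accepts(src, nonce, genuine, attestations),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design point is that the receiver never trusts a payload because a verifier vouched for it; it trusts a payload only when enough independent verifiers, each with its own RPC path and key, vouched for the same payload. Redundancy helps only if the verifiers’ RPC dependencies are actually independent, which is why a multi-DVN configuration whose nodes all fail over to the same backup infrastructure would reduce back toward the 1-of-1 case.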

LayerZero’s response was surgical: the team decommissioned all affected RPC nodes post-incident and fully restored DVN operations without broader contagion to other protocols using the same infrastructure. No LayerZero protocol code was compromised. No private keys were exposed. The failure was architectural, not foundational, a distinction that matters enormously for the protocol’s credibility but does nothing to recover the $292 million.

Why North Korea Attribution Changes the Threat Model for All of DeFi

LayerZero’s Lazarus Kelp DAO attribution, framed as likely rather than confirmed, is consistent with an established and accelerating pattern.

The TraderTraitor subgroup, a known Lazarus operational unit, was preliminarily identified in the forensic analysis. LayerZero is actively collaborating with global law enforcement on fund tracing, suggesting the attribution carries enough evidentiary weight to involve state-level investigative resources.

Lazarus has been tied to some of the largest crypto thefts on record, including the $625 million Ronin Network hack in 2022 and a string of DeFi protocol exploits that have collectively funneled billions into the DPRK’s weapons programs, according to U.S. Treasury and UN assessments.

North Korea’s crypto operations extend well beyond direct exploits: the regime has also embedded operatives inside Web3 companies under fabricated identities, a parallel track that widens the attack surface beyond infrastructure alone.

Cross-chain protocols are structurally attractive targets for this class of actor. They sit at high-value junctions between multiple chains, often carrying pooled liquidity that dwarfs any single application’s balance, and their security depends on verifier networks that can become single points of failure when misconfigured. RPC poisoning as a tactic against verifier networks represents a novel escalation, one that security researchers say is now documented and replicable.


The post LayerZero Says Lazarus Group Likely Behind Kelp DAO Exploit appeared first on Cryptonews.
