LayerZero links $292M Kelp DAO exploit to DPRK-linked Lazarus Group
LayerZero Labs said a nearly $292 million crypto exploit that hit Kelp DAO on April 18 was likely carried out by the DPRK-linked Lazarus Group, in what would be one of the largest decentralized finance thefts of the year. The attribution is a preliminary private-sector assessment, not a government determination. In an incident statement published Saturday, LayerZero said attackers used a forged cross-chain message to drain 116,500 rsETH from Kelp DAO’s bridge on Ethereum. The key drain transaction executed at 17:35:35 UTC.
LayerZero said its Decentralized Verifier Network, or DVN, was targeted in what it called a “highly sophisticated attack.” According to the company, the attackers poisoned downstream RPC nodes — infrastructure that helps blockchain systems read network data — and then used a distributed denial-of-service attack to force failover onto those compromised nodes. That caused LayerZero’s verifier to observe forged data and accept a fake cross-chain instruction, known as an lzReceive message, which in turn triggered Kelp DAO’s Ethereum OFT adapter to release the tokens to an attacker-controlled address.
In its statement, LayerZero said: “On April 18, 2026, LayerZero Labs’ DVN became the target of a highly sophisticated attack, likely attributable to the Lazarus Group, more specifically TraderTraitor.” Lazarus and TraderTraitor are names used by cybersecurity firms and investigators for North Korean hacking operations linked to major crypto thefts. LayerZero said the incident was not caused by a bug in its core protocol, but by an operational attack on infrastructure used by its verifier network. It also said the damage was limited to Kelp DAO’s setup because Kelp had configured this route as a 1-of-1 DVN, with LayerZero Labs serving as the only verifier.
That configuration matters because LayerZero is a cross-chain messaging protocol whose applications choose their own verifier sets and approval thresholds. A 1-of-1 arrangement creates a single point of failure: if the lone verifier is tricked, a forged message can be accepted. LayerZero said the issue was isolated to Kelp’s single-DVN setup rather than a broader protocol-wide smart-contract flaw.
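As an added illustration (not code from LayerZero, Kelp DAO or this article), the Python model below shows why the approval threshold decides whether one misled verifier is enough to get a forged message accepted. The class names, endpoint names and the "first reachable endpoint wins" failover rule are assumptions made for the example, not LayerZero's configuration format or DVN logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rpc:
    name: str
    reachable: bool = True    # False models an endpoint knocked offline by DDoS
    poisoned: bool = False    # True models an endpoint serving forged chain data

@dataclass(frozen=True)
class Verifier:
    name: str
    rpcs: tuple               # failover order: the first reachable endpoint is used

    def sees_forged_message(self):
        """A verifier believes whatever its first reachable endpoint reports."""
        active = next((r for r in self.rpcs if r.reachable), None)
        return active is not None and active.poisoned

@dataclass(frozen=True)
class Route:
    name: str
    verifiers: tuple
    threshold: int            # attestations required before a message is delivered

    def __post_init__(self):
        # Reject configurations that can never reach quorum or need no attestation.
        if not 1 <= self.threshold <= len(self.verifiers):
            raise ValueError(f"{self.name}: threshold must be 1..{len(self.verifiers)}")

    def accepts_forgery(self):
        """True if enough verifiers attest to a message never sent on the source chain."""
        return sum(v.sees_forged_message() for v in self.verifiers) >= self.threshold

def single_point_of_failure(routes):
    """Names of routes where misleading one verifier is sufficient (threshold of 1)."""
    return [r.name for r in routes if r.threshold == 1]

# Constructed scenario: verifier A's primary endpoint is unreachable and its
# fallback serves forged data; verifiers B and C read from unaffected endpoints.
A = Verifier("dvn-a", (Rpc("a-primary", reachable=False), Rpc("a-fallback", poisoned=True)))
B = Verifier("dvn-b", (Rpc("b-primary"),))
C = Verifier("dvn-c", (Rpc("c-primary"),))
ONE_OF_ONE = Route("route-1of1", (A,), 1)
TWO_OF_THREE = Route("route-2of3", (A, B, C), 2)

if __name__ == "__main__":
    for route in (ONE_OF_ONE, TWO_OF_THREE):
        print(route.name, "accepts forged message:", route.accepts_forgery())
    print("single point of failure:", single_point_of_failure([ONE_OF_ONE, TWO_OF_THREE]))
```

In the constructed scenario the same misled verifier is present on both routes; only the 1-of-1 route delivers the forged message, and the audit helper flags that route.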
Kelp DAO moved to contain the breach by pausing rsETH contracts across Ethereum mainnet and several layer-2 networks. Aave, the large decentralized lending protocol, froze affected rsETH markets, and other DeFi projects suspended some LayerZero OFT bridges as a precaution. A forensic reconstruction cited in the research said Kelp’s emergency pause came about 46 minutes after the first drain and that two later attempts of roughly 40,000 rsETH each were blocked because the adapter had already been paused.
LayerZero said it has since deprecated or replaced the affected RPC nodes and restored its verifier network. It also said it is reaching out to applications that still use 1-of-1 verifier configurations. In a notable policy change, the company said, “The LayerZero Labs DVN will not sign or attest messages from any applications that utilize a 1/1 configuration.”
The stolen amount was widely valued between roughly $290 million and $294 million at the time, depending on the price feed used, with many estimates clustering around $292 million. Still, the most concrete figure is the onchain amount: 116,500 rsETH.
The episode underscores how cross-chain systems can fail not only through coding errors but also through weaknesses in the offchain infrastructure they rely on. LayerZero says it is working with law enforcement and crypto security group Seal911 to trace the funds. For now, its claim that Lazarus or TraderTraitor was likely responsible remains a provisional attribution from a private company, but it raises the compliance and enforcement stakes around one of the market’s biggest recent exploits.