LayerZero links $292M Kelp DAO hack to North Korea’s Lazarus

LayerZero attributes a $292M rsETH theft from the Kelp DAO bridge on April 18 to North Korea’s Lazarus group, blaming poisoned DVN RPC nodes and Kelp’s single-node DVN.

LayerZero reported that 116,500 rsETH, worth about $292 million, was stolen from the Kelp DAO cross-chain bridge on April 18. The company attributed the exploit to state-linked North Korean cyber actors tied to the Lazarus group, identifying the cluster behind the operation as “TraderTraitor.”

LayerZero said the attacker obtained the list of RPC nodes used by its decentralized verified network (DVN), corrupted two of those endpoints so they returned forged messages, and launched a distributed denial-of-service attack against the remaining honest nodes so the DVN would rely on the poisoned endpoints. The company described that chain of events as sufficient to let a forged cross-chain message be accepted and tokens released.

LayerZero blamed Kelp DAO for using a single 1-of-1 DVN configuration. The company wrote, “Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message,” and added that it and others had previously recommended diversifying DVN verifiers to Kelp DAO.

After unlocking the rsETH, the attacker moved the tokens into Aave V3 and used them as collateral to borrow large amounts of wrapped Ether (WETH). That activity produced bad debt on Aave. Aave founder Stani Kulechov wrote on X that “rsETH has been frozen on Aave V3 and V4” and that the asset no longer has borrowing power on either version as a precaution.

The exploit prompted many DeFi teams to pause LayerZero omnichain fungible token bridges, including Ethena, ether.fi, Tron DAO and Curve Finance. Sector metrics show total value locked across DeFi fell about 7% in the 24 hours after the attack, declining from roughly $99.5 billion to $86.3 billion. Historical on-chain data indicate more than $10 billion in outflows from Aave after the incident, with supplied value dropping from $45.8 billion to about $35.7 billion.

LayerZero said the LayerZero Labs DVN remains operational and asserted there is “zero contagion” to assets or applications that run on multi-DVN setups. The company added it will not sign messages for applications that continue to use a 1/1 DVN configuration and that it is cooperating with law enforcement to investigate and trace the stolen funds.

Min Jung, an associate researcher at Presto Research, described the exploit as reflecting “structural vulnerabilities in DeFi, especially in cross-chain infrastructure and the irony of how concentrated critical security layers are,” and noted the incident could accelerate changes in risk controls and architecture across protocols.

The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.

Articles by this author