Kelp DAO loses $292M in suspected Lazarus Group crypto heist

A flaw in Kelp's security setup handed hackers $292M in minutes. Now, the hunt for stolen funds exposes DeFi's darkest vulnerability: state-sponsored cybercrime.

Kelp DAO, a liquid restaking protocol that routes user ETH through EigenLayer to generate additional yield, lost 116,500 rsETH worth approximately $292 million to an attacker on April 18 in the largest DeFi exploit of 2026. LayerZero, whose cross-chain messaging infrastructure underpinned Kelp's bridge, published a post-mortem on April 20 attributing the attack with "preliminary confidence" to North Korea's Lazarus Group, specifically its TraderTraitor subunit.

Attackers pre-funded six wallets through Tornado Cash roughly 10 hours before the drain. They then compromised two of the RPC nodes that LayerZero's verifier relied on to confirm cross-chain transactions, replacing the nodes' software with malicious versions. Those versions reported false transaction data to the verifier while continuing to feed accurate data to every other observer, which kept the attack invisible to LayerZero's own monitoring systems. A simultaneous DDoS attack forced a failover that brought the compromised nodes into the verification path. With the verifier deceived, Kelp's bridge released 116,500 rsETH to an attacker-controlled address at 17:35 UTC.

According to LayerZero Labs, the attack succeeded because Kelp operated a 1-of-1 verifier configuration, in which LayerZero Labs was the only entity verifying messages to and from the rsETH bridge. LayerZero said its integration documentation and direct communications to Kelp had recommended a multi-verifier setup, under which compromising a single node would not have been enough to forge a valid message.
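The difference between a 1-of-1 setup and a multi-verifier threshold can be shown with a small model. This is an added illustration, not LayerZero or Kelp code; the verifier names, message fields, placeholder addresses and the 2-of-3 threshold are assumptions made for the example.

```python
import hashlib

def digest(event):
    """Digest a verifier attests to; None means its RPC backend shows no event."""
    if event is None:
        return None
    return hashlib.sha256("|".join(map(str, event)).encode()).hexdigest()

def attest(rpc_views, nonce):
    """Each verifier attests to whatever its own RPC backend reports for `nonce`."""
    return {name: digest(view.get(nonce)) for name, view in rpc_views.items()}

def bridge_accepts(message, attestations, threshold):
    """Accept only if at least `threshold` verifiers attest to this exact message."""
    want = digest(message)
    confirming = sorted(v for v, d in attestations.items() if d == want)
    return len(confirming) >= threshold, confirming

def verifiers_disagree(attestations):
    """Detection signal: verifiers reading the same chain should never differ."""
    return len(set(attestations.values())) > 1

# Constructed sample data. Fields: (source chain, nonce, recipient, rsETH amount).
REAL = ("chain-a", 1000, "0xUSER_PLACEHOLDER", 5)
FORGED = ("chain-a", 1001, "0xATTACKER_PLACEHOLDER", 116500)

honest_rpc = {1000: REAL}                    # nonce 1001 never happened on-chain
poisoned_rpc = {1000: REAL, 1001: FORGED}    # tampered node invents nonce 1001

# Assumption: in the multi-verifier case each verifier has independent RPC backends.
one_of_one = {"verifier_a": poisoned_rpc}
two_of_three = {"verifier_a": poisoned_rpc,
                "verifier_b": honest_rpc,
                "verifier_c": honest_rpc}

def run_scenarios():
    single = attest(one_of_one, 1001)
    multi = attest(two_of_three, 1001)
    return {
        "forged_1of1": bridge_accepts(FORGED, single, threshold=1),
        "forged_2of3": bridge_accepts(FORGED, multi, threshold=2),
        "real_2of3": bridge_accepts(REAL, attest(two_of_three, 1000), threshold=2),
        "alert_1of1": verifiers_disagree(single),
        "alert_2of3": verifiers_disagree(multi),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

With a single verifier there is no second opinion, so the forged message is accepted and no disagreement alert can fire. With three verifiers the threshold is not met, and the mismatch between attestations is itself a signal worth paging on.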

Kelp's emergency multisig paused core contracts 46 minutes after the drain. Two follow-up attempts at 18:26 and 18:28 UTC, each carrying the same LayerZero packet and targeting another 40,000 rsETH worth roughly $100 million, were blocked. The attacker consolidated approximately 74,000 ETH post-exploit. LayerZero said it is working with multiple law enforcement agencies, is actively tracking the stolen funds, and will no longer sign messages for any project running a single-verifier configuration.

The Kelp attack brings total DeFi losses linked to North Korean state actors this month to over $575 million. It follows the Drift Protocol exploit on April 1, which was also linked to North Korean state actors. Drift lost approximately $285 million in an attack involving social engineering of governance signers.
