Kelp DAO Hack: $292 Million Stolen by North Korean Hackers

Severity: High (Score: 74.7)

Sources: www.halborn.com, Scworld

Summary

In April 2026, Kelp DAO, a liquid restaking protocol, suffered a massive hack attributed to North Korea's Lazarus Group, specifically its TraderTraitor operation. The attackers exploited a 1-of-1 verifier configuration in Kelp's transaction verification system, allowing them to trick a single verifier into approving a fraudulent transaction. They compromised two remote procedure call (RPC) nodes to inject malicious messages while simultaneously executing a DDoS attack to take down other RPC nodes that could have contradicted their claims. This led to the unauthorized release of 116,500 rsETH, valued at approximately $292 million, representing 18% of the token's total supply. The stolen tokens were then used as collateral for loans across various platforms, prompting several to freeze their rsETH markets. Following the hack, over $13 billion in total value locked (TVL) exited multiple platforms within two days. Kelp DAO had previously been warned about the risks associated with their centralized verification approach, which ultimately contributed to the breach.

Key Points

  • Kelp DAO lost $292 million due to a hack by North Korea's Lazarus Group.
  • The attack exploited a 1-of-1 verifier configuration, allowing a single point of failure.
  • Over $13 billion in TVL exited from various platforms following the hack.
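
The single point of failure described in the summary, modelled as an added example that is not code from Kelp DAO, LayerZero or the cited sources: a verifier that trusts whichever RPC nodes still answer, next to one that fails closed during an outage, and a 1-of-1 approval next to a 2-of-3 one. Node names, hashes, thresholds and function names are assumptions constructed for illustration.

```python
from collections import Counter

FORGED = "0xforged"    # constructed placeholder, not a real message hash
GENUINE = "0xgenuine"  # constructed placeholder

def naive_check(claimed, responses):
    """Assumed weak behaviour: trust whichever nodes answer, however few."""
    answers = [h for h in responses.values() if h is not None]
    return bool(answers) and all(h == claimed for h in answers)

def quorum_check(claimed, responses, min_reachable, quorum):
    """Fail closed unless enough nodes answer and enough of them agree.
    Only meaningful if the nodes are operated independently of each other."""
    answers = [h for h in responses.values() if h is not None]
    if len(answers) < min_reachable:
        return False  # outage: refuse instead of trusting the survivors
    return Counter(answers)[claimed] >= quorum

def release_allowed(votes, threshold):
    """M-of-N verifiers: votes maps verifier name -> bool approval."""
    return sum(1 for v in votes.values() if v) >= threshold

# Constructed scenario: two nodes report a forged message, three are offline.
UNDER_ATTACK = {"rpc-a": FORGED, "rpc-b": FORGED,
                "rpc-c": None, "rpc-d": None, "rpc-e": None}
HEALTHY = {name: GENUINE for name in UNDER_ATTACK}

def demo():
    weak = naive_check(FORGED, UNDER_ATTACK)
    strict = quorum_check(FORGED, UNDER_ATTACK, min_reachable=4, quorum=3)
    normal = quorum_check(GENUINE, HEALTHY, min_reachable=4, quorum=3)
    # 1-of-1: the single fooled verifier is the whole decision.
    one_of_one = release_allowed({"v1": weak}, threshold=1)
    # 2-of-3: v1 is fooled, v2 and v3 apply the quorum check and refuse.
    two_of_three = release_allowed(
        {"v1": weak, "v2": strict, "v3": strict}, threshold=2)
    return weak, strict, normal, one_of_one, two_of_three

if __name__ == "__main__":
    print(demo())
```
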

Key Entities

  • Lazarus Group (apt_group)
  • DDoS (attack_type)
  • TraderTraitor (malware)
  • Aave (platform)
  • LayerZero (platform)
  • Fluid (company)
  • Kelp DAO (company)
  • SparkLend (company)
  • North Korea (country)
  • T1499 - Endpoint Denial of Service (mitre_attack)