KelpDAO Bridge Hack: $292M Stolen by Lazarus Group Exploit
Severity: High (Score: 77.9)
Sources: Decrypt.Co, Theblock.Co, News.Bitcoin, Whalesbook, En.Bloomingbit
Summary
On April 18, 2026, the KelpDAO cross-chain bridge suffered a major exploit, resulting in the theft of approximately $292 million worth of rsETH tokens. LayerZero Labs attributed the attack to North Korea's Lazarus Group, specifically its TraderTraitor subunit.

The attackers compromised two of the remote procedure call (RPC) nodes that the bridge's verifier relied on and used them to return forged transaction confirmations, while simultaneously launching a DDoS attack against the remaining clean nodes so that verification fell back to the compromised ones. Because the bridge's message verification depended on a single verifier (a 1/1 decentralized verifier network, or DVN, configuration), the forged confirmations were accepted without corroboration from any independent source. This single point of failure allowed the attackers to drain 116,500 rsETH before a rapid response cut off further access.

The incident triggered over $10 billion in withdrawals from the Aave lending protocol, whose total value locked dropped significantly. LayerZero has since announced that it will no longer support applications using a single-verifier configuration and is collaborating with law enforcement to track the stolen funds. The exploit has raised serious concerns about the security of decentralized finance (DeFi) infrastructure and the risks of centralized verification models.

Key Points:
• KelpDAO lost $292 million to a sophisticated attack by North Korea's Lazarus Group.
• The exploit was made possible by a single-verifier setup, which created a critical single point of failure.
• LayerZero will no longer support applications using a 1/1 decentralized verifier network (DVN) configuration.
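The failure mode described above, as an added illustration that is not code from LayerZero, Kelp DAO, or any of the cited sources: a toy model in which a bridge verifier asks RPC nodes for a deposit receipt. A 1/1 verifier that trusts the first node that answers accepts a forged receipt as soon as the honest nodes are knocked offline, whereas a quorum check that demands identical receipts from more nodes than the attacker controls fails closed. The node names, transaction hash, receipt fields and amounts are constructed for the example; the real bridge, RPC API and message format are not modelled.

```python
"""Toy model of bridge verification against RPC nodes (added example).

Not LayerZero's or Kelp DAO's code. RpcNode, Receipt, the sample
transaction hash and the receipt values are all constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


class NodeUnavailable(Exception):
    """Raised when an RPC node cannot be reached (for example, under DDoS)."""


@dataclass(frozen=True)
class Receipt:
    tx_hash: str
    block_hash: str
    status: int         # 1 = success, 0 = reverted
    amount_rseth: int   # amount the bridge would release on the destination chain


@dataclass
class RpcNode:
    name: str
    honest_receipt: Receipt                 # what the source chain really contains
    forged_receipt: Optional[Receipt] = None  # set when the node is attacker-controlled
    reachable: bool = True

    def get_receipt(self, tx_hash: str) -> Receipt:
        if not self.reachable:
            raise NodeUnavailable(self.name)
        if self.forged_receipt is not None:
            return self.forged_receipt   # compromised node lies about the chain
        return self.honest_receipt


def confirm_single_verifier(nodes: List[RpcNode], tx_hash: str) -> Optional[Receipt]:
    """1/1 verification: trust whichever node answers first.

    Falling through to the next node on failure is exactly what lets a DDoS
    on the honest nodes steer verification onto the compromised ones.
    """
    for node in nodes:
        try:
            return node.get_receipt(tx_hash)
        except NodeUnavailable:
            continue
    return None


def confirm_with_quorum(nodes: List[RpcNode], tx_hash: str, threshold: int) -> Optional[Receipt]:
    """Require `threshold` nodes to return byte-identical receipts.

    Returns None (fail closed, release nothing) when no receipt reaches the
    threshold. The threshold must exceed the number of nodes an attacker can
    control, or their agreeing forgeries will form the quorum.
    """
    votes: Counter = Counter()
    for node in nodes:
        try:
            votes[node.get_receipt(tx_hash)] += 1
        except NodeUnavailable:
            continue
    if not votes:
        return None
    receipt, count = votes.most_common(1)[0]
    return receipt if count >= threshold else None


# Constructed scenario: the real deposit was 10 rsETH; the two compromised
# nodes claim a deposit of 116,500 rsETH for the same transaction.
TX = "0xconstructed-tx-hash"
TRUE_RECEIPT = Receipt(TX, "0xconstructed-block", 1, 10)
FORGED_RECEIPT = Receipt(TX, "0xconstructed-block", 1, 116_500)


def build_scenario(ddos: bool) -> List[RpcNode]:
    """Three honest nodes (offline when ddos=True) followed by two rogue nodes."""
    clean = [RpcNode(f"clean-{i}", TRUE_RECEIPT, reachable=not ddos) for i in range(3)]
    rogue = [RpcNode(f"rogue-{i}", TRUE_RECEIPT, forged_receipt=FORGED_RECEIPT) for i in range(2)]
    return clean + rogue


if __name__ == "__main__":
    for ddos in (False, True):
        nodes = build_scenario(ddos)
        print(f"ddos={ddos}: single verifier ->", confirm_single_verifier(nodes, TX))
        print(f"ddos={ddos}: 3-of-5 quorum   ->", confirm_with_quorum(nodes, TX, 3))
```

Run as a script it prints the outcome for both conditions. With the honest nodes up, both checks return the true 10 rsETH receipt. Under DDoS the single verifier falls through to a rogue node and returns the forged 116,500 rsETH receipt, while the 3-of-5 quorum returns None and releases nothing. A 2-of-5 quorum would still be fooled in this scenario, because the two rogue nodes agree with each other; that is why the threshold has to be chosen against the attacker's capacity, not just set above one.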
Key Entities
- APT38 (apt_group)
- Lazarus Group (apt_group)
- TraderTraitor (malware)
- Data Breach (attack_type)
- DDoS (attack_type)
- Malware (attack_type)
- Phishing (attack_type)
- Aave (platform)
- LayerZero (platform)
- Bitcoin (platform)
- Curve Finance (platform)
- DNSSEC (platform)
- Bybit (company)
- Drift Protocol (company)
- EasyDNS (company)
- Ethereum Name Service (company)
- Kelp DAO (company)
- Drift (campaign)
- Iran (country)
- North Korea (country)
- ether.fi (domain)
- Financial (industry)
- T1021 - Remote Services (mitre_attack)
- T1070 - Indicator Removal (mitre_attack)
- T1499 - Endpoint Denial of Service (mitre_attack)
- T1566 - Phishing (mitre_attack)
- Tornado Cash (tool)