KelpDAO Hack Linked to North Korea's Lazarus Group: $292 Million Exploit
Severity: High (Score: 75.0)
Sources: En.Bloomingbit, Beincrypto, Coinedition
Summary
On April 20, 2026, KelpDAO suffered a significant exploit resulting in the loss of $292 million in assets, attributed to North Korea's Lazarus Group. The attack targeted the RPC infrastructure of LayerZero, using a sophisticated method that involved compromising two independent RPC nodes. The attackers replaced the binaries with malicious versions, allowing them to forge transaction data while simultaneously launching a DDoS attack on uncompromised nodes. This forced a failover to the compromised infrastructure, leading to the verification of non-existent transactions. KelpDAO's choice of a 1/1 decentralized verifier network (DVN) setup created a single point of failure, which was exploited in the attack. LayerZero has since confirmed that it will no longer support applications using this configuration. Law enforcement has been notified, and the affected RPCs have been replaced, restoring normal operations. The exploit specifically impacted rsETH, raising concerns about potential cascading effects across the DeFi sector.
Key Points
- KelpDAO lost $292 million due to a sophisticated attack by North Korea's Lazarus Group.
- The attack exploited a single point of failure in KelpDAO's 1/1 DVN configuration.
- LayerZero has ceased support for applications using vulnerable DVN setups.
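The failure mode described above, a verifier that trusts whichever RPC endpoint still answers after the honest ones are knocked offline, can be contrasted with a quorum check that refuses to proceed on disagreement or too few responses. The following is an added illustrative model, not KelpDAO or LayerZero code; the node names, hash values and the 3-of-4 threshold are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

FORGED = "0xforged-packet"   # constructed: what a tampered RPC binary reports
HONEST = "0xhonest-packet"   # constructed: what the real chain state yields

@dataclass
class RpcNode:
    name: str
    reachable: bool = True     # False models a node knocked offline by DDoS
    compromised: bool = False  # True models a node running a replaced binary

    def packet_hash(self) -> str:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        return FORGED if self.compromised else HONEST

def first_available(nodes):
    """Naive failover: trust the first node that answers (1/1-style)."""
    for node in nodes:
        try:
            return node.packet_hash()
        except ConnectionError:
            continue
    raise RuntimeError("no RPC node reachable")

def quorum_verify(nodes, required):
    """Cross-check independent nodes: accept only a unanimous answer from at
    least `required` reachable nodes; otherwise refuse rather than degrade."""
    answers = {}
    for node in nodes:
        try:
            answers[node.name] = node.packet_hash()
        except ConnectionError:
            pass
    tally = Counter(answers.values())
    if len(tally) > 1:
        return "reject", f"divergent responses: {answers}"
    if sum(tally.values()) < required:
        return "reject", f"only {sum(tally.values())} of {required} responses"
    return "accept", next(iter(tally))

def scenario():
    # Both honest primaries under DDoS, two compromised fallbacks still up.
    nodes = [RpcNode("primary-a", reachable=False),
             RpcNode("primary-b", reachable=False),
             RpcNode("fallback-c", compromised=True),
             RpcNode("fallback-d", compromised=True)]
    return first_available(nodes), quorum_verify(nodes, required=3)

def scenario_mixed():
    # One honest primary survives: the quorum check sees the disagreement.
    nodes = [RpcNode("primary-b"), RpcNode("fallback-c", compromised=True),
             RpcNode("fallback-d", compromised=True)]
    return first_available(nodes), quorum_verify(nodes, required=3)
```

In `scenario()` the naive failover returns the forged hash, while the quorum verifier rejects because only two of the three required responses arrived; in `scenario_mixed()` it rejects on divergence even though the naive path happened to hit the honest node first.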
Key Entities
- Lazarus Group (apt_group)
- TraderTraitor (malware)
- DDoS (attack_type)
- Aave (platform)
- LayerZero (platform)
- Bybit (company)
- Drift Protocol (company)
- KelpDAO (company)
- LayerZero Labs (company)
- North Korea (country)
- T1070 - Indicator Removal (mitre_attack)
- T1499 - Endpoint Denial of Service (mitre_attack)