TL;DR
- LayerZero said North Korean hacker group Lazarus is likely responsible for the $292 million Kelp DAO exploit.
- The total value locked across the DeFi sector fell 7% in the past 24 hours to $86 billion.
LayerZero Ties Kelp DAO’s $292M Exploit to Suspected North Korean Hackers
LayerZero has revealed preliminary findings from its investigation into the Kelp DAO exploit, pointing to suspected North Korean cyber actors as the likely perpetrators.
The April 18 attack drained 116,500 rsETH tokens—worth roughly $292 million—from Kelp DAO’s LayerZero-powered cross-chain bridge, marking the largest DeFi exploit of the year so far.
In its statement, LayerZero said early indicators suggest involvement from a “highly sophisticated state actor,” likely tied to the DPRK’s Lazarus Group, specifically its TraderTraitor unit.
The attack reportedly began with the compromise of RPC nodes used by LayerZero Labs’ decentralized verifier network (DVN), which validates cross-chain transactions. According to LayerZero, the attacker poisoned two nodes to send a forged message while simultaneously launching a DDoS attack on legitimate nodes, forcing the network to rely on the compromised ones.
A Critical Vulnerability Amplified the Impact
Kelp DAO was operating a 1-of-1 DVN configuration, meaning there was no redundancy or secondary verification layer. This allowed the malicious message to pass unchecked and trigger the release of funds. LayerZero emphasized that it had previously advised Kelp DAO to diversify its verifier setup, but those recommendations were not implemented.
Despite the scale of the breach, LayerZero said there is “zero contagion” to other applications and confirmed that systems using multi-DVN configurations remain secure. It also announced a policy shift, stating it will no longer support projects operating under single-verifier setups.
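The difference between a 1-of-1 and a multi-verifier setup, as a simplified model added here (not LayerZero's or Kelp DAO's code). The class, function and verifier names are hypothetical and the payloads are constructed; it counts how many verifiers must be wrong before a forged message is accepted.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    required: tuple              # every one of these must attest
    optional: tuple = ()         # extra verifiers
    optional_threshold: int = 0  # how many optional verifiers must attest

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def verifiers_to_compromise(cfg: VerifierConfig) -> int:
    """Minimum number of verifiers that must attest before a message passes."""
    return len(cfg.required) + cfg.optional_threshold

def is_verified(cfg: VerifierConfig, attestations: dict, payload: bytes) -> bool:
    """attestations maps verifier name -> hash that verifier signed off on."""
    if verifiers_to_compromise(cfg) == 0:
        return False  # an empty quorum must never accept anything
    h = payload_hash(payload)
    if any(attestations.get(v) != h for v in cfg.required):
        return False
    agreeing = sum(1 for v in cfg.optional if attestations.get(v) == h)
    return agreeing >= cfg.optional_threshold

def audit(cfg: VerifierConfig, minimum: int = 2) -> list:
    """Flag configurations where fewer than `minimum` verifiers decide."""
    n = verifiers_to_compromise(cfg)
    if n >= minimum:
        return []
    return [f"single point of failure: {n} verifier(s) decide every message"]

# Constructed scenario: dvn_a reads from poisoned data sources and attests
# to a forged message; dvn_b never saw that message and attests to nothing.
FORGED = b"constructed sample: forged release message"
ATTESTATIONS = {"dvn_a": payload_hash(FORGED)}

SINGLE = VerifierConfig(required=("dvn_a",))
MULTI = VerifierConfig(required=("dvn_a", "dvn_b"))
MIXED = VerifierConfig(required=("dvn_a",), optional=("dvn_b", "dvn_c"),
                       optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in (("1-of-1", SINGLE), ("2 required", MULTI),
                      ("1 required + 1-of-2", MIXED)):
        print(name, "accepts forged:", is_verified(cfg, ATTESTATIONS, FORGED),
              "| findings:", audit(cfg))
```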
The company is now working with law enforcement agencies to trace and recover the stolen assets.
The recent hack has sent shockwaves across the DeFi ecosystem, with immediate consequences for Aave. AAVE is down 1% in the last 24 hours and is now trading at $91 per coin.
The attacker reportedly moved the stolen rsETH into Aave V3, using it as collateral to borrow large amounts of WETH—potentially creating bad debt within the protocol. In response, Aave froze rsETH markets on both V3 and V4.
Aave founder Stani Kulechov confirmed that rsETH has been disabled as collateral and that the protocol has no further exposure to the asset. However, user confidence took a hit. Data from Aavescan shows over $10 billion has been withdrawn from Aave since the incident, reducing total supplied funds from $45.8 billion to $35.7 billion.
Marc Zeller of the Aave Chan Initiative urged users to act quickly, posting: “withdraw now, ask questions later.”
Across the broader DeFi landscape, several major protocols—including Ethena, ether.fi, Tron DAO, and Curve Finance—have paused their LayerZero omnichain token bridges as a precautionary measure.
According to DefiLlama, total value locked in DeFi has dropped 7% in the past 24 hours, falling to around $86.3 billion from $99.5 billion on April 18.
Aave's hack comes a few weeks after Drift Protocol suffered a $280 million hack, which it also blamed on North Koreans. Drift Protocol has already formed a strategic alliance with Tether to assist in recovering funds stolen during an April 1 exploit.
Hassan Maishera