LayerZero says North Korean Lazarus Group behind $292M Kelp DAO attack
LayerZero warns of vulnerabilities in single-DVN configurations after the landmark KelpDAO attack.
by Vivian Nguyen, Apr. 20, 2026

LayerZero’s new report states that North Korea-linked cybercrime group Lazarus Group carried out the attack targeting restaking protocol KelpDAO on Saturday that led to $292 million in losses.
The incident was limited to KelpDAO’s rsETH token and had no impact on any other assets or applications using the LayerZero protocol, according to the report.
As previously flagged by on-chain investigators, the attacker exploited LayerZero’s cross-chain messaging system, which is responsible for validating cross-network transactions, by spoofing a legitimate transfer request.
This resulted in the unauthorized movement of 116,500 rsETH, valued at about $292 million. The stolen amount represents roughly 18% of rsETH’s total supply of around 630,000 tokens.
In today’s report, LayerZero detailed that the attack targeted the RPC infrastructure underpinning LayerZero Labs’ Decentralized Verifier Network (DVN), the system responsible for confirming the legitimacy of cross-chain transactions.
Attackers identified the RPC nodes used by the DVN, compromised two of them by swapping out their software binaries, and launched distributed denial-of-service (DDoS) attacks against the remaining clean nodes to force a failover to the poisoned ones.
The malicious nodes were configured to show falsified data only to the DVN while appearing normal to all other observers, deliberately evading security monitoring. Once the attack concluded, the malicious infrastructure self-destructed, deleting binaries, logs, and configuration files.
The configuration question
According to LayerZero, the incident was made possible by KelpDAO’s decision to run a single-DVN configuration.
LayerZero stressed that it had previously and explicitly advised KelpDAO to adopt a multi-DVN setup, and that those warnings went unheeded.
“LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration,” the team highlighted.
Following the attack, LayerZero has restored its DVN infrastructure, begun contacting all single-DVN applications requiring migration, and confirmed it will refuse to sign messages from any application maintaining a 1/1 verifier setup.
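An added example, not taken from LayerZero's report or code: a simplified Python model of the verifier-set rule at issue (every required DVN plus a threshold of optional DVNs must attest to the same payload hash), showing why a 1/1 setup fails as soon as its single DVN is fed falsified data. The DVN names, config fields and hashes are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class VerifierConfig:
    """Simplified model (assumption): every required DVN must attest,
    plus at least `optional_threshold` of the optional DVNs."""
    required: tuple
    optional: tuple = ()
    optional_threshold: int = 0

def is_verified(cfg, attestations, payload_hash):
    """attestations maps DVN name -> the payload hash that DVN attested to."""
    def ok(dvn):
        return attestations.get(dvn) == payload_hash
    if not all(ok(d) for d in cfg.required):
        return False
    return sum(ok(d) for d in cfg.optional) >= cfg.optional_threshold

def min_compromises_to_forge(cfg):
    """Fewest DVNs that must attest to a forged payload for it to verify
    while every other DVN stays honest and attests to nothing."""
    dvns = cfg.required + cfg.optional
    forged = "0xforged"  # constructed placeholder hash
    for k in range(len(dvns) + 1):
        for bad in combinations(dvns, k):
            if is_verified(cfg, {d: forged for d in bad}, forged):
                return k
    return None

def audit(app, cfg):
    """Flag configs where one misled verifier (or none) is enough."""
    k = min_compromises_to_forge(cfg)
    return {"app": app, "min_compromises": k, "single_point_of_failure": k <= 1}

# Constructed sample configurations (hypothetical DVN names).
ONE_OF_ONE = VerifierConfig(required=("dvn_a",))
DIVERSIFIED = VerifierConfig(required=("dvn_a", "dvn_b"),
                             optional=("dvn_c", "dvn_d"),
                             optional_threshold=1)

if __name__ == "__main__":
    for app, cfg in (("one_of_one", ONE_OF_ONE), ("diversified", DIVERSIFIED)):
        print(audit(app, cfg))
```

In this model a DVN whose RPC view has been poisoned counts as compromised, since it attests to whatever its data source reports.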
KelpDAO has paused rsETH contracts across mainnet and multiple layer 2 networks and says it is working with auditors and security specialists on root cause analysis.
LayerZero Labs has contacted law enforcement globally and is collaborating with Seal911 and other industry partners to trace the stolen funds. This is now the largest DeFi hack of 2026, barely edging out the $285 million Drift Protocol exploit that occurred earlier this month.
Secondary disruption
Aave has seen secondary disruption following the large-scale exploit targeting KelpDAO.
Total value locked on Aave has dropped to $17.5 billion, down $8.8 billion over two days, according to data from DeFiLlama.
The wider DeFi sector is also seeing outflows, with total value locked across all chains declining from over $99 billion to around $86 billion.
Disclosure: This article was edited by Vivian Nguyen.