The $292 Million KelpDAO Hack: How North Korea’s Lazarus Group Just Exposed DeFi’s Most Dangerous Blind Spot
alek gutmann
On April 18, 2026, attackers drained $292 million from KelpDAO’s bridge in minutes — and every on-chain transaction looked completely normal. Here’s exactly what happened, why DeFi’s defences missed it, and what it means for your funds.
“KelpDAO recovery claim — connect your wallet to receive compensation”
They didn’t find a bug in a smart contract. They didn’t exploit a reentrancy vulnerability or manipulate a price oracle. They did something more sophisticated, and more dangerous: they poisoned the infrastructure that bridges trusted to verify reality.
In minutes, attackers drained approximately $292 million worth of rsETH from KelpDAO’s LayerZero bridge by forging a cross-chain message. The Ethereum contract released the funds. The validator’s signature was valid. The message format was valid. At the transaction level, every step of the exploit was indistinguishable from normal bridge activity.
Traditional security tools saw nothing wrong. Because nothing was wrong — on-chain.
The hack of KelpDAO is not just the largest DeFi exploit of 2026. It is a masterclass in what happens when the crypto industry builds increasingly complex cross-chain infrastructure on top of verification systems with a single point of failure. And it triggered a contagion event that spread to at least nine other protocols, wiped $13 billion from DeFi’s total value locked, and forced Aave — the largest lending protocol in crypto — to freeze markets.
Here is everything that happened, how, and what it means for anyone with money in DeFi.
What Is KelpDAO and Why Did This Happen?
To understand the hack, you need to understand what KelpDAO does.
KelpDAO is a decentralized finance project built around liquid restaking on the Ethereum network. It accepts user ETH deposits, restakes them, and returns a liquid token named rsETH that represents the restaked position. The rsETH token lets users keep earning restaking yield while the token remains usable across DeFi — including cross-chain, via LayerZero.
LayerZero is an interoperability protocol that allows tokens and data to move between blockchains. It works by having a network of “Decentralized Verifier Nodes” (DVNs) check whether cross-chain messages are legitimate before allowing funds to be released on the destination chain.
The configuration KelpDAO used for this bridge relied on a 1-of-1 DVN setup — meaning a single verifier was responsible for signing off on all cross-chain transactions. The industry best practice is for protocols to use a multi-DVN setup to prevent a unilateral point of trust or failure.
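To make the difference between the two configurations concrete, here is an added toy model (not KelpDAO or LayerZero code) of how a DVN quorum decides whether the destination chain releases funds for a packet. It assumes the required/optional DVN rule that every required DVN must attest and at least a threshold of optional DVNs must attest; the DVN names, packet ids and burn amounts are constructed.

```python
from dataclasses import dataclass

# Added example, not LayerZero code: a toy model of a DVN quorum.
# Each DVN checks the packet against the source-chain data it reads; a DVN
# whose data feed is compromised "sees" whatever that feed claims.

@dataclass(frozen=True)
class Packet:
    packet_id: str
    amount: int  # token units the destination contract would release

@dataclass
class DVN:
    name: str
    source_burns: dict  # honest view of the source chain: packet_id -> burned amount
    compromised: bool = False

    def attests(self, pkt: Packet, fed_view: dict) -> bool:
        # An honest DVN only signs if its own source-chain view shows the burn;
        # a compromised DVN reads from attacker-controlled data instead.
        view = fed_view if self.compromised else self.source_burns
        return view.get(pkt.packet_id) == pkt.amount

def release_allowed(pkt, fed_view, required, optional=(), optional_threshold=0):
    """Assumed quorum rule: every required DVN must attest, and at least
    `optional_threshold` of the optional DVNs must attest."""
    if not all(d.attests(pkt, fed_view) for d in required):
        return False
    return sum(d.attests(pkt, fed_view) for d in optional) >= optional_threshold

# Constructed scenario: nothing was burned for "pkt-42" on the source chain,
# but the attacker-controlled data feed claims a burn of 1000.
REAL_BURNS = {"pkt-1": 100}
FED_VIEW = {"pkt-1": 100, "pkt-42": 1000}
LEGIT = Packet("pkt-1", 100)
PHANTOM = Packet("pkt-42", 1000)

def weak_config_releases(pkt):
    # 1-of-1: a single DVN, and it is the one whose data sources are compromised.
    only = DVN("dvn-A", REAL_BURNS, compromised=True)
    return release_allowed(pkt, FED_VIEW, required=[only])

def hardened_config_releases(pkt):
    # Two required DVNs plus 1-of-2 optional: one compromised DVN is not enough.
    a = DVN("dvn-A", REAL_BURNS, compromised=True)
    b = DVN("dvn-B", REAL_BURNS)
    c, d = DVN("dvn-C", REAL_BURNS), DVN("dvn-D", REAL_BURNS)
    return release_allowed(pkt, FED_VIEW, required=[a, b], optional=[c, d], optional_threshold=1)

if __name__ == "__main__":
    print("1-of-1 releases phantom packet:", weak_config_releases(PHANTOM))        # True
    print("multi-DVN releases phantom packet:", hardened_config_releases(PHANTOM))  # False
```

Both configurations still pass the legitimate packet; only the single-verifier setup lets the phantom one through.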
That single point of failure is what the Lazarus Group found and exploited.
How the Attack Worked: A Step-by-Step Breakdown
This was not a smart contract hack. There was no reentrancy bug, no missing access check, no price oracle manipulation. The KelpDAO incident is an attack on the off-chain verification layer on which many cross-chain protocols depend.
Here is precisely what the attackers did:
Step 1 — Identify the single verifier node
The attackers mapped KelpDAO’s bridge infrastructure and identified that a single LayerZero DVN was responsible for verifying all cross-chain messages. This is the 1-of-1 setup that LayerZero later said it had recommended against.
Step 2 — Compromise the verifier’s data sources
Attackers compromised two of LayerZero’s own servers that check whether cross-chain transactions are legitimate, then flooded the backup servers with junk traffic to force LayerZero’s verifier onto the compromised ones. This is a combination of a targeted server compromise and a DDoS attack — pushing the verifier to rely on data the attackers now controlled.
Step 3 — Forge a phantom burn message
With the verifier now reading from compromised data sources, the attackers fed false data to the verification network, tricking the Ethereum contract into releasing funds based on a phantom token “burn” on the source chain. The verifier saw what appeared to be a legitimate burn of rsETH on the source chain, signed the message, and the Ethereum contract released the corresponding funds.
Step 4 — Drain the bridge
The attacker exploited the protocol’s bridge contract and siphoned roughly $293.7 million from its liquid restaking token rsETH. The bad actor moved quickly after taking hold of the funds and swapped them into ETH.
Step 5 — Use stolen rsETH as collateral
By using the illicitly obtained funds, they borrowed substantial amounts of WETH, creating more than $236 million in debt. The attacker deposited stolen rsETH into Aave v3 as collateral to borrow real ETH — turning unbacked tokens into real assets before the market could react.
Step 6 — Attempt a second drain
KelpDAO’s security systems detected the attack mid-execution. Those actions blocked a follow-up attempt in which the exploiter tried to drain an additional 40,000 rsETH (~$95 million) using a second forged phantom packet.
The entire operation — from first transaction to detection — was sophisticated enough that LayerZero stated preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.
The Contagion: How One Hack Spread to Nine Protocols
What makes the KelpDAO hack particularly significant is not just the initial theft. It’s what happened next.
Because rsETH is deeply integrated across DeFi lending markets, the sudden $292 million hole in the protocol’s backing created a contagion risk. The stolen rsETH had already been deposited as collateral into lending protocols before the hack was fully detected — leaving those protocols holding unbacked debt.
Aave V3 froze rsETH markets, SparkLend froze exposure, while Fluid, Compound, Euler, and others moved to contain risk. At least nine protocols were affected.
On Aave’s v3, the ETH, USDT, and USDC markets, which have a combined reserve size of $10.7 billion, each reached a 100% utilization rate, as total borrowed equals total supplied. When borrows are maxed, users cannot withdraw their supplied liquidity.
This is the nightmare scenario for DeFi: a single exploit cascading into a liquidity crisis that prevents users across completely separate protocols from withdrawing their own money.
DeFi saw its total value locked decrease by $13 billion over the weekend to $85.64 billion, its lowest point since April last year.
The Blame Game: KelpDAO vs. LayerZero
In the aftermath, a public dispute erupted between KelpDAO and LayerZero over who bears responsibility.
LayerZero’s position: The configuration of KelpDAO’s exploited application relied on a single decentralized verifier network (DVN), responsible for verifying the integrity of cross-chain messages. The industry best practice is for protocols to use a multi-DVN setup. A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective.
KelpDAO’s counter: KelpDAO’s position is that the DVN that was compromised was LayerZero’s own infrastructure, not a third-party verifier. It contests LayerZero’s framing of the “1/1 configuration” as a fringe choice made against guidance, arguing that LayerZero’s own documentation and deployment code promote single-source verification, which undercuts the claim that the 1-of-1 setup was unusual.
The dispute matters beyond this single incident. The $292 million exploit tied to KelpDAO is the latest in a long line of crypto bridge hacks, underscoring how the systems designed to connect blockchains have become some of the easiest ways to break them. The problem is structural, not just bugs or mistakes.
The DeFi United Recovery Effort
The immediate response to the contagion was unprecedented in its speed and coordination.
Aave and several major crypto firms coordinated a recovery effort to stabilize DeFi markets after the $292 million exploit. The initiative, dubbed “DeFi United” and led by Aave service providers, is aimed at restoring the backing of rsETH.
The commitments came rapidly:
- Lido Finance’s Lido Labs Foundation proposed allocating up to 2,500 stETH, worth roughly $5.7 million, into a dedicated relief vehicle.
- EtherFi proposed a 5,000 ETH plan to protect users and prevent bad debt across DeFi.
- Aave founder Stani Kulechov offered a 5,000 ETH personal contribution, saying: “Aave is my life’s work and we’re working nonstop to find the best possible outcome for users.”
- Aave DAO itself proposed contributing 25,000 ETH from its treasury.
Meanwhile, on-chain containment was happening simultaneously. The Arbitrum Security Council, coordinating with law enforcement, froze over 30,000 ETH of the attacker’s downstream funds.
Lazarus Group: The World’s Most Prolific Crypto Thieves
The attribution to North Korea’s Lazarus Group places this hack in a disturbing pattern.
Investigators and governments have repeatedly accused North Korea of using crypto theft to fund its weapons programmes. In 2024, a United Nations panel estimated that the country had stolen more than $3 billion in cryptocurrency since 2017.
KelpDAO’s hack became the largest in the industry so far in 2026, surpassing the previous record-holder, Drift Protocol, whose exploit was for $280 million. According to a post-mortem report, the Drift attack was the result of a six-month-long, carefully planned operation that involved malicious agents attending conferences.
The Lazarus Group’s laundering operation after the KelpDAO hack was equally sophisticated. On-chain analyst EmberCN and investigator ZachXBT noted a massive surge in THORChain volume, which reached $394 million in a single 24-hour period, more than ten times its usual daily activity. Security firms PeckShield and Cyvers estimated that approximately $176 million worth of stolen assets began moving through THORChain, Umbra, and BitTorrent in a rapid attempt to break the audit trail.
What This Means for DeFi Users Right Now
If you have funds in DeFi protocols, here is the practical takeaway from the KelpDAO hack:
Check your rsETH exposure. If you hold rsETH directly or have it as collateral in any lending protocol, monitor your position closely. The “DeFi United” recovery effort is working to restore rsETH’s peg, but until it is fully resolved, rsETH carries elevated risk.
Understand bridge risk. Every asset you move across chains passes through bridge infrastructure. Most bridges have improved their DVN configurations since April 18, but the risk category itself has not been eliminated. Know which bridges you use and check their security configurations.
Watch for Aave market normalization. The 100% utilization rates on Aave’s major markets have been partially addressed by the DeFi United effort, but if you have funds supplied to Aave that you cannot withdraw, monitor the recovery effort at aave.com.
Diversify across protocols. The KelpDAO hack demonstrated that DeFi contagion can spread instantly across interconnected protocols. Concentrating all your DeFi activity in protocols that share underlying collateral assets creates correlated risk.
The Deeper Problem: Why Bridges Keep Getting Hacked
Crypto bridge hacks like the $292 million KelpDAO exploit keep happening because bridges rely on trusted intermediaries and external data sources rather than fully verifying blockchain activity, which gives attackers data to manipulate. The problem is structural, not just bugs or mistakes.
The history is sobering. Ronin Bridge: $625 million. Poly Network: $600 million. Wormhole: $320 million. Nomad: $190 million. And now KelpDAO: $292 million. Bridges have collectively lost over $2 billion in hacks.
Spotting this type of exploit requires cross-chain invariant monitoring — continuously verifying that tokens released on a destination chain mathematically match tokens burned on the source chain. Most protocols don’t have this monitoring in place because it is expensive, complex, and requires watching multiple chains simultaneously.
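The monitoring described above, as an added example that is not KelpDAO or LayerZero tooling: it consumes two constructed event streams (burns observed on the source chain and releases observed on the destination chain), matches them by packet id, and raises an alert for a release with no matching burn, a release larger than its burn, and any point where cumulative releases exceed cumulative burns. Packet ids and amounts are constructed.

```python
from dataclasses import dataclass

# Added example: a cross-chain invariant monitor (not any project's own code).
# Invariants checked, per packet and in aggregate:
#   PHANTOM_BURN     release on the destination with no burn seen on the source
#   OVER_RELEASE     release amount exceeds the matching burn
#   SUPPLY_INVARIANT cumulative released > cumulative burned

@dataclass(frozen=True)
class Event:
    kind: str        # "burn" (source chain) or "release" (destination chain)
    packet_id: str
    amount: int      # integer token units; never floats for balances

def check_invariants(events):
    """Return a list of (alert, packet_id, amount) tuples, in observation order.
    Events are assumed to be ordered by the time the monitor observed them."""
    burned = {}
    alerts = []
    total_burned = total_released = 0
    for ev in events:
        if ev.kind == "burn":
            burned[ev.packet_id] = ev.amount
            total_burned += ev.amount
            continue
        total_released += ev.amount
        src = burned.get(ev.packet_id)
        if src is None:
            alerts.append(("PHANTOM_BURN", ev.packet_id, ev.amount))
        elif ev.amount > src:
            alerts.append(("OVER_RELEASE", ev.packet_id, ev.amount - src))
        if total_released > total_burned:
            alerts.append(("SUPPLY_INVARIANT", ev.packet_id, total_released - total_burned))
    return alerts

# Constructed sample: two legitimate transfers, then a release for a packet id
# that never appeared as a burn on the source chain.
SAMPLE = [
    Event("burn", "pkt-1", 100),
    Event("release", "pkt-1", 100),
    Event("burn", "pkt-2", 250),
    Event("release", "pkt-2", 250),
    Event("release", "pkt-99", 40_000),
]

if __name__ == "__main__":
    for alert in check_invariants(SAMPLE):
        print(alert)
```

In practice the source-chain indexer can lag the destination chain, so a phantom-burn alert should be held for a short grace window (or until source finality) before paging, while the aggregate supply check is cheap enough to run on every release.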
The KelpDAO hack will force the industry to confront this gap directly. LayerZero has already announced it will stop signing messages for any application using a single-verifier setup, forcing a broad migration. Every major bridge protocol is now reviewing its DVN configurations.
That’s a significant structural improvement — but it took a $292 million loss to force it.
Frequently Asked Questions
Is my money safe on Aave right now?
Aave has frozen rsETH-related markets. If you don’t hold rsETH, your funds in other Aave markets are not directly affected. Monitor aave.com for updates on market normalization as the DeFi United recovery proceeds.
Was this KelpDAO’s fault or LayerZero’s?
Both parties are disputing responsibility. LayerZero says KelpDAO chose a dangerous 1-of-1 DVN configuration against guidance. KelpDAO says the compromised infrastructure was LayerZero’s own servers, not a third-party verifier KelpDAO chose. The investigation is ongoing.
Will the stolen funds be recovered?
Partially. The Arbitrum Security Council froze approximately $71–75 million of downstream funds. The remaining $200M+ that moved through THORChain and other decentralised laundering routes is significantly harder to recover. The DeFi United effort is focused on covering the hole through community contributions rather than recovering the stolen funds directly.
What is rsETH?
rsETH is KelpDAO’s liquid restaking token — a yield-bearing derivative of staked ETH that was designed to be usable across DeFi and multiple chains. The hack exploited the cross-chain bridge that moved rsETH between networks.
Was this preventable?
Yes. A multi-DVN configuration would have required the attacker to compromise multiple independent verifiers simultaneously — making the specific attack vector used here effectively impossible. The 1-of-1 setup was the structural failure that enabled the exploit.
Final Word
The KelpDAO hack is a watershed moment for DeFi security — not because it was technically unprecedented, but because it demonstrated that the most sophisticated attackers on earth are now specifically targeting the off-chain infrastructure that cross-chain protocols depend on.
Smart contracts can be audited. DVN configurations can be hardened. But the KelpDAO incident reveals a category of risk that most DeFi users and many protocol teams hadn’t fully priced in: the trusted infrastructure between chains is only as strong as its weakest verification link.
The DeFi United recovery effort, the Arbitrum Security Council’s fast intervention, and LayerZero’s forced migration to multi-DVN configurations are all positive responses. But as DeFi protocols become increasingly interconnected, a single weak link can ripple across the stack.
The $292 million lesson from April 18 is one the industry will not forget quickly.
Follow for real-time DeFi security coverage and market impact analysis. Share this with anyone who has funds in DeFi protocols — understanding what happened at KelpDAO is essential context for managing risk in 2026.