North Korea’s Lazarus Group likely stole $292 million from Kelp DAO’s rsETH bridge by exploiting a single-verifier configuration that LayerZero says it had warned against.
Posted April 20, 2026 at 6:29 am EST.
Kelp DAO, a liquid restaking protocol that routes user ETH through EigenLayer to generate additional yield, lost 116,500 rsETH worth approximately $292 million to an attacker on April 18 in the largest DeFi exploit of 2026. LayerZero, whose cross-chain messaging infrastructure underpinned Kelp’s bridge, published a post-mortem on April 20 attributing the attack with “preliminary confidence” to North Korea’s Lazarus Group, specifically its TraderTraitor subunit.
Attackers pre-funded six wallets through Tornado Cash roughly 10 hours before the drain. They then compromised two of the RPC nodes that LayerZero’s verifier relied on to confirm cross-chain transactions, replacing the nodes’ software with malicious versions that reported false transaction data to the verifier while continuing to feed accurate data to every other observer — keeping the attack invisible to LayerZero’s own monitoring systems. A simultaneous DDoS attack forced a failover that brought the compromised nodes into the verification path. With the verifier deceived, Kelp’s bridge released 116,500 rsETH to an attacker-controlled address at 17:35 UTC.
This story is an excerpt from the Unchained Daily newsletter.
According to LayerZero Labs, the attack succeeded because Kelp operated a 1-of-1 verifier configuration, meaning LayerZero Labs was the only entity verifying messages to and from the rsETH bridge. LayerZero said its integration documentation and direct communications to Kelp had recommended a multi-verifier setup, under which compromising a single node would not have been enough to forge a valid message.
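A simplified model of the two configurations, added here as an illustration; it is not LayerZero's or Kelp's code. The verifier names, the 2-of-3 threshold, and the `should_release` function are assumptions, and the sample packet and attestations are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Attestation:
    verifier: str                 # hypothetical verifier name
    observed_hash: Optional[str]  # packet hash seen on the source chain; None = not found


@dataclass(frozen=True)
class BridgeConfig:
    verifiers: frozenset  # verifiers the bridge is configured to trust
    threshold: int        # how many of them must agree before funds move

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.verifiers):
            raise ValueError("threshold must be between 1 and the verifier count")


def packet_hash(packet: bytes) -> str:
    return hashlib.sha256(packet).hexdigest()


def should_release(config, packet, attestations) -> bool:
    """True only if `threshold` distinct configured verifiers saw this exact packet."""
    want = packet_hash(packet)
    agreeing = {a.verifier for a in attestations
                if a.verifier in config.verifiers and a.observed_hash == want}
    return len(agreeing) >= config.threshold


# Constructed sample: a packet with no matching source-chain message.
FORGED = b"constructed-sample: release rsETH, nonce 1"
ATTESTATIONS = [
    Attestation("verifier-a", packet_hash(FORGED)),  # misled by its compromised RPC nodes
    Attestation("verifier-a", packet_hash(FORGED)),  # duplicate vote, counted once
    Attestation("verifier-b", None),                 # independent RPCs: no such message
    Attestation("verifier-c", None),
    Attestation("unlisted", packet_hash(FORGED)),    # not in the config, ignored
]
SINGLE = BridgeConfig(frozenset({"verifier-a"}), threshold=1)
MULTI = BridgeConfig(frozenset({"verifier-a", "verifier-b", "verifier-c"}), threshold=2)

if __name__ == "__main__":
    print("1-of-1 releases:", should_release(SINGLE, FORGED, ATTESTATIONS))
    print("2-of-3 releases:", should_release(MULTI, FORGED, ATTESTATIONS))
```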
Kelp’s emergency multisig paused core contracts 46 minutes after the drain. Two follow-up attempts at 18:26 and 18:28 UTC, each carrying the same LayerZero packet and targeting another 40,000 rsETH worth roughly $100 million, were blocked. The attacker consolidated approximately 74,000 ETH post-exploit. LayerZero said it is working with multiple law enforcement agencies, is actively tracking the stolen funds, and will no longer sign messages for any project running a single-verifier configuration.
The Kelp attack brings total DeFi losses linked to North Korean state actors this month to over $575 million. It follows the Drift Protocol exploit on April 1, which was also linked to North Korean state actors. Drift lost approximately $285 million in an attack involving social engineering of governance signers.

