Something started to move on the Ethereum blockchain at 17:35 UTC on Saturday, April 18. At first, it looked like a typical cross-chain transaction. The messages were properly formatted. The verifier validated them. The bridge released the funds. By the time KelpDAO’s developers realized what was going on and halted the core contracts, 116,500 rsETH, or around $292 million, had disappeared. The attacker had not found a bug in the smart contract code. They had found something far more exploitable: a configuration decision made by a single KelpDAO employee despite repeated advice, which reduced an entire cross-chain security architecture to a single point of failure.
Since then, the attack has been attributed, with what LayerZero calls “preliminary confidence,” to the TraderTraitor subunit of North Korea’s Lazarus Group, which is responsible for a growing list of sophisticated cryptocurrency thefts from decentralized finance systems. According to the post-mortem LayerZero released on April 20, the operation started about ten hours before the drain, when the attackers pre-funded six wallets using Tornado Cash.
Then, they compromised two of the RPC nodes that KelpDAO’s lone verifier used to verify cross-chain transactions. They replaced the legitimate node software with malicious versions that continued to feed accurate data to all other network observers while reporting fake transaction data to the verifier. The verifier started approving transactions that had never really happened on the source chain after a concurrent DDoS attack forced a failover to the poisoned endpoints. Because KelpDAO had only one verifier, there was nobody to disagree.
| Category | Detail |
|---|---|
| Victim Protocol | KelpDAO — Ethereum liquid restaking protocol; attacker drained 116,500 rsETH (approx. $292 million) from its LayerZero-powered cross-chain bridge at 17:35 UTC on April 18 |
| Attributed Actor | North Korea’s Lazarus Group (TraderTraitor subunit) — attributed with “preliminary confidence” by LayerZero’s April 20 post-mortem; pre-funded six wallets via Tornado Cash ~10 hours before the drain |
| Root Cause | KelpDAO ran a 1-of-1 single verifier (DVN) configuration — despite LayerZero’s repeated recommendation of multi-verifier redundancy; attackers compromised two RPC nodes and used DDoS to force failover to a poisoned endpoint |
| Market Contagion | $13.21 billion wiped from DeFi total value locked (TVL) within 48 hours; Aave lost $8.45 billion in deposits; nine major lending protocols froze affected markets |
| Emergency Response | Arbitrum Security Council froze 30,766 ETH linked to the exploiter using emergency governance powers after coordinating with law enforcement |
| Part of Broader Campaign | Lazarus Group also linked to the Drift Protocol exploit ($285 million, April 1, 2026) — total North Korea-linked DeFi losses in April 2026 exceed $575 million |
| Stolen Tokens Impact | rsETH now stranded on more than 20 layer-2 networks; token backing in doubt; rsETH peg and redemption ability under severe market pressure |
| Further Reference | Full technical post-mortem at CoinDesk and LayerZero |
In its public remarks, LayerZero has identified the underlying problem. According to the company, it has “repeatedly urged” KelpDAO to implement a multi-verifier configuration, which would require the simultaneous compromise of multiple independent verifier networks rather than just one. KelpDAO ran a 1-of-1 design anyway.
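The difference between a 1-of-1 and a multi-verifier threshold can be modeled in a few lines. This is an added example, not LayerZero's or KelpDAO's code: the function names, message fields and data are hypothetical and constructed, and each verifier is assumed to read the source chain through its own RPC view.

```python
# Added example: threshold check over independent verifier attestations.
# All names and data are hypothetical/constructed; not LayerZero or KelpDAO code.
from collections import Counter
from hashlib import sha256
from typing import Optional


def payload_hash(msg: dict) -> str:
    """Canonical digest of the cross-chain message a verifier attests to."""
    canon = "|".join(f"{k}={msg[k]}" for k in sorted(msg))
    return sha256(canon.encode()).hexdigest()


def attest(rpc_view: dict, nonce: int) -> Optional[str]:
    """A verifier attests only to what its own RPC source reports for a nonce."""
    msg = rpc_view.get(nonce)
    return payload_hash(msg) if msg else None


def bridge_accepts(claimed: dict, verifier_views: list, required: int) -> bool:
    """Release only if `required` verifiers independently saw the same message."""
    if not 1 <= required <= len(verifier_views):
        raise ValueError("threshold must be between 1 and the verifier count")
    votes = Counter(attest(view, claimed["nonce"]) for view in verifier_views)
    return votes[payload_hash(claimed)] >= required


# Constructed data: nonce 7 never happened on the source chain.
HONEST_VIEW = {6: {"nonce": 6, "to": "0xaaa", "amount": 10}}
POISONED_VIEW = {**HONEST_VIEW, 7: {"nonce": 7, "to": "0xbad", "amount": 116500}}
FORGED = POISONED_VIEW[7]

if __name__ == "__main__":
    # 1-of-1: the only verifier reads the poisoned endpoint, so nothing disagrees.
    print("1-of-1 accepts forged:", bridge_accepts(FORGED, [POISONED_VIEW], 1))
    # 2-of-3: two verifiers on independent RPC sources never saw nonce 7.
    views = [POISONED_VIEW, HONEST_VIEW, HONEST_VIEW]
    print("2-of-3 accepts forged:", bridge_accepts(FORGED, views, 2))
    print("2-of-3 accepts real:  ", bridge_accepts(HONEST_VIEW[6], views, 2))
```

The threshold only adds protection when the verifiers do not share RPC infrastructure; three verifiers behind the same poisoned endpoint would still agree with each other.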
LayerZero has officially declared that it will no longer sign messages for projects that use a single-verifier configuration. In an industry where infrastructure providers and application developers typically steer clear of public finger-pointing following breaches, the directness of that position is uncommon. It implies that LayerZero believed its warnings were specific, documented, and blatantly disregarded.
In practice, the fallout from a $292 million theft extends beyond the compromised protocol. Because rsETH, the liquid restaking token that KelpDAO issued, is widely used as collateral across DeFi lending protocols, the protocols holding it faced potential shortfalls as soon as its backing became uncertain. The scenario is comparable to a bank accepting deposits of money that turns out to be counterfeit: the deposits appear authentic until someone examines them carefully, by which point loans have already been made against them.
In under 48 hours, Aave lost $8.45 billion in deposits. Nine major protocols froze affected markets. In just two days, the total value locked across DeFi fell by $13.21 billion, not because $13 billion was stolen, but because sensible depositors chose not to wait to see what else might be backed by something that wasn’t there.

This is made worse by the timing. The $285 million attack against Drift Protocol on April 1st, which was also linked to North Korean state actors, was followed by the KelpDAO exploit. This indicates that Lazarus Group has allegedly taken more than $575 million out of DeFi in a single month, a rate that is not coincidental. Reading the technical details of both attacks gives me the impression that this is not an opportunistic crime.
It is a state-sponsored organization with a budget to fulfill that methodically targets the weakest parts in a financial system that has occasionally been constructed with more focus on theoretical architecture than on the actual security of the infrastructure layer beneath it.
Using emergency governance powers, the Arbitrum Security Council has frozen tens of millions of dollars’ worth of related assets. That is a significant and truly amazing response in an area that frequently finds it difficult to organize quick action.
It is still completely unclear whether the frozen money can be recovered and what will happen to rsETH holders whose tokens are stranded on more than twenty networks. On-chain tracing continues. The wallets are still being monitored. Whoever the attackers are in the end, they seem to have already moved on.