
A massive $290 million cryptocurrency theft targeting Kelp DAO has been attributed to North Korea-linked hackers, specifically the Lazarus Group and its TraderTraitor subgroup, according to blockchain infrastructure firm LayerZero.
The attack took place on April 18, 2026, when threat actors drained approximately 116,500 rsETH tokens—worth nearly $292 million—by exploiting weaknesses in Kelp DAO’s cross-chain verification process.
Investigations indicate that the attackers targeted LayerZero’s Decentralized Verifier Network (DVN), compromising certain remote procedure call (RPC) nodes while simultaneously launching a distributed denial-of-service (DDoS) attack on others. This forced the system to rely on malicious infrastructure controlled by the attackers, allowing them to inject fraudulent transaction data that appeared legitimate.
LayerZero described the operation as a “highly sophisticated attack,” noting that the hackers used a custom payload to forge cross-chain messages and bypass verification checks. The breach was further enabled by Kelp DAO’s “1-of-1” verifier setup, which relied on a single point of validation, making it easier for attackers to manipulate the system.
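The failure mode described above, and the fail-closed design that resists it, as an added example that is not LayerZero's or Kelp DAO's code. It assumes a simplified model in which a verifier polls a fixed set of RPC endpoints for a message hash; the endpoint names, verifier names and hashes are constructed placeholders.

```python
from collections import Counter

# Constructed sample data: endpoint names and hashes are placeholders.
ENDPOINTS = {"rpc-a", "rpc-b", "rpc-c", "rpc-d", "rpc-e"}
GENUINE, FORGED = "0xaaaa", "0xffff"
# Three endpoints unreachable (None), two compromised and agreeing on a forgery.
ATTACK = [("rpc-a", None), ("rpc-b", None), ("rpc-c", None),
          ("rpc-d", FORGED), ("rpc-e", FORGED)]
HEALTHY = [(e, GENUINE) for e in sorted(ENDPOINTS)]

def naive_verify(replies):
    """Weak pattern: fall back to whichever endpoint still answers."""
    for _endpoint, payload_hash in replies:
        if payload_hash is not None:
            return payload_hash
    return None

def quorum_verify(replies, configured, threshold):
    """Return a hash only if >= threshold of the CONFIGURED endpoints agree.

    The denominator is the configured set, not the reachable set, so taking
    honest endpoints offline cannot shrink the quorum. Otherwise fail closed.
    """
    if not (len(configured) // 2 < threshold <= len(configured)):
        raise ValueError("threshold must be a strict majority of configured endpoints")
    seen = {}
    for endpoint, payload_hash in replies:
        if endpoint in configured and payload_hash is not None:
            seen.setdefault(endpoint, payload_hash)  # one vote per endpoint
    if not seen:
        return None
    winner, votes = Counter(seen.values()).most_common(1)[0]
    return winner if votes >= threshold else None

def message_accepted(attestations, required):
    """M-of-N over independent verifiers: return the hash that `required`
    verifiers attest to, or None. required=1 models a 1-of-1 setup."""
    counts = Counter(h for h in attestations.values() if h is not None)
    return next((h for h, n in counts.items() if n >= required), None)

if __name__ == "__main__":
    print("naive under attack :", naive_verify(ATTACK))
    print("quorum under attack:", quorum_verify(ATTACK, ENDPOINTS, 3))
    print("1-of-1 verifiers   :", message_accepted({"dvn-1": FORGED}, 1))
    print("2-of-3 verifiers   :", message_accepted(
        {"dvn-1": FORGED, "dvn-2": GENUINE, "dvn-3": GENUINE}, 2))
```

Failing closed trades availability for integrity: under the same outage the quorum verifier stops attesting instead of passing forged data, which is an event worth alerting on.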
Following the incident, Kelp DAO paused affected contracts and blacklisted attacker-linked wallets. A second attempted exploit involving an additional 40,000 rsETH was successfully blocked.
The fallout from the breach extended across the decentralized finance (DeFi) ecosystem, with major platforms experiencing liquidity stress and sharp withdrawals as users rushed to secure funds. The incident is now considered the largest DeFi hack of 2026, surpassing earlier attacks such as the $285 million Drift Protocol breach, which was also linked to North Korean actors.
Security experts highlight that the attack reflects an evolving strategy by North Korean cyber groups, which are increasingly targeting infrastructure layers and exploiting configuration weaknesses rather than traditional smart contract bugs.
The breach underscores growing concerns around DeFi security and the rising sophistication of state-backed cyberattacks, particularly as interconnected blockchain systems create opportunities for large-scale, cascading exploits.




