Kelp DAO Exploit Linked to North Korean Lazarus Group Results in $292 Million Loss

The Kelp DAO incident underscores vulnerabilities in DeFi infrastructure, potentially shaking investor confidence and prompting regulatory scrutiny.

• On April 18, 2026, Kelp DAO experienced a $292 million exploit via its LayerZero-powered rsETH bridge, attributed to North Korea's Lazarus Group.
• Attackers compromised two decentralized verifier network (DVN) RPC nodes and executed DDoS attacks, allowing them to mint 116,500 unbacked rsETH.
• In response, Kelp DAO paused operations, while Aave froze rsETH markets, leading to over $10 billion in outflows and a 7% decline in DeFi total value locked (TVL).

• Kelp DAO is a liquid restaking protocol that issues rsETH tokens and integrated LayerZero's cross-chain messaging despite prior warnings about single DVN risks.
• LayerZero's DVN verifies cross-chain messages through RPC nodes, which were exploited in this incident, highlighting the risks of relying on a single verifier.
• The Lazarus Group, a North Korean state actor, has been linked to significant crypto thefts, raising alarms about the security of DeFi platforms amidst increasing vulnerabilities.

On April 18, 2026, at 17:35 UTC, the Kelp DAO exploit unfolded as attackers, funded through Tornado Cash, targeted two LayerZero DVN RPC nodes. They injected malicious binaries into these nodes and executed DDoS attacks on others between 10:20 and 11:40 a.m. PT, forcing a failover in the system. This manipulation allowed the attackers to forge a message that triggered Kelp DAO's bridge to release 116,500 rsETH, valued at $292 million.

Kelp DAO activated an emergency pause at 18:21 UTC, but the damage was already done. LayerZero, the technology provider, confirmed that the exploit was not due to flaws in its protocol but rather a consequence of Kelp's configuration choices. This incident has raised questions about the security of cross-chain bridges, particularly those relying on a single DVN setup, which had been flagged as risky 15 months prior.

The aftermath saw Aave, a major DeFi platform, freezing rsETH markets, leading to over $10 billion in outflows and a 7% decline in the overall DeFi TVL, which fell to $86.3 billion. Other protocols, including Ethena, ether.fi, Tron DAO, and Curve Finance, paused their LayerZero bridges in response to the exploit. Aave's founder, Stani Kulechov, confirmed that the rsETH freeze was not due to a compromise of the contract itself, but rather a direct result of the exploit.

LayerZero has since mandated the use of multi-DVN setups to enhance security and ceased signing 1-of-1 messages to prevent similar incidents in the future. The incident has not only highlighted the vulnerabilities in DeFi but also the potential for state-sponsored attacks on cryptocurrency infrastructure. Law enforcement agencies are currently tracing the stolen funds, but there has been no indication of contagion to multi-DVN applications.

• DeFi investors: Those holding assets in affected protocols may face immediate financial losses and reduced confidence in the security of their investments.
• Developers and protocol teams: Increased scrutiny and pressure to enhance security measures in cross-chain technologies.
• Regulators: Potential for heightened regulatory oversight of DeFi platforms, especially those with vulnerabilities to state-sponsored attacks.

• Regulatory responses: Watch for potential regulations targeting DeFi protocols, especially those that have experienced significant exploits.
• Security upgrades: Monitor how quickly and effectively protocols implement multi-DVN setups and other security measures in response to this incident.
• Market reactions: Observe how investor sentiment shifts in the wake of this exploit, particularly regarding liquidity and trust in cross-chain technologies.