North Korea stole $292 million from a decentralised finance protocol over the weekend. That part, at least, everyone agrees on. Everything else is a blame game.
Kelp DAO, a liquid restaking protocol that routes user Ethereum through EigenLayer to generate additional yield, lost 116,500 rsETH tokens worth approximately $292 million on 18 April, making it the largest DeFi exploit of 2026.
The attack was technically elegant, audacious in scale, and is now being picked apart in a very public dispute about who bears responsibility.
LayerZero, whose cross-chain messaging infrastructure powered Kelp's bridge, published a post-mortem attributing the attack with preliminary confidence to North Korea's Lazarus Group, specifically its TraderTraitor subunit.
The mechanics were surgical. Attackers compromised two RPC nodes used by LayerZero's decentralised verifier network, replacing their software binaries with malicious versions, then launched a distributed denial-of-service attack against the remaining clean nodes to force a failover to the poisoned ones.
Once that failover triggered, the compromised nodes told the system a valid cross-chain transfer had arrived and the bridge released the funds. The malicious node software then self-destructed, wiping binaries and local logs.
The attack only worked because of one critical architectural weakness. Kelp ran a 1-of-1 verifier configuration, meaning LayerZero Labs was the sole entity verifying messages to and from the rsETH bridge.
LayerZero said its integration documentation and direct communications to Kelp had recommended a multi-verifier setup, under which compromising a single node would not have been enough to forge a valid message.
Kelp disputes that framing entirely. The protocol plans to argue that the compromised decentralised verifier network was LayerZero's own infrastructure, not a third-party verifier, and that the single-verifier configuration was consistent with LayerZero's own defaults and public documentation rather than an outlier choice made against explicit advice.
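The verifier-threshold point at the centre of this dispute can be modelled in a few lines. The sketch below is an added example, not LayerZero's or Kelp's code: the class, function and verifier names are hypothetical, and the sample configurations are constructed. It goes slightly beyond the 1-of-1 case in the article by flagging any pathway whose threshold is 1, since a 1-of-N setup can also be satisfied by a single compromised verifier.

```python
"""Added illustration: quorum check for cross-chain message verification.
All names are hypothetical; sample data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PathwayConfig:
    app: str
    verifiers: frozenset  # verifier identities trusted for this pathway
    threshold: int        # matching attestations required to release funds

def accepts(cfg, attestations, message_hash):
    """True when enough distinct *configured* verifiers attest to message_hash.
    attestations maps verifier name -> hash that verifier vouches for."""
    signers = {v for v, h in attestations.items()
               if v in cfg.verifiers and h == message_hash}
    return len(signers) >= cfg.threshold

def forged_message_accepted(cfg, compromised, forged_hash="0xFORGED"):
    """Model the failure mode: compromised verifiers vouch for a transfer that
    never happened; honest verifiers saw nothing and attest to nothing."""
    attestations = {v: forged_hash for v in compromised}
    return accepts(cfg, attestations, forged_hash)

def audit(configs):
    """Flag pathways where one compromised verifier is enough to forge a message."""
    findings = []
    for cfg in configs:
        n = len(cfg.verifiers)
        if not 1 <= cfg.threshold <= n:
            findings.append((cfg.app, "invalid threshold"))
        elif cfg.threshold == 1:
            findings.append((cfg.app, f"single point of failure (1 of {n})"))
    return findings

# Constructed sample configurations (not real deployments).
CONFIGS = [
    PathwayConfig("bridge-a", frozenset({"verifier-1"}), 1),
    PathwayConfig("bridge-b", frozenset({"verifier-1", "verifier-2", "verifier-3"}), 2),
    PathwayConfig("bridge-c", frozenset({"verifier-1", "verifier-2", "verifier-3"}), 1),
]

if __name__ == "__main__":
    for app, issue in audit(CONFIGS):
        print(f"{app}: {issue}")
    for cfg in CONFIGS:
        result = forged_message_accepted(cfg, {"verifier-1"})
        print(f"{cfg.app}: forged message accepted with one bad verifier = {result}")
```
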
The collateral damage has been severe. The attacker deposited the stolen rsETH onto lending protocol Aave as collateral and borrowed wrapped ether against it, leaving roughly $196 million in bad debt.
Aave's total value locked dropped by approximately $6.6 billion following the attack. Because the bridge held reserves backing rsETH on more than 20 networks, including Base, Arbitrum, and Scroll, the loss raised immediate doubts about the backing of rsETH on layer-2 chains.
The exploit follows the $285 million drain of Solana-based protocol Drift earlier this month, also attributed to North Korean operatives, meaning the same state-backed unit has extracted more than $575 million from DeFi in 18 days through two structurally different attack vectors.
North Korea's cyber operations are run under the Reconnaissance General Bureau, which houses several distinct units. Last year alone, its hackers stole more than $2 billion in cryptocurrency.
LayerZero has contacted global law enforcement and said it will no longer sign messages for any application running a single-verifier configuration. Whether that closes the door or just moves it slightly is a question the next attack will answer.
The recap
- Lazarus Group accused of exploiting Kelp DAO smart contract
- Attack resulted in $292 million of cryptocurrency stolen
- LayerZero published the attribution in an online announcement