BREACH BRIEF · Severity: Critical · Type: Breach

North Korean Hackers Steal $290 M from Crypto Platform Kelp via LayerZero Supply‑Chain Exploit

A $290 million cryptocurrency theft from Kelp was linked to a supply‑chain breach of LayerZero’s verification network. The incident demonstrates the danger of relying on a single third‑party verifier and the need for diversified security controls in crypto infrastructure.

LiveThreat™ Intelligence · April 21, 2026 · therecord.media

Severity: Critical · Type: Breach · Confidence: High · Affected: 2 sector(s) · Actions: 3 recommended · Source: therecord.media


What Happened — Over a weekend, approximately $290 million in cryptocurrency was transferred out of the Kelp platform. Investigation traced the theft to a supply‑chain compromise of LayerZero’s Decentralized Verifier Network (DVN), which was the sole verifier for Kelp’s rsETH token. North Korean‑linked group TraderTraitor forged rsETH tokens and used them as collateral to borrow real assets, completing the heist.

Why It Matters for TPRM

  • A single‑point‑of‑failure third‑party verifier enabled a multi‑billion‑dollar loss, highlighting the risk of over‑reliance on one infrastructure provider.
  • The attack leveraged sophisticated “message‑poisoning” and DDoS tactics that evaded traditional monitoring, underscoring gaps in vendor security controls.
  • Supply‑chain attacks on crypto infrastructure can cascade across multiple downstream services, amplifying third‑party exposure.

Who Is Affected — Crypto‑exchange and DeFi platforms that integrate LayerZero’s DVN services; broader blockchain‑as‑a‑service (BaaS) providers and their downstream users.

Recommended Actions

  • Audit all integrations with LayerZero or similar DVN services; enforce multi‑DVN redundancy.
  • Validate that vendors employ robust monitoring, anomaly detection, and DDoS mitigation for critical verification paths.
  • Update contractual security clauses to require diversified third‑party dependencies and regular security assessments.

Technical Notes — The attackers exploited a misconfiguration where Kelp relied on a single DVN, allowing forged rsETH messages to pass unchecked. No specific CVE was cited; the vector was a supply‑chain compromise of LayerZero’s verification infrastructure combined with DDoS on backup systems. Source: The Record
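As an added illustration (not code from the brief, from LayerZero or from Kelp), the following Python models a simplified verifier quorum for one cross-chain pathway, loosely patterned on a required-plus-optional-threshold DVN set; the structure, field names and the `dvn-A`/`0xforged` values are assumptions. It shows why a single required verifier lets a forged attestation through while a two-required-plus-one-optional set does not, and `audit_config` flags pathways whose effective quorum is one, which is the check the "audit all integrations" action above calls for.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    """One verifier's statement that it saw a message with this payload hash."""
    dvn: str
    payload_hash: str


@dataclass(frozen=True)
class VerifierConfig:
    """Per-pathway verifier set (assumed structure: every required DVN must
    attest, plus at least `optional_threshold` of the optional DVNs)."""
    required_dvns: frozenset
    optional_dvns: frozenset = frozenset()
    optional_threshold: int = 0


def message_verified(cfg: VerifierConfig, payload_hash: str,
                     attestations: list) -> bool:
    """True if the configured quorum attested to exactly this payload hash."""
    attesting = {a.dvn for a in attestations if a.payload_hash == payload_hash}
    if not cfg.required_dvns <= attesting:
        return False
    return len(cfg.optional_dvns & attesting) >= cfg.optional_threshold


def min_verifiers_to_forge(cfg: VerifierConfig) -> int:
    """Fewest distinct verifiers whose compromise gets a forged hash accepted."""
    return len(cfg.required_dvns) + cfg.optional_threshold


def audit_config(cfg: VerifierConfig) -> list:
    """Findings a TPRM reviewer would raise for this pathway's verifier set."""
    findings = []
    if min_verifiers_to_forge(cfg) <= 1:
        findings.append("single point of failure: one verifier compromise forges messages")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("unsatisfiable optional threshold: no message can verify")
    if cfg.optional_dvns and cfg.optional_threshold == 0:
        findings.append("optional DVNs configured but never required")
    return findings


# Constructed scenario: only dvn-A (the compromised verifier) attests to a forged hash.
SINGLE = VerifierConfig(required_dvns=frozenset({"dvn-A"}))
MULTI = VerifierConfig(required_dvns=frozenset({"dvn-A", "dvn-B"}),
                       optional_dvns=frozenset({"dvn-C", "dvn-D"}),
                       optional_threshold=1)
FORGED = [Attestation("dvn-A", "0xforged")]

if __name__ == "__main__":
    print("single-DVN pathway accepts forged message:", message_verified(SINGLE, "0xforged", FORGED))
    print("multi-DVN pathway accepts forged message:", message_verified(MULTI, "0xforged", FORGED))
    print("audit findings for single-DVN pathway:", audit_config(SINGLE))
```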

📰 Original Source
https://therecord.media/crypto-north-korea-theft-kelp

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
