
KelpDAO Loses $290 Million in Cross‑Chain Exploit Attributed to North Korean Lazarus Group

State‑sponsored Lazarus hackers hijacked LayerZero’s verification layer, stealing $290 M of rsETH from KelpDAO and forcing major DeFi lenders to freeze collateral. The breach highlights supply‑chain risk in cross‑chain infrastructure for crypto‑finance platforms.

🛡️ LiveThreat™ Intelligence · 📅 April 21, 2026 · 📰 bleepingcomputer.com

Severity: Critical
Type: Breach
Confidence: High
Affected: 3 sector(s)
Actions: 3 recommended
Source: bleepingcomputer.com


What Happened – On April 18, 2026 the DeFi liquid‑restaking platform KelpDAO detected malicious cross‑chain activity and paused its rsETH contracts. Attackers compromised RPC nodes used by LayerZero’s verification layer (DVN), fed it falsified data, and DDoS‑ed the healthy nodes, so that a forged cross‑chain message was accepted and ~116,500 rsETH (≈ $293 M) was transferred out and routed through Tornado Cash. Preliminary forensic indicators point to the state‑sponsored Lazarus Group (TraderTraitor).

Why It Matters for TPRM

  • A single supply‑chain dependency (LayerZero) was weaponized to steal crypto assets, showing how third‑party infrastructure can become a vector for massive loss.
  • The incident rippled to major lending protocols (Compound, Euler, Aave) that froze rsETH collateral, highlighting downstream risk to counterparties.
  • Attribution to a nation‑state actor underscores the need for continuous monitoring of geopolitical threat actors that target financial services.

Who Is Affected – Decentralized finance platforms, crypto lending services, cross‑chain interoperability providers, and any organization that integrates LayerZero or similar messaging hubs.

Recommended Actions

  • Review contracts and dependencies that rely on external verification layers (e.g., LayerZero DVN).
  • Conduct a security audit of RPC node configurations and implement multi‑node consensus checks.
  • Enforce strict monitoring of large cross‑chain token movements and integrate blockchain analytics (e.g., Tornado Cash detection).
  • Update incident‑response playbooks to include state‑actor attribution scenarios and rapid asset‑freeze procedures.
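The second recommended action, a multi‑node consensus check, is the control that addresses the attack pattern described above (one poisoned RPC node plus a DDoS on the healthy ones). The following is an added example written for this brief, not code from KelpDAO, LayerZero or BleepingComputer; the node names, payload hashes and quorum size are constructed. It contrasts a naive "majority of whoever answered" rule, which accepts the forged value once the honest nodes are knocked offline, with a k‑of‑n rule counted against all configured nodes, which fails closed when quorum cannot be reached.

```python
from collections import Counter
from typing import Optional

# Constructed sample reports: what each configured RPC node says the payload hash
# of one cross-chain message is. None means the node timed out (e.g. under DDoS).
SAMPLE_HEALTHY = {
    "rpc-a": "0xaaa1", "rpc-b": "0xaaa1", "rpc-c": "0xaaa1", "rpc-d": "0xaaa1",
}
# One compromised node answers with a forged hash; the three honest nodes are unreachable.
SAMPLE_POISONED_UNDER_DDOS = {
    "rpc-a": "0xf0rg3d", "rpc-b": None, "rpc-c": None, "rpc-d": None,
}
# Honest nodes reachable, one node lying: quorum still reached, dissenter flagged.
SAMPLE_ONE_LIAR = {
    "rpc-a": "0xf0rg3d", "rpc-b": "0xaaa1", "rpc-c": "0xaaa1", "rpc-d": "0xaaa1",
}


def naive_majority_of_responders(reports: dict[str, Optional[str]]) -> Optional[str]:
    """Weak rule: accept whatever most *responding* nodes report.
    A single responder is a 100% majority, so outages shrink the attacker's job."""
    answered = [v for v in reports.values() if v is not None]
    if not answered:
        return None
    return Counter(answered).most_common(1)[0][0]


def quorum_verify(reports: dict[str, Optional[str]], quorum: int) -> tuple[Optional[str], dict]:
    """k-of-n rule: accept a value only if at least `quorum` of the *configured*
    nodes independently report it. Unreachable nodes never reduce the denominator,
    so losing the honest nodes yields 'no decision' rather than 'attacker decides'."""
    if quorum < 1 or quorum > len(reports):
        raise ValueError("quorum must be between 1 and the number of configured nodes")
    answered = {node: v for node, v in reports.items() if v is not None}
    votes = Counter(answered.values())
    details = {
        "configured": len(reports),
        "answered": len(answered),
        "unreachable": sorted(n for n, v in reports.items() if v is None),
        "votes": dict(votes),
        "dissenting": [],
    }
    if not votes:
        return None, details
    value, count = votes.most_common(1)[0]
    details["dissenting"] = sorted(n for n, v in answered.items() if v != value)
    if count < quorum:
        # Fail closed: not enough independent agreement, do not release funds.
        return None, details
    return value, details


if __name__ == "__main__":
    # Hypothetical quorum: 3 of 4 configured verifier nodes must agree.
    for name, sample in [("healthy", SAMPLE_HEALTHY),
                         ("poisoned+ddos", SAMPLE_POISONED_UNDER_DDOS),
                         ("one liar", SAMPLE_ONE_LIAR)]:
        accepted, info = quorum_verify(sample, quorum=3)
        print(f"{name:14s} naive={naive_majority_of_responders(sample)!s:9s} "
              f"quorum={accepted!s:9s} unreachable={info['unreachable']} "
              f"dissenting={info['dissenting']}")
```

The "poisoned+ddos" row is the instructive one: the naive rule returns the forged hash, while the quorum rule returns no value and reports three unreachable nodes, which is exactly the condition an operator should alert on rather than silently proceed. Any node listed as dissenting while quorum is still met is a candidate for the RPC configuration audit recommended above.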

Technical Notes – The attack combined a compromised RPC node with a DDoS against the remaining nodes to poison the verification layer, effectively exploiting the cross‑chain messaging protocol's trust in its verifiers rather than a disclosed code flaw. No public CVE was disclosed. Stolen assets were liquid‑restaked ETH tokens (rsETH), moved through Tornado Cash for anonymization. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
