A DeFi hack attributed to North Korea’s Lazarus Group has stolen approximately $290 million in cryptocurrency from Kelp DAO, marking the largest decentralized finance exploit of 2026. The attack, which occurred on Saturday, April 18, 2026, targeted Kelp DAO’s cross-chain bridge and exposed a critical architectural vulnerability that even the most sophisticated DeFi protocols can overlook.
Key Takeaways
- Lazarus Group stole 116,500 rsETH tokens valued at $290M from Kelp DAO on April 18, 2026
- Attackers compromised RPC nodes and used DDoS to force failover to poisoned infrastructure
- Kelp DAO’s single-verifier configuration created a critical single point of failure
- Approximately $71M in stolen funds frozen by Arbitrum’s Security Council
- LayerZero previously recommended DVN diversification, which Kelp DAO rejected
How the DeFi hack unfolded
The DeFi hack exploited a sophisticated chain of infrastructure weaknesses rather than smart-contract bugs. Attackers gained access to LayerZero Labs’ Decentralized Verifier Network (DVN) and compromised two independent remote procedure call (RPC) nodes by swapping out their binaries—specifically op-geth nodes running on separate clusters. These nodes form the backbone of LayerZero’s cross-chain message validation system.
Once the nodes were compromised, the attackers launched a distributed denial-of-service (DDoS) flood against the legitimate RPC nodes, forcing the network to fail over to the poisoned infrastructure. The poisoned nodes then carried out RPC spoofing, generating forged blockchain data that appeared valid to Kelp DAO’s bridge contract. This fraudulent cross-chain message was accepted as legitimate because Kelp DAO operated a 1-of-1 verifier setup—meaning no independent validator existed to reject the false transaction.
Within 46 minutes of the initial drain, Kelp DAO’s emergency multisig paused the core contracts, preventing two follow-up theft attempts worth approximately $100 million. The stolen 116,500 rsETH tokens were then funneled through Tornado Cash to obscure the transaction trail. Arbitrum’s Security Council subsequently froze roughly $71 million in stolen funds—approximately 30,766 ETH—though the majority remains at large.
Single point of failure in DeFi infrastructure
LayerZero explicitly blamed Kelp DAO’s architectural decision to use a single DVN for validation. According to LayerZero, a properly hardened configuration would have required consensus across multiple independent verifiers, making it mathematically impossible for a single compromised node to authorize fraudulent transactions. This is not a new recommendation—LayerZero and other external parties had previously communicated best practices around DVN diversification to Kelp DAO.
Kelp DAO reportedly disputed this assessment, blaming LayerZero’s infrastructure security for the breach. The blame-shifting reflects a broader tension in DeFi: protocols must balance security, cost, and decentralization. Using multiple DVNs increases resilience but adds operational complexity and expense. Kelp DAO chose speed and simplicity over redundancy, a decision that proved catastrophic.
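To make the 1-of-1 versus multi-verifier distinction concrete, here is an added simulation (not Kelp DAO or LayerZero code) of a destination bridge deciding whether to execute a cross-chain message. Each verifier (DVN) reads the source chain through a single RPC node and attests to the hash of what it saw; one of the three verifiers is fed by a poisoned RPC node that reports a forged payload. The bridge policy, the DVN and RPC names, and the payloads are all constructed for the example. It shows that a 1-of-1 configuration executes the forged message, while a 2-of-3 quorum rejects it and still passes the real one.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data for the illustration; none of it is Kelp DAO or LayerZero data.
MSG_ID = "srcchain:nonce:42"
REAL_PAYLOAD = b"mint 10 rsETH to 0xuser"
FORGED_PAYLOAD = b"mint 116500 rsETH to 0xattacker"


def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


class RpcNode:
    """A source-chain RPC endpoint as a verifier sees it. A poisoned node
    answers the same message id with attacker-chosen data (RPC spoofing)."""

    def __init__(self, name: str, view: dict):
        self.name = name
        self.view = view  # msg_id -> payload this node will report

    def get_payload(self, msg_id: str) -> bytes:
        return self.view[msg_id]


class Verifier:
    """A DVN: reads the source chain through one RPC node and attests to the
    hash of whatever it saw. It cannot tell that its RPC node is lying."""

    def __init__(self, name: str, rpc: RpcNode):
        self.name = name
        self.rpc = rpc

    def attest(self, msg_id: str) -> tuple:
        return self.name, payload_hash(self.rpc.get_payload(msg_id))


@dataclass
class BridgeConfig:
    """Hypothetical verifier policy on the destination bridge: every DVN in
    `required` must agree, plus at least `optional_threshold` of `optional`."""
    required: list
    optional: list = field(default_factory=list)
    optional_threshold: int = 0

    def __post_init__(self):
        if not self.required and self.optional_threshold < 1:
            raise ValueError("config would accept messages nobody verified")


def verify(config: BridgeConfig, attestations: dict, delivered: bytes) -> bool:
    """True if the bridge would execute `delivered`, i.e. the configured
    verifier set attested to exactly this payload's hash."""
    h = payload_hash(delivered)
    if any(attestations.get(name) != h for name in config.required):
        return False
    agreeing = sum(1 for name in config.optional if attestations.get(name) == h)
    return agreeing >= config.optional_threshold


def run_scenario(config: BridgeConfig, delivered: bytes) -> bool:
    """One compromised verifier (dvn-alpha, fed by a poisoned RPC node) among
    three. Returns whether the bridge accepts the delivered payload."""
    honest_view = {MSG_ID: REAL_PAYLOAD}
    poisoned_view = {MSG_ID: FORGED_PAYLOAD}
    dvns = [
        Verifier("dvn-alpha", RpcNode("rpc-poisoned", poisoned_view)),
        Verifier("dvn-beta", RpcNode("rpc-b", honest_view)),
        Verifier("dvn-gamma", RpcNode("rpc-c", honest_view)),
    ]
    attestations = dict(v.attest(MSG_ID) for v in dvns)
    return verify(config, attestations, delivered)


# 1-of-1: the compromised DVN is the only verifier consulted.
SINGLE_DVN = BridgeConfig(required=["dvn-alpha"])
# 2-of-3: any two independent verifiers must agree.
TWO_OF_THREE = BridgeConfig(required=[], optional=["dvn-alpha", "dvn-beta", "dvn-gamma"],
                            optional_threshold=2)
# All three required: safest against forgery, but one broken DVN halts the bridge.
ALL_REQUIRED = BridgeConfig(required=["dvn-alpha", "dvn-beta", "dvn-gamma"])

if __name__ == "__main__":
    for label, cfg in [("1-of-1", SINGLE_DVN), ("2-of-3", TWO_OF_THREE), ("3 required", ALL_REQUIRED)]:
        print(f"{label}: forged accepted={run_scenario(cfg, FORGED_PAYLOAD)}, "
              f"real accepted={run_scenario(cfg, REAL_PAYLOAD)}")
```

The all-required policy illustrates the trade-off the paragraph above describes: it rejects the forged message, but because the compromised verifier also refuses to attest to the real one, the bridge stops delivering honest traffic until that DVN is replaced. A threshold over independent verifiers keeps both safety and liveness as long as fewer than the threshold are compromised at once.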
The DeFi hack had immediate ripple effects across lending protocols. Aave froze rsETH collateral and blocked new deposits and borrowing, while Compound and Euler also suspended rsETH support. The incident remained isolated to rsETH itself—no broader contagion spread to other assets or applications—but it exposed a vulnerability in how cross-chain bridges handle verifier configuration.
Attribution to Lazarus and TraderTraitor
LayerZero attributed the DeFi hack to a highly sophisticated state actor, specifically North Korea’s Lazarus Group and its TraderTraitor subunit, based on preliminary indicators. The technical sophistication—binary swapping, coordinated DDoS, RPC spoofing—aligns with state-sponsored cyber operations rather than independent criminal groups. However, it is worth noting that the attribution remains preliminary and has not been confirmed by independent forensic analysis.
Lazarus Group has a documented history of cryptocurrency theft. The group has targeted exchanges, custodians, and DeFi protocols to fund North Korea’s weapons programs and circumvent international sanctions. This DeFi hack represents a significant escalation in both scale and technical sophistication, demonstrating that state actors are actively targeting decentralized finance infrastructure rather than relying solely on exchange hacks.
What this DeFi hack means for crypto security
The Kelp DAO breach reveals that DeFi security cannot rely solely on smart-contract audits and formal verification. Infrastructure security—RPC node hardening, network monitoring, DDoS mitigation—is equally critical. A protocol can have perfect code and still lose hundreds of millions if its operational infrastructure is compromised.
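One concrete piece of the infrastructure hardening described above is how a verifier or bridge operator reads chain data in the first place. The following added example (not code from Kelp DAO, LayerZero or any RPC provider) models an RPC client that only fails over within an allowlist of independent endpoints and only trusts a block hash once a quorum of them report the same value, logging any disagreement for the operations team. The endpoint behaviours, block hashes and quorum sizes are constructed for the example; a real client would wrap actual eth_getBlockByNumber calls.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List


class RpcUnavailable(Exception):
    """Raised when an endpoint times out or too few endpoints agree."""


@dataclass
class Endpoint:
    name: str
    block_hash_at: Callable[[int], str]  # stand-in for an eth_getBlockByNumber call


@dataclass
class Divergence:
    height: int
    answers: dict  # endpoint name -> hash it reported


@dataclass
class QuorumRpcClient:
    """Reads chain data only from an allowlist of independent endpoints and
    accepts a value only when at least `quorum` of them report it."""
    endpoints: List[Endpoint]  # fail over only within this list, never to unknown hosts
    quorum: int
    alerts: List[Divergence] = field(default_factory=list)

    def block_hash(self, height: int) -> str:
        answers = {}
        for ep in self.endpoints:
            try:
                answers[ep.name] = ep.block_hash_at(height)
            except RpcUnavailable:
                continue  # e.g. endpoint under DDoS: skip it, do not widen the allowlist
        if not answers:
            raise RpcUnavailable(f"no endpoint answered for height {height}")
        winner, votes = Counter(answers.values()).most_common(1)[0]
        if len(set(answers.values())) > 1:
            # Endpoints disagree about the same block: record it for the SOC even
            # when a quorum still exists, because one of them is lying or stale.
            self.alerts.append(Divergence(height, dict(answers)))
        if votes < self.quorum:
            raise RpcUnavailable(f"no quorum at height {height}: {answers}")
        return winner


# Constructed endpoint behaviours for the demonstration (not real providers).
REAL_HASH = "0x" + "ab" * 32
FORGED_HASH = "0x" + "cd" * 32


def honest(height: int) -> str:
    return REAL_HASH


def poisoned(height: int) -> str:
    return FORGED_HASH


def flooded(height: int) -> str:
    raise RpcUnavailable("timeout")  # primary knocked offline by a DDoS flood


def single_source_failover() -> str:
    """Primary down, one backup that happens to be poisoned, quorum of 1:
    the client silently takes the forged answer."""
    client = QuorumRpcClient([Endpoint("primary", flooded), Endpoint("backup", poisoned)], quorum=1)
    return client.block_hash(100)


def quorum_failover() -> tuple:
    """Same outage, but two more independent providers and a quorum of 2:
    the poisoned backup is outvoted and the disagreement is logged."""
    client = QuorumRpcClient(
        [Endpoint("primary", flooded), Endpoint("backup", poisoned),
         Endpoint("provider-2", honest), Endpoint("provider-3", honest)],
        quorum=2,
    )
    return client.block_hash(100), len(client.alerts)


def quorum_without_enough_peers() -> str:
    """Primary down, only the poisoned backup left, quorum of 2: fail closed."""
    client = QuorumRpcClient([Endpoint("primary", flooded), Endpoint("backup", poisoned)], quorum=2)
    try:
        return client.block_hash(100)
    except RpcUnavailable:
        return "unavailable"


if __name__ == "__main__":
    print("naive failover returned:", single_source_failover())
    print("quorum failover returned:", quorum_failover())
    print("quorum without peers returned:", quorum_without_enough_peers())
```

The divergence log is the detection hook: a single endpoint disagreeing with its peers about a finalized block is exactly the signal an operator would want paged on, since honest providers should never disagree about finalized history. Failing closed when the quorum cannot be reached trades availability for not acting on unverified data, which is the right default for anything that moves funds.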
The incident also highlights the false economy of skipping redundancy. Kelp DAO saved operational costs by using a single DVN instead of diversifying across multiple independent verifiers. That savings evaporated instantly when the single verifier failed. For any DeFi protocol handling significant value, architectural redundancy is not a luxury—it is a fundamental security requirement.
Is Lazarus attribution confirmed?
No. LayerZero has attributed the DeFi hack to Lazarus Group based on preliminary indicators, but independent forensic confirmation has not been published. Attribution of cryptocurrency theft is complex and often relies on transaction patterns, operational tradecraft, and intelligence from blockchain analysis firms. The preliminary assessment is credible given the technical sophistication, but definitive proof would require additional investigation.
How much money was actually stolen in the DeFi hack?
Attackers stole 116,500 rsETH tokens valued at approximately $290 million to $293 million. Of this amount, Arbitrum’s Security Council froze roughly $71 million in stolen funds, leaving approximately $219 million unrecovered. The stolen assets were funneled through Tornado Cash, making recovery significantly more difficult.
Will Kelp DAO users be compensated?
Kelp DAO has not yet announced a compensation plan or recovery strategy. The protocol paused core contracts to prevent further damage, but users who lost funds through the bridge remain uncompensated. Typically, DeFi protocols either absorb losses, conduct a token airdrop to affected users, or attempt to recover stolen funds through blockchain analysis and law enforcement cooperation. Kelp DAO’s next steps remain unclear.
The Kelp DAO DeFi hack stands as a sobering reminder that decentralized finance remains a high-value target for sophisticated attackers, including state actors. Security requires not just perfect code but hardened infrastructure, redundant verification, and architectural decisions that prioritize resilience over convenience. For DeFi to mature as a financial system, protocols must treat infrastructure security with the same rigor they apply to smart-contract audits.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar