
KelpDAO hit by $290 million hack, suspected North Korean group exploits cross-chain bridge

KelpDAO, a decentralized finance protocol specializing in liquid restaking on Ethereum, suffered a major cyberattack that resulted in the theft of approximately $290 million in digital assets, with early indicators pointing to involvement by North Korea-linked hackers.



The breach occurred through KelpDAO’s cross-chain bridge infrastructure powered by LayerZero, where attackers drained roughly 116,500 rsETH tokens by manipulating transaction verification mechanisms. The incident prompted the protocol to halt rsETH contracts across Ethereum mainnet and layer-2 networks after detecting suspicious cross-chain activity on April 18.


LayerZero Labs, a blockchain interoperability provider, identified the likely perpetrators as the Lazarus Group, a state-linked cybercrime organization associated with North Korea. The group, particularly a subgroup known as TraderTraitor, has previously been connected to multiple high-profile cryptocurrency thefts.


The attack targeted KelpDAO’s use of a decentralized verifier network, a system responsible for validating cross-chain messages. Hackers compromised two remote procedure call nodes used in the verification process and launched distributed denial-of-service attacks on remaining nodes. This forced the system to rely on corrupted data inputs, allowing fraudulent transactions to be approved and assets to be transferred without authorization.


Investigators indicated that the operation was engineered to evade detection, with malicious components designed to erase logs and disable compromised infrastructure after execution. The stolen funds were subsequently routed through anonymization services to obscure their trail.


KelpDAO, which enables users to deposit Ethereum and receive a liquid token representing restaked assets, faced additional pressure as the breach triggered disruptions across the broader DeFi ecosystem. Lending platforms including Aave, Compound, and Euler were affected, with Aave freezing rsETH as collateral and restricting related borrowing and deposits.


LayerZero stated that its core protocol was not inherently compromised and attributed the breach to KelpDAO’s configuration choices, including reliance on a single-verifier setup rather than a more resilient multi-verifier architecture. The company confirmed that affected infrastructure has been replaced and urged projects to adopt redundant verification systems to reduce risk.
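The failure described above, where unreachable nodes leave only corrupted inputs to decide the outcome, can be shown in a short sketch that is an added example and not code from KelpDAO or LayerZero. The node names, hash values and both function names are constructed for illustration: a fallback policy that trusts whichever nodes still answer is set beside a fail-closed quorum counted over all configured nodes.

```python
from collections import Counter

# Constructed sample data: payload hash each RPC node reports for one
# cross-chain message; None means the node is unreachable.
GENUINE, FORGED = "0xaaa1", "0xbad0"  # placeholder values, not real hashes
HEALTHY = {f"rpc-{i}": GENUINE for i in range(1, 6)}
# Two nodes report a forged hash while the other three are knocked offline.
ATTACK = {"rpc-1": FORGED, "rpc-2": FORGED,
          "rpc-3": None, "rpc-4": None, "rpc-5": None}
# Two nodes report a forged hash while three honest nodes still answer.
PARTIAL = {"rpc-1": FORGED, "rpc-2": FORGED,
           "rpc-3": GENUINE, "rpc-4": GENUINE, "rpc-5": GENUINE}


def naive_verify(claimed, responses):
    """Weak policy: approve if every node that answered matches the claim."""
    answers = [h for h in responses.values() if h is not None]
    return bool(answers) and all(h == claimed for h in answers)


def quorum_verify(claimed, responses, quorum):
    """Fail-closed policy: the claim needs `quorum` votes out of ALL
    configured nodes, so an unreachable node never lowers the bar."""
    if quorum * 2 <= len(responses):
        raise ValueError("quorum must be a strict majority of configured nodes")
    answers = [h for h in responses.values() if h is not None]
    if len(answers) < quorum:
        # Not enough live sources to decide: stop and alert, never fall back.
        return (False, "halt: too few reachable nodes")
    if Counter(answers)[claimed] >= quorum:
        return (True, "approved")
    return (False, "reject: claimed hash lacks quorum")


if __name__ == "__main__":
    print("naive, attack :", naive_verify(FORGED, ATTACK))
    print("quorum, attack:", quorum_verify(FORGED, ATTACK, 3))
    print("quorum, healthy:", quorum_verify(GENUINE, HEALTHY, 3))
    print("quorum, partial:", quorum_verify(FORGED, PARTIAL, 3))
```

A quorum only adds resilience when the nodes behind it are operated and hosted independently, so that one intrusion cannot supply a majority of the votes.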


Market reaction to the incident was swift, with Aave’s token declining sharply and its total value locked experiencing a significant drop. Despite concerns about potential systemic risk, developers indicated that the impact was contained to rsETH-related assets, with no broader contagion across other cross-chain applications confirmed at this stage.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543