
North Korean Hackers Drain $290M From KelpDAO Bridge

Published on
April 23, 2026

A single compromised verification checkpoint drained nearly $290 million from a decentralized finance protocol over a weekend. The KelpDAO breach stands as the most damaging crypto hack attributed to a state actor so far this year, and it exposed a design flaw that security teams had flagged and the project chose to ignore.

What Happened to KelpDAO

KelpDAO is a liquid restaking protocol built on Ethereum. Users deposit ETH, which the platform restakes on their behalf and returns as a liquid token called rsETH. That token can then be used across DeFi platforms and transferred across blockchains via a cross-chain bridge powered by LayerZero.

On April 18, attackers drained 116,500 rsETH from that bridge. At prevailing prices, the stolen position was worth approximately $292 million. KelpDAO detected the suspicious activity and paused rsETH contracts on Ethereum mainnet and its Layer 2 networks shortly after the theft was confirmed.

The attacker did not stop at the initial drain. Using the stolen rsETH as collateral, they borrowed more than 82,600 ETH from Aave, worth around $195 million at the time. Aave moved to freeze rsETH markets on both V3 and V4 to prevent further borrowing and deposits. Aave's total value locked fell by $6.28 billion in under 48 hours, from approximately $26.4 billion to $20.1 billion.

How the KelpDAO Crypto Hack Was Executed

The attackers did not break the bridge. They deceived the system responsible for verifying the messages that crossed it.

LayerZero's cross-chain messaging relies on a Decentralized Verifier Network (DVN) to confirm that a message was actually emitted on the source chain before it is processed on the destination. The attackers compromised two RPC nodes that the DVN used to check outgoing transactions on Unichain. They fed those nodes falsified approval signals while keeping the data feeds other observers relied on clean, which made the exploit invisible to anyone not looking at the compromised nodes directly.

KelpDAO's bridge configuration used a single DVN. One verifier, one checkpoint, one point of failure. When that checkpoint received false data, there was nothing else in the chain to catch it. LayerZero stated it had repeatedly urged KelpDAO to adopt a multi-verifier setup. The recommendation was not followed.
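The difference between the configuration KelpDAO ran and the one LayerZero recommended comes down to how many independent attestations a message needs before the destination chain acts on it. The following Python model is an added example, not LayerZero's or KelpDAO's code; the field names mirror the required-DVN, optional-DVN and threshold shape of a LayerZero V2 ULN config as the author understands it, and the DVN names, hashes and attestations are constructed. It shows what each policy does when one DVN's RPC inputs have been poisoned.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UlnConfig:
    """Verification policy for one messaging pathway (illustrative model)."""
    confirmations: int                  # source-chain confirmations a DVN must wait for
    required_dvns: tuple[str, ...]      # every one of these must attest the same payload hash
    optional_dvns: tuple[str, ...] = ()
    optional_threshold: int = 0         # how many optional DVNs must also attest

    def validate(self) -> None:
        if not self.required_dvns and self.optional_threshold == 0:
            raise ValueError("policy accepts anything: no required DVNs and threshold 0")
        if self.optional_threshold > len(self.optional_dvns):
            raise ValueError("optional threshold exceeds number of optional DVNs")
        all_dvns = self.required_dvns + self.optional_dvns
        if len(set(all_dvns)) != len(all_dvns):
            raise ValueError("duplicate DVN entries do not add independence")


@dataclass(frozen=True)
class Attestation:
    dvn: str
    payload_hash: str     # hash of (nonce, sender, receiver, message) the DVN says it observed
    confirmations: int    # depth of the source-chain block the DVN saw it in


def verifiable(cfg: UlnConfig, payload_hash: str, attestations: list) -> bool:
    """True only if every required DVN and at least `optional_threshold` optional DVNs
    attested exactly `payload_hash` with enough confirmations."""
    cfg.validate()
    good = {a.dvn for a in attestations
            if a.payload_hash == payload_hash and a.confirmations >= cfg.confirmations}
    required_ok = all(d in good for d in cfg.required_dvns)
    optional_ok = sum(1 for d in cfg.optional_dvns if d in good) >= cfg.optional_threshold
    return required_ok and optional_ok


# Constructed scenario: hypothetical hashes and DVN names.
REAL = "0xaa11"     # hash of a message really emitted on the source chain
FORGED = "0xff00"   # hash of a withdrawal that never happened on the source chain

SINGLE_DVN = UlnConfig(confirmations=15, required_dvns=("dvn-A",))
MULTI_DVN = UlnConfig(confirmations=15, required_dvns=("dvn-A", "dvn-B"),
                      optional_dvns=("dvn-C", "dvn-D", "dvn-E"), optional_threshold=1)

# dvn-A reads from poisoned RPC nodes and attests the forged hash; the others read
# clean nodes and only ever see the real message.
POISONED_VIEW = [
    Attestation("dvn-A", FORGED, 20),
    Attestation("dvn-B", REAL, 20),
    Attestation("dvn-C", REAL, 20),
    Attestation("dvn-D", REAL, 20),
]
CLEAN_VIEW = [Attestation(d, REAL, 20) for d in ("dvn-A", "dvn-B", "dvn-C", "dvn-D")]


def outcome(cfg: UlnConfig) -> dict:
    """Which hashes a policy lets through, given clean and poisoned attestations."""
    return {
        "forged_delivered": verifiable(cfg, FORGED, POISONED_VIEW),
        "real_delivered_while_A_poisoned": verifiable(cfg, REAL, POISONED_VIEW),
        "real_delivered_normally": verifiable(cfg, REAL, CLEAN_VIEW),
    }


if __name__ == "__main__":
    print("single DVN:", outcome(SINGLE_DVN))
    print("multi DVN :", outcome(MULTI_DVN))
```

Under the single-DVN policy the forged hash is delivered, because the only checkpoint is the one whose inputs were poisoned. Under the multi-DVN policy the same poisoned DVN cannot forge anything; it can only stall, since the real message is not verifiable either while dvn-A disagrees with the rest. That is a liveness problem an operator can see and fix, not a loss of funds.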

The malware deployed to compromise the RPC nodes was built to erase itself once the operation was complete, wiping binaries and logs to obstruct forensic recovery.

Lazarus Group Attribution

LayerZero's post-incident analysis attributed the attack to North Korea's Lazarus Group, specifically its TraderTraitor subunit, describing the actors as "a highly sophisticated state actor." Blockchain security firm Cyvers noted that the sophistication, scale, and coordination of the exploit matched patterns associated with DPRK-linked operations, though it stopped short of full confirmation, citing the absence of confirmed wallet clustering tied to the group.

TraderTraitor operates under North Korea's Reconnaissance General Bureau, which also houses units including APT38, AppleJeus, and DangerousPassword. The subunit has a documented history of targeting crypto infrastructure through spear-phishing, malicious GitHub repositories, and fake recruiter outreach to gain initial access to developer environments.

The Arbitrum Security Council froze roughly 30,766 ETH, worth approximately $71 million, linked to the exploiter on Arbitrum One. Blockchain intelligence firm Arkham reported that Lazarus moved approximately $175 million to new Ethereum addresses following that freeze.

A Pattern of Escalating Crypto Theft

The KelpDAO incident is the second major DeFi attack attributed to North Korean operatives in April 2026 alone. Earlier in the month, approximately $285 million was drained from Drift Protocol, a Solana-based perpetuals platform, in an operation that involved six months of preparation, including malicious insiders attending industry conferences and a $1 million deposit made to build trust within the project.

Together, the two attacks account for approximately $575 million in losses within three weeks.

Lazarus has built a sustained record of targeting cryptocurrency infrastructure. In February 2025, the group stole approximately $1.5 billion from Bybit by compromising a software provider for Safe Wallet and redirecting a cold-to-hot wallet transfer. The FBI formally attributed that attack to North Korean state actors. Prior attributed heists include approximately $620 million from the Ronin Network bridge in 2022 and $308 million from DMM Bitcoin in 2024.

North Korean hackers stole an estimated $2.02 billion in cryptocurrency across all of 2025, a 51% increase year-over-year and a record for DPRK-linked theft. That figure represented between 60% and 76% of all global service-level crypto theft for the year, despite the group executing fewer individual attacks than in prior years.

The Security Failure Behind the Breach

The KelpDAO crypto hack was not only a state-sponsored attack. It was also the consequence of a protocol accepting a known security weakness and leaving it unaddressed.

Cross-chain bridges are among the most attacked surfaces in DeFi. The Ronin, Harmony Horizon, and now KelpDAO breaches all involved manipulation of cross-chain verification systems. Security researchers consistently point to multi-signature requirements, independent RPC node auditing, and real-time behavioral monitoring as the primary mitigations against this attack class.
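Independent RPC node auditing means, in practice, that a verifier never trusts a single endpoint's answer about what happened on the source chain. The following Python example is added here and is not part of the original article or any vendor's code; the providers, hashes and block numbers are constructed. It cross-checks the receipt for one transaction across several RPC providers, accepts it only when a quorum of them report an identical view that is also deep enough in the chain, and names the providers that disagreed, which is exactly the alert a verifier fed by two poisoned nodes could never raise.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ReceiptView:
    """What one RPC endpoint reports for a given source-chain transaction hash."""
    provider: str
    block_hash: str
    block_number: int
    status: int        # 1 = succeeded, 0 = reverted
    logs_hash: str     # hash over the receipt's event logs (constructed here)


@dataclass(frozen=True)
class CrossCheck:
    agreed: Optional[ReceiptView]   # the accepted view, or None if rejected
    agreeing: tuple                 # providers that reported the accepted view
    dissenting: tuple               # providers whose report differs; investigate these
    reason: str


def cross_check(views: list, quorum: int, min_confirmations: int, head: int) -> CrossCheck:
    """Accept a receipt only when at least `quorum` distinct providers report an identical
    (block_hash, block_number, status, logs_hash) tuple that sits at least
    `min_confirmations` blocks behind `head`. Everything else is rejected with a reason."""
    if quorum < 2:
        raise ValueError("quorum below 2 re-creates the single-source failure")
    providers = [v.provider for v in views]
    if len(set(providers)) != len(providers):
        raise ValueError("same provider counted twice")
    if len(views) < quorum:
        return CrossCheck(None, (), tuple(providers), "not enough providers answered")

    def key(v: ReceiptView):
        return (v.block_hash, v.block_number, v.status, v.logs_hash)

    tally = Counter(key(v) for v in views).most_common()
    best, votes = tally[0]
    if len(tally) > 1 and tally[1][1] == votes:
        return CrossCheck(None, (), tuple(providers), "split vote; no view dominates")
    agreeing = tuple(v.provider for v in views if key(v) == best)
    dissenting = tuple(v.provider for v in views if key(v) != best)
    if votes < quorum:
        return CrossCheck(None, agreeing, dissenting, "no quorum among providers")
    agreed = next(v for v in views if key(v) == best)
    if head - agreed.block_number < min_confirmations:
        return CrossCheck(None, agreeing, dissenting, "insufficient confirmations")
    if agreed.status != 1:
        return CrossCheck(None, agreeing, dissenting, "source transaction reverted")
    return CrossCheck(agreed, agreeing, dissenting, "ok")


# Constructed responses for one transaction hash (hypothetical providers and hashes).
HEAD = 20_000_100
HONEST_1 = ReceiptView("rpc-1", "0xb1", 20_000_000, 1, "0x11")
HONEST_2 = ReceiptView("rpc-2", "0xb1", 20_000_000, 1, "0x11")
# Same block, but the event logs were tampered with on the way out of these nodes.
POISONED_3 = ReceiptView("rpc-3", "0xb1", 20_000_000, 1, "0xff")
POISONED_4 = ReceiptView("rpc-4", "0xb1", 20_000_000, 1, "0xff")


def one_poisoned_of_three() -> CrossCheck:
    """One tampered feed among three: the honest view wins and rpc-3 is flagged."""
    return cross_check([HONEST_1, HONEST_2, POISONED_3],
                       quorum=2, min_confirmations=15, head=HEAD)


def majority_poisoned(quorum: int) -> CrossCheck:
    """Two colluding feeds among three: a 2-of-3 quorum accepts the tampered view,
    a 3-of-3 quorum rejects it. Quorum only helps if the providers are independent."""
    return cross_check([HONEST_1, POISONED_3, POISONED_4],
                       quorum=quorum, min_confirmations=15, head=HEAD)


if __name__ == "__main__":
    print(one_poisoned_of_three())
    print(majority_poisoned(quorum=2))
    print(majority_poisoned(quorum=3))
```

Quorum is a knob, not a guarantee: two colluding providers out of three still carry a 2-of-3 majority, so the real assumption behind this check is that the providers are operationally independent (different operators, hosts and networks). Raising the quorum trades liveness for safety, and the `dissenting` list is what should feed the real-time monitoring the article mentions.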

A single-verifier configuration on a bridge holding hundreds of millions in user assets was a risk that had been flagged. The architecture did not change. The attack succeeded precisely because it did not need to.
