VYPR · breach · Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

North Korea's Lazarus Group Blamed for $293M KelpDAO Crypto Heist Exploiting LayerZero DVN Weakness

North Korea's Lazarus Group is accused of stealing $293 million from liquid restaking protocol KelpDAO by exploiting a single-point-of-failure configuration in LayerZero's cross-chain messaging infrastructure.

State-backed hackers from North Korea's Lazarus Group are the prime suspects behind the largest cryptocurrency heist of 2026 so far, after liquid restaking protocol KelpDAO was drained of approximately $293 million over the weekend. The attack, which targeted the platform's cross-chain messaging infrastructure, has sparked a blame game between KelpDAO and the LayerZero protocol it relies on, while highlighting critical security weaknesses in decentralized finance (DeFi) bridge configurations.

The heist unfolded on April 18 when threat actors stole 116,500 rsETH tokens — a liquid token issued by KelpDAO in exchange for Liquid Staking Tokens (LSTs) like stETH, ETHx, or sfrxETH. The stolen funds were quickly funneled through Tornado Cash, a cryptocurrency mixer often used to obfuscate transaction trails. KelpDAO identified "suspicious cross-chain activity involving rsETH" on Saturday and immediately paused all operations.

According to LayerZero, the attackers specifically targeted its Decentralized Verifier Network (DVN) infrastructure. DVNs are independent entities responsible for verifying the integrity of cross-chain messages. The Lazarus Group gained access to the list of RPC (Remote Procedure Call) nodes used by LayerZero's DVN, compromised two of them — independent nodes running on separate clusters — and swapped out the binaries running the op-geth nodes. However, because the DVN itself ran under least-privilege principles, the attackers could not compromise the actual DVN instances directly.

Instead, the attackers executed a sophisticated RPC-spoofing attack. They first launched a DDoS attack against the non-compromised RPCs, forcing the DVN to fail over to the poisoned nodes. With the verifier now reading source-chain state from nodes under their control, they could submit a forged cross-chain message that the DVN attested as valid, enabling the unauthorized transfer of rsETH. LayerZero emphasized that the attack was only possible because KelpDAO operated a single-DVN configuration, contrary to LayerZero's best-practice advice to require consensus from multiple independent DVNs.

"Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message. LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO," LayerZero stated. "Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration. A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised."
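The configuration argument LayerZero makes above can be modelled in a few dozen lines. The following is an added example, not code from LayerZero, KelpDAO or the article: it assumes a simplified verifier in which a DVN confirms a message by asking source-chain RPC nodes whether the message was emitted, with ordered failover between RPCs, and a destination endpoint that delivers only when a required number of DVNs attest. All node, DVN and message names are constructed. It also goes one step beyond the text by showing a second mitigation the article does not discuss: an RPC quorum inside a single DVN, so that one poisoned node cannot decide on its own.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A cross-chain message as the destination endpoint sees it (constructed)."""
    src_chain: str
    nonce: int
    payload: str

    def digest(self) -> str:
        return hashlib.sha256(f"{self.src_chain}|{self.nonce}|{self.payload}".encode()).hexdigest()


class RpcNode:
    """Simulated source-chain RPC node (hypothetical model, not op-geth).

    `log` is the set of message digests this node claims were emitted on the
    source chain. An honest node serves the real log; a poisoned node serves a
    log with an attacker-inserted entry. `up=False` models a node knocked
    offline, which forces clients onto their next RPC.
    """

    def __init__(self, name: str, log: set[str], up: bool = True):
        self.name, self.log, self.up = name, set(log), up

    def has_message(self, msg: Message) -> bool:
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        return msg.digest() in self.log


class Dvn:
    """Verifier that confirms a message exists on the source chain by asking RPCs.

    With rpc_quorum=1 it behaves like plain failover: the first reachable RPC's
    answer is final. With rpc_quorum>1 it needs that many reachable RPCs to
    independently confirm the message, and any reachable RPC denying it is a veto.
    """

    def __init__(self, name: str, rpcs: list[RpcNode], rpc_quorum: int = 1):
        self.name, self.rpcs, self.rpc_quorum = name, rpcs, rpc_quorum

    def verify(self, msg: Message) -> bool:
        confirmations = 0
        for rpc in self.rpcs:
            try:
                seen = rpc.has_message(msg)
            except ConnectionError:
                continue  # failover: try the next RPC in the list
            if not seen:
                return False  # a reachable RPC says the message never happened
            confirmations += 1
            if confirmations >= self.rpc_quorum:
                return True
        return False  # not enough reachable, agreeing RPCs: fail closed


def endpoint_accepts(msg: Message, dvns: list[Dvn], required: int) -> tuple[bool, list[str]]:
    """Destination endpoint: deliver only if at least `required` DVNs attest."""
    attesting = [d.name for d in dvns if d.verify(msg)]
    return len(attesting) >= required, attesting


# ---- constructed scenario (not real chain data) ----
GENUINE = Message("src", 1, "unlock 10 rsETH to alice")
FORGED = Message("src", 2, "unlock 116500 rsETH to attacker")

TRUTH = {GENUINE.digest()}           # what the source chain really emitted
POISON = TRUTH | {FORGED.digest()}   # what a swapped-out node binary claims

honest_primary = RpcNode("honest-primary", TRUTH, up=False)  # knocked offline
poisoned_backup = RpcNode("poisoned-backup", POISON)          # failover target
honest_b = RpcNode("honest-b", TRUTH)
honest_c = RpcNode("honest-c", TRUTH)

# dvn-a is the verifier whose RPC failover path has been poisoned.
dvn_a = Dvn("dvn-a", [honest_primary, poisoned_backup])
dvn_b = Dvn("dvn-b", [honest_b])
dvn_c = Dvn("dvn-c", [honest_c])


def single_dvn_config(msg: Message) -> bool:
    """1/1 configuration: dvn-a alone decides."""
    return endpoint_accepts(msg, [dvn_a], required=1)[0]


def multi_dvn_config(msg: Message) -> bool:
    """2-of-3 configuration: independent verifiers must agree."""
    return endpoint_accepts(msg, [dvn_a, dvn_b, dvn_c], required=2)[0]


def rpc_quorum_dvn(msg: Message) -> bool:
    """Single DVN, but it cross-checks two reachable RPCs before attesting."""
    hardened_a = Dvn("dvn-a-quorum", [honest_primary, poisoned_backup, honest_c], rpc_quorum=2)
    return endpoint_accepts(msg, [hardened_a], required=1)[0]


if __name__ == "__main__":
    for label, fn in [("1/1 DVN", single_dvn_config), ("2-of-3 DVN", multi_dvn_config), ("RPC quorum", rpc_quorum_dvn)]:
        print(f"{label:>11}: genuine={fn(GENUINE)}  forged={fn(FORGED)}")
```

Run as a script, the 1/1 configuration delivers both the genuine and the forged message, because the only verifier's failover path lands on the poisoned node and its answer is final. The 2-of-3 configuration delivers the genuine message and rejects the forged one, since dvn-b and dvn-c read from honest nodes and refuse to attest. The RPC-quorum variant shows that even a lone DVN rejects the forgery when it insists on agreement from more than one reachable RPC instead of trusting the first one that answers.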

Fortunately, approximately $71 million of the stolen funds — around 30,766 ETH — was frozen by Arbitrum's Security Council, which stepped in to mitigate the damage. The recovery represents about a quarter of the total stolen amount, offering some relief to affected users.

Security experts noted that the attack demonstrates Lazarus Group's increasingly sophisticated operational capabilities. "These environments are not being tested by smash and grab actors, they are being pressured by disciplined adversaries who understand how to chain together weak points across infrastructure, applications, and trust relationships," said Pete Luban, CISO at AttackIQ. "Groups like Lazarus are not just walking away richer, they are walking away better, with more resources to scale tooling, refine techniques, and reinvest in future campaigns."

Nick Tausek, lead security automation architect at Swimlane, added that the attack followed a familiar North Korean pattern of "patient intrusion, manipulation of trust, and detection suppression." He warned that by compromising infrastructure tied to LayerZero's verifier role, the attackers stepped into a trusted position in the transaction flow and abused that trust to push forged messages downstream. "That's what makes third-party breaches so dangerous in crypto: the blast radius rarely stops with the initial victim," Tausek said.

The KelpDAO heist underscores the critical importance of robust cross-chain security configurations in DeFi, where a single misconfiguration can lead to catastrophic losses. As the industry continues to grapple with the aftermath, the incident serves as a stark reminder that even the most sophisticated protocols are only as secure as their weakest link.

Synthesized by Vypr AI