North Korean TraderTraitor Group Suspected in $290M KelpDAO DeFi Hack via Compromised LayerZero RPC Nodes
North Korean threat actor TraderTraitor is suspected in the $290M KelpDAO DeFi hack, which exploited compromised LayerZero RPC nodes rather than a smart contract flaw.

North Korean threat actor TraderTraitor is suspected to be behind the $290 million theft from decentralized finance (DeFi) project KelpDAO, according to an analysis by blockchain security firm Chainalysis and a disclosure from inter-blockchain communication protocol LayerZero. The attack did not exploit a smart contract vulnerability but instead targeted off-chain infrastructure by compromising LayerZero's RPC nodes.
LayerZero revealed that the attackers specifically engineered the heist to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs that the LayerZero Labs DVN relied upon to verify transactions. KelpDAO confirmed in a post on X that two RPC nodes hosted by LayerZero were compromised, while a simultaneous DDoS attack was launched against a third RPC node. The project emphasized that its own systems were not involved in building or operating that infrastructure.
Chainalysis explained that the attackers compromised internal RPC nodes and DDoS'd external nodes to feed false data to a single-point-of-failure verification network (a 1-of-1 DVN setup). This tricked the Ethereum contract into releasing funds based on a phantom token 'burn' on the source chain. The Arbitrum Security Council has temporarily frozen the 30,766 ETH held in the address on Arbitrum One connected to the exploit.
The mega Bybit hack in early 2025, which led to the theft of $1.5 billion in digital assets, was previously attributed to TraderTraitor. The Lazarus Group, which shares infrastructure and tactics with TraderTraitor, was also recently linked to the $285 million theft from the Drift Protocol. This pattern of large-scale, infrastructure-focused attacks highlights the evolving sophistication of state-backed crypto heists.
The KelpDAO incident underscores a critical vulnerability in DeFi: the reliance on off-chain infrastructure like RPC nodes and verification networks. As DeFi projects increasingly depend on cross-chain communication protocols, securing these intermediary layers becomes paramount. The attack demonstrates that even robust smart contract security can be undermined by compromising the infrastructure that validates transactions.
In response, the industry is likely to accelerate adoption of decentralized verification networks with multiple independent validators, rather than single-point-of-failure setups. LayerZero has indicated it is reviewing its security architecture to prevent similar compromises. The incident serves as a stark reminder that in the blockchain ecosystem, the chain is only as strong as its weakest off-chain link.
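The quorum failure described above, where poisoned nodes agree with each other while the remaining node is knocked offline, is shown here next to a fail-closed check that counts independent operators rather than endpoints. This is an added example, not code from LayerZero, KelpDAO or Chainalysis; the endpoint names, operator labels and observation format are assumptions constructed for illustration.

```python
# Constructed example: endpoint names, operators and the observation format are
# hypothetical and do not reflect LayerZero's or KelpDAO's actual code.

def naive_verify(observations):
    """Weak pattern: accept if every endpoint that answered reports the burn.
    Unreachable endpoints are silently dropped, so a DDoS shrinks the quorum."""
    answers = [o["burn_seen"] for o in observations if o["burn_seen"] is not None]
    return bool(answers) and all(answers)

def hardened_verify(observations, min_operators=2):
    """Fail-closed pattern: count independent operators, not endpoints.
    Returns (accepted, reason)."""
    votes = {}  # operator -> set of distinct answers from that operator's nodes
    for o in observations:
        if o["burn_seen"] is not None:
            votes.setdefault(o["operator"], set()).add(o["burn_seen"])
    # Any disagreement, within or across operators, blocks the message.
    distinct = set().union(*votes.values())
    if len(distinct) > 1:
        return False, "conflicting answers"
    # Silence from an operator is not consent: too few voters means reject.
    if len(votes) < min_operators:
        return False, f"only {len(votes)} independent operator(s) answered"
    if distinct != {True}:
        return False, "burn not observed"
    return True, "ok"

# Constructed scenario mirroring the article: two nodes under one operator
# report a burn that never happened; the third node is unreachable (None).
INCIDENT = [
    {"endpoint": "rpc-internal-1", "operator": "op-a", "burn_seen": True},
    {"endpoint": "rpc-internal-2", "operator": "op-a", "burn_seen": True},
    {"endpoint": "rpc-external-1", "operator": "op-b", "burn_seen": None},
]
# Same poisoning, but the honest external node is reachable and disagrees.
CONFLICT = [dict(o) for o in INCIDENT]
CONFLICT[2]["burn_seen"] = False
# A genuine burn observed by both operators.
GENUINE = [dict(o, burn_seen=True) for o in INCIDENT]

if __name__ == "__main__":
    for name, obs in [("incident", INCIDENT), ("conflict", CONFLICT), ("genuine", GENUINE)]:
        print(name, naive_verify(obs), hardened_verify(obs))
```

The naive check accepts the incident scenario because the unreachable node simply drops out of the vote; the hardened check rejects it because only one operator answered.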