KelpDAO Loses $293 Million in Cross-Chain Exploit — North Korean Hackers Behind the Attack, LayerZero Confirms

By CoinstelegramEng
about 2 hours ago

DeFi is having one of its worst months on record. KelpDAO, a liquid restaking protocol on Ethereum, was exploited for approximately $293 million on April 18th — with attackers draining 116,500 ETH from the protocol’s rsETH adapter before bridging funds across chains. The attack has since triggered a cascade of consequences across the broader DeFi ecosystem, with Aave seeing over $8.6 billion in outflows and its token dropping more than 15% in the aftermath.

Cyvers Alerts flagged the breach in real time, tracking approximately $293.7 million drained from KelpDAO’s rsETH adapter. By the time the alert went out, roughly $250 million had already been swapped into ETH and distributed across two chains — approximately $178 million on Ethereum and $72 million on Arbitrum, according to Cyvers. On-chain analysis linked the attacker’s address to Tornado Cash funding, with funds flowing through complex intermediate wallets designed to obscure the trail.

KelpDAO confirmed the incident on X, announcing it had paused rsETH contracts across mainnet and several L2s while investigating.

“We are working with LayerZero, Unichain, our auditors and top security experts on RCA,” the team wrote. “We will keep you posted as we learn more about this situation.”

How the Attack Actually Worked

LayerZero subsequently published its own analysis of the exploit — and the technical detail is as disturbing as the dollar amount.

According to LayerZero, the attackers gained access to the list of RPC servers used by the decentralized verifier network (DVN) operated by LayerZero Labs. They then poisoned two of those servers, forcing them to deliver a fraudulent cross-chain message to the DVN. To ensure the DVN relied on the compromised servers rather than the clean ones, the attackers simultaneously launched a DDoS attack against the clean infrastructure — effectively knocking out the legitimate servers while the poisoned ones delivered the fake message.

KelpDAO was running a single-path configuration with no redundancy. That meant the fraudulent request went through without challenge — and the bridge unlocked tokens it should never have released. The exploit required a combination of social engineering, infrastructure access, and precise technical execution that bears the hallmarks of a sophisticated state-sponsored operation.
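The failure mode described above, shown from the defender's side as an added example (not LayerZero's or KelpDAO's code): a verifier that fails over to whichever RPC endpoint still answers accepts the forged message, while one that requires a majority of its configured endpoints refuses to attest. The endpoint functions, hash strings, function names and the count of three clean endpoints are constructed assumptions.

```python
from collections import Counter

# Constructed sample values: stand-ins for the hash of a cross-chain message.
GENUINE = "hash-of-genuine-message"
FORGED = "hash-of-forged-message"

class QuorumError(Exception):
    """The verifier refuses to attest (fails closed)."""

# Constructed endpoint behaviours (hypothetical, no network access).
def healthy(query): return GENUINE
def poisoned(query): return FORGED
def unreachable(query): raise TimeoutError("endpoint down")

def first_responder(endpoints, query):
    """Weak pattern: trust whichever endpoint answers first."""
    for fetch in endpoints:
        try:
            return fetch(query)
        except TimeoutError:
            continue  # failover silently shrinks the trust set
    raise QuorumError("no endpoint reachable")

def quorum_read(endpoints, query):
    """Attest only when a majority of the CONFIGURED endpoints agree.

    The threshold is fixed from the configured set, so knocking honest
    endpoints offline lowers the vote count instead of the bar.
    """
    needed = len(endpoints) // 2 + 1
    answers = []
    for fetch in endpoints:
        try:
            answers.append(fetch(query))
        except TimeoutError:
            pass  # an outage is a missing vote, never an implicit "yes"
    votes = Counter(answers).most_common(1)
    if not votes or votes[0][1] < needed:
        raise QuorumError(f"need {needed} matching answers, got {votes}")
    return votes[0][0]

def refuses(endpoints, query):
    """True when quorum_read fails closed for this endpoint set."""
    try:
        quorum_read(endpoints, query)
    except QuorumError:
        return True
    return False

# Scenario from the article: two poisoned endpoints, the clean ones DDoSed.
UNDER_ATTACK = [unreachable, unreachable, unreachable, poisoned, poisoned]
```

A majority of poisoned endpoints would still satisfy this check, so it complements rather than replaces a second, independently operated verification path.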

LayerZero confirmed what many in the industry suspected: the attack was carried out by North Korean hackers — specifically the TraderTraitor group, the same threat actors linked to the Ronin hack ($625 million), the Bybit exploit ($1.5 billion in 2025), and the Drift Protocol attack ($280 million) earlier this month. April 2026 is shaping up to be the most expensive month for DeFi security in the industry’s history.

The Aave Contagion

The KelpDAO exploit didn’t stay contained to KelpDAO. The most significant downstream consequence hit Aave — the largest DeFi lending protocol in the world — almost immediately.

rsETH had been widely used as collateral on Aave V3 and V4. Once the exploit became clear, Aave moved to freeze rsETH markets across both versions of the protocol — preventing new deposits and blocking new borrowing against rsETH collateral while the situation was assessed. Aave was explicit that its own contracts had not been exploited.

“This is an exploit related to rsETH,” the protocol stated on X.

The market didn’t wait for clarity. Over two days, Aave’s total value locked collapsed from $26.3 billion to $17.7 billion — a drop of $8.6 billion — according to DefiLlama data. The AAVE token fell more than 15%, dropping from approximately $106 to $90. Market capitalization declined from $1.8 billion to $1.3 billion.

According to Lookonchain, the operation left the ecosystem with approximately $195 million in irrecoverable bad debt — funds that cannot be returned regardless of how the situation resolves. Experts have noted that Aave and connected protocols are now sitting on hundreds of millions in questionable collateral positions — a structural problem that will take time to unwind even after the immediate crisis passes.

Aave subsequently updated its position, confirming that rsETH on Ethereum mainnet is fully backed. However, rsETH remains frozen across Aave V3 and V4 as a precaution, with WETH reserves also frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea.

“Aave is actively validating information and assessing potential resolutions. If the protocol accumulates bad debt from this incident, we’ll explore paths to offset the deficit.”

What KelpDAO Is and Why It Mattered

KelpDAO is a liquid restaking protocol built on Ethereum designed to maximize yields for stakers. It allows users to deposit liquid staking tokens — such as stETH — and receive rsETH in return, a token that earns rewards simultaneously from Ethereum staking and EigenLayer restaking services. The combination of staking yields and restaking rewards made rsETH an attractive asset for DeFi power users, and its wide adoption as collateral across lending protocols created exactly the kind of systemic exposure that made this exploit so damaging beyond KelpDAO itself.

When rsETH’s integrity was compromised, every protocol that had accepted it as collateral was suddenly holding an asset of uncertain value. The ripple effect was immediate and severe.

The Bigger Picture: DeFi’s Security Crisis

April 2026 has now produced two of the largest DeFi exploits in recent history within weeks of each other. Drift Protocol lost $280 million on April 1st. KelpDAO has now lost $293 million on April 18th. Both attacks have been linked to North Korean state-sponsored hacking groups with overlapping infrastructure and methodology.

The pattern is consistent: sophisticated identity construction, infrastructure access rather than smart contract vulnerabilities, and rapid cross-chain dispersal of funds before any intervention is possible. The $195 million in irrecoverable bad debt from the KelpDAO exploit will sit on DeFi’s balance sheet regardless of what happens next — a permanent reminder that the industry’s security assumptions are being stress-tested at a scale and frequency it has never faced before.

ZachXBT, whose on-chain investigation confirmed the North Korean attribution, has noted that the industry needs to fundamentally rethink how it approaches security architecture — not just at the protocol level, but across the entire stack of bridges, oracles, RPC infrastructure, and DVN configurations that modern DeFi depends on.

The investigation is ongoing. KelpDAO has not yet disclosed a recovery plan.
