Lazarus Group Tied To $292M Kelp DAO Hack As LayerZero Points To Config Flaw

By Yellow News

Cross-chain messaging firm LayerZero (ZRO) has attributed the $292 million Kelp DAO exploit to North Korea's Lazarus Group, pointing to a single-verifier setup.

Kelp DAO Exploit Details

The company released a post-mortem on Apr. 20 tied to the Apr. 18 drain of 116,500 rsETH (RSETH) from Kelp's bridge, per a statement carried by Binance News.

LayerZero said attackers, tied to Lazarus subgroup TraderTraitor, poisoned downstream RPC infrastructure. They seized control of some nodes, then used DDoS traffic to redirect the system to malicious endpoints and forge cross-chain transactions.

The firm stressed that the breach was limited to Kelp's rsETH application, which ran a single decentralized verifier network, or DVN, instead of the recommended multi-DVN setup. Affected RPC nodes have been swapped out, and the DVN is back online.


Lazarus Attack Fallout

Onchain sleuth ZachXBT first flagged the breach, noting attacker wallets were pre-funded through Tornado Cash. Cyvers CEO Deddy Lavid said the hit shows the risks of DeFi composability.

LayerZero is now accelerating the migration of single-DVN apps to multi-DVN setups and has paused signing for 1-of-1 configurations.
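To illustrate why a 1-of-1 verifier setup is the weak point described above, the following added example (not LayerZero's or Kelp's code) models verifier quorum in simplified form. The app names, verifier names, config fields and payloads are all hypothetical and constructed for the illustration.

```python
import hashlib
from collections import Counter
from typing import Optional

# Hypothetical, simplified model: each app lists its verifiers (DVNs) and how
# many must agree. Names and fields are assumptions, not LayerZero's schema.
APPS = {  # constructed sample configurations
    "app-single": {"dvns": ["dvn-a"], "threshold": 1},
    "app-multi": {"dvns": ["dvn-a", "dvn-b", "dvn-c"], "threshold": 2},
}
GENUINE = b"constructed: release 1 token to account-1"
FORGED = b"constructed: release 1000 tokens to account-2"


def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def audit(apps: dict) -> list:
    """Return apps where one compromised verifier is enough to pass a message."""
    risky = []
    for name, cfg in sorted(apps.items()):
        if cfg["threshold"] <= 1 or len(set(cfg["dvns"])) <= 1:
            risky.append(name)
    return risky


def accept(cfg: dict, attestations: dict) -> Optional[str]:
    """Return the payload hash that reached quorum, or None.

    attestations maps verifier name -> hash that verifier reports having seen.
    Reports from verifiers the app did not configure are ignored.
    """
    allowed = set(cfg["dvns"])
    votes = Counter(h for dvn, h in attestations.items() if dvn in allowed)
    if not votes:
        return None
    digest, count = votes.most_common(1)[0]
    return digest if count >= cfg["threshold"] else None


if __name__ == "__main__":
    forged = payload_hash(FORGED)
    # Only dvn-a was fed bad data by its RPC endpoints; the others saw nothing.
    poisoned = {"dvn-a": forged}
    print("risky configs:", audit(APPS))
    print("single accepts forged:", accept(APPS["app-single"], poisoned) == forged)
    print("multi accepts forged:", accept(APPS["app-multi"], poisoned) == forged)
```

The quorum only helps if the verifiers read from independent infrastructure; several verifiers sharing the same RPC endpoints fail together.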

The incident is 2026's largest DeFi hack so far. It follows the Apr. 1 drain of roughly $285 million from Solana-based Drift Protocol, also tied to North Korea-linked actors, part of a two-week stretch that has seen more than $600 million leave DeFi across over ten protocols.
