KelpDAO Hit by Massive $290 Million Crypto Theft
A sophisticated cyberattack struck the KelpDAO decentralized finance (DeFi) project on Saturday, April 18, 2026, resulting in the theft of approximately $290 million worth of cryptocurrency. Preliminary attribution from blockchain security researchers points to the Lazarus Group, a hacking collective widely believed to be operating under the direction of the North Korean government.
KelpDAO is a DeFi project built on the Ethereum network, centered around the concept of liquid restaking. The platform accepts deposits of ETH from users, restakes those holdings, and returns a liquid token called rsETH that represents each user's restaked position. This token is designed to allow users to continue earning restaking yield while remaining usable across various DeFi applications, including cross-chain transfers facilitated by LayerZero, an inter-blockchain communication protocol and interoperability layer.
How the Attack Unfolded
On April 18, KelpDAO publicly announced that it had detected suspicious cross-chain activity involving rsETH, prompting the project to immediately pause rsETH contracts across the Ethereum mainnet and its Layer 2 networks. An investigation was subsequently launched in collaboration with LayerZero, Unichain, and other partners.
Blockchain data revealed that approximately 116,500 rsETH tokens — valued at roughly $293 million USD — were stolen during the incident. The stolen funds were subsequently routed through Tornado Cash, a cryptocurrency mixing service, in an attempt to obscure the transaction trail and hinder recovery efforts.
Exploiting the Cross-Chain Verification Layer
LayerZero released additional technical details today explaining the precise mechanics of the attack. The threat actors targeted the Decentralized Verifier Network (DVN), the verification layer responsible for validating cross-chain messages for rsETH. The attack was carried out through a multi-step approach:
- Attackers compromised several RPC (Remote Procedure Call) nodes used by the verifier network.
- Falsified blockchain data was fed through the compromised nodes, deceiving the verification layer.
- Simultaneously, the attackers launched distributed denial-of-service (DDoS) attacks against the healthy RPC nodes, forcing the system to rely exclusively on the corrupted, "poisoned" ones.
- This manipulation allowed a fraudulent cross-chain message to be accepted as legitimate by the verification system.
As a result, the protocol confirmed transactions that had never actually occurred on-chain, ultimately enabling the unauthorized transfer of rsETH holdings at massive scale.
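As an added illustration that is not code from the article, KelpDAO or LayerZero, the Python model below contrasts a verifier that trusts whichever RPC nodes still answer (so knocking healthy nodes offline leaves only poisoned ones voting) with one that requires a fixed quorum of the configured node set and fails closed when that quorum is unreachable. The node names, block hashes and quorum size are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpcReport:
    """What one RPC node reported for the source-chain block under verification.
    block_hash is None when the node did not answer (e.g. taken offline by DDoS)."""
    node: str
    block_hash: Optional[str]


def verify_fail_open(reports: list[RpcReport]) -> tuple[bool, Optional[str]]:
    """Weak design: consult whichever nodes still answer and accept if they agree.
    Unreachable nodes are silently dropped, so the effective quorum shrinks to
    whatever subset an attacker leaves reachable."""
    answers = {r.block_hash for r in reports if r.block_hash is not None}
    if len(answers) == 1:
        return True, answers.pop()
    return False, None


def verify_fail_closed(reports: list[RpcReport], quorum: int) -> tuple[bool, Optional[str]]:
    """Hardened design: a block hash is accepted only if at least `quorum` distinct
    configured nodes reported it. Silence counts as a missing vote, never as agreement,
    so losing healthy nodes makes verification stall instead of succeeding."""
    if quorum > len(reports):
        raise ValueError("quorum exceeds the number of configured nodes")
    tally = Counter(r.block_hash for r in reports if r.block_hash is not None)
    if not tally:
        return False, None
    best_hash, votes = tally.most_common(1)[0]
    return (votes >= quorum), (best_hash if votes >= quorum else None)


# Constructed scenario mirroring the description above: five configured nodes,
# two poisoned ones agreeing on a fabricated hash, three healthy ones forced offline.
REAL = "0xaaaa"  # placeholder hash of the genuine source-chain block
FAKE = "0xbbbb"  # placeholder hash the poisoned nodes fabricate
ATTACK = [RpcReport("rpc-1", FAKE), RpcReport("rpc-2", FAKE),
          RpcReport("rpc-3", None), RpcReport("rpc-4", None), RpcReport("rpc-5", None)]
NORMAL = [RpcReport(f"rpc-{i}", REAL) for i in range(1, 6)]

if __name__ == "__main__":
    print("fail-open under attack:  ", verify_fail_open(ATTACK))        # accepts FAKE
    print("fail-closed under attack:", verify_fail_closed(ATTACK, 3))   # rejects
```

The quorum must be sized against the configured node set (here a majority of five), not against the nodes that happen to respond, or the second verifier degrades into the first.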
Lazarus Group and TraderTraitor Attribution
LayerZero issued a statement directly attributing the attack to a highly capable nation-state threat actor.
"Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK's Lazarus Group, more specifically TraderTraitor," the protocol stated. LayerZero also clarified that the incident was contained to rsETH specifically and that there was no broader contagion affecting other applications or digital assets on the platform.
Ripple Effects on Lending Protocols
The breach did not remain isolated to KelpDAO alone. The lending protocols Compound, Euler, and Aave were also reportedly affected by the incident. Aave responded by announcing a freeze and blocking new deposits or borrowing activities where rsETH was being used as collateral, a precautionary measure intended to prevent further exposure or cascading losses across its platform.
Part of a Broader North Korean Crypto Campaign
The KelpDAO theft represents one of the largest individual crypto heists recorded so far in 2026. However, it is not an isolated incident when viewed in the context of Lazarus Group's broader activities. The group has also been linked to the theft of $280 million from the Drift Protocol, a separate attack that a post-mortem report described as the product of a six-month-long, meticulously planned operation.
That operation reportedly involved malicious agents physically attending industry conferences and making $1 million deposits into the Drift project to establish credibility before executing the heist — a level of operational sophistication that underscores the patience and resources available to state-sponsored hacking groups like Lazarus.
Growing Threat to DeFi Infrastructure
The KelpDAO breach highlights a critical and growing vulnerability in the DeFi ecosystem: the security of cross-chain communication infrastructure. As DeFi projects increasingly rely on interoperability layers to move assets between blockchains, the verification mechanisms underpinning these transfers become high-value targets for sophisticated adversaries.
The combination of RPC node compromise and simultaneous DDoS attacks used in this incident reflects a level of planning and technical capability consistent with nation-state actors. Security researchers and DeFi developers are likely to scrutinize DVN architectures and multi-node verification schemes more closely in the aftermath of this attack.
KelpDAO's investigation remains ongoing, and additional technical disclosures are expected as the project, LayerZero, and their partners continue to analyze the full scope of the breach.
Source: BleepingComputer