Mallory

Lazarus stole $290M from KelpDAO by exploiting LayerZero 1-of-1 DVN security

Tags: cryptocurrency-platform-risk, state-sponsored-espionage, cloud-misconfiguration, data-exfiltration-method, build-pipeline-compromise
Updated April 23, 2026 at 08:02 PM · 6 sources

North Korea's Lazarus Group allegedly stole $290 million in rsETH from KelpDAO by abusing a weak LayerZero bridge configuration that relied on a single Decentralized Verifier Network (DVN), a 1-of-1 setup. According to post-incident reporting, the attackers compromised two LayerZero RPC nodes, poisoned the source-chain data served to the sole verifier, and used DDoS activity against the legitimate RPC endpoints so that the verifier would accept the poisoned data. Because that one verifier was the entire verification quorum, its attestation alone was enough to trigger the release of unbacked rsETH; the malware reportedly self-destructed afterward to hinder forensic analysis. LayerZero Labs said the single-verifier setup was a clear single point of failure, and that because the configuration belonged to KelpDAO's bridge alone, the blast radius was contained there rather than spreading to the wider LayerZero ecosystem.

Follow-on analysis from Dune Analytics found that KelpDAO's design was not an outlier: of roughly 2,665 active LayerZero OApp contracts observed over 90 days, about 47% used a 1-of-1 DVN configuration, 45% used 2-of-2, and only around 5% used 3-of-3 or higher. Researchers and ecosystem observers said the incident highlights structural risk across LayerZero's omnichain infrastructure: any OApp whose security configuration depends on a single verifier is exposed to the same class of bridge compromise, putting protocol assets and user funds at risk. The open data and community analysis were released so that DVN security standards could be scrutinized, while key questions remain about how the attackers obtained the RPC node list and achieved root-level access, including whether the intrusion stemmed from a prior compromise, a breached deployment pipeline, or insider access.
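The quorum arithmetic behind those "N-of-M" labels is what decides how many verifiers an attacker must poison. The following is an added example written for this page, not LayerZero's own code: it models a security config with the same shape as a LayerZero V2 ULN config (required DVNs, optional DVNs, and an optional-DVN threshold; the field semantics are assumed here), labels it the way the Dune breakdown does, computes how many DVNs must be compromised to forge a message versus how many must go silent to stall one, and then replays the KelpDAO scenario where one DVN attests to a payload that poisoned RPC nodes showed it. DVN names and payloads are constructed sample data.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class UlnConfig:
    """Assumed shape of a LayerZero V2 ULN security config: every required DVN
    plus `optional_threshold` of the optional DVNs must agree on a message."""
    confirmations: int
    required_dvns: tuple[str, ...]
    optional_dvns: tuple[str, ...] = ()
    optional_threshold: int = 0


@dataclass(frozen=True)
class Attestation:
    payload_hash: bytes   # hash of the message the DVN says the source chain emitted
    confirmations: int    # source-chain confirmations the DVN waited for


def describe(cfg: UlnConfig) -> str:
    """'N-of-M' label in the style of the Dune breakdown (N = DVNs that must agree)."""
    needed = len(cfg.required_dvns) + cfg.optional_threshold
    total = len(cfg.required_dvns) + len(cfg.optional_dvns)
    return f"{needed}-of-{total}"


def dvns_to_forge(cfg: UlnConfig) -> int:
    """Verifiers an attacker must control to get a fabricated message through."""
    return len(cfg.required_dvns) + cfg.optional_threshold


def dvns_to_halt(cfg: UlnConfig) -> int:
    """Verifiers an attacker must silence to block honest messages (the liveness cost
    of a stricter quorum)."""
    candidates = []
    if cfg.required_dvns:
        candidates.append(1)  # any one required DVN going quiet stalls the message
    if cfg.optional_threshold:
        candidates.append(len(cfg.optional_dvns) - cfg.optional_threshold + 1)
    return min(candidates) if candidates else 0


def is_verifiable(cfg: UlnConfig, payload_hash: bytes,
                  attestations: dict[str, Attestation]) -> bool:
    """True iff the quorum defined by `cfg` has attested to `payload_hash`."""
    def agrees(dvn: str) -> bool:
        a = attestations.get(dvn)
        return (a is not None and a.payload_hash == payload_hash
                and a.confirmations >= cfg.confirmations)

    if not all(agrees(d) for d in cfg.required_dvns):
        return False
    return sum(agrees(d) for d in cfg.optional_dvns) >= cfg.optional_threshold


# Constructed sample messages: what the source chain really emitted versus what
# poisoned RPC nodes showed the compromised verifier.
REAL_HASH = sha256(b"constructed: bridge 1 rsETH to 0xhonest").digest()
FORGED_HASH = sha256(b"constructed: bridge 100000 rsETH to 0xattacker").digest()


def simulate(cfg: UlnConfig, compromised: set[str]) -> dict[str, bool]:
    """Honest DVNs attest the real payload; DVNs fed poisoned RPC data attest the
    forged one. Returns whether each payload clears the quorum."""
    attestations = {
        d: Attestation(FORGED_HASH if d in compromised else REAL_HASH, cfg.confirmations)
        for d in cfg.required_dvns + cfg.optional_dvns
    }
    return {
        "forged_verifiable": is_verifiable(cfg, FORGED_HASH, attestations),
        "real_verifiable": is_verifiable(cfg, REAL_HASH, attestations),
    }


if __name__ == "__main__":
    configs = {
        "1 required (KelpDAO-style)": UlnConfig(15, ("dvn-a",)),
        "2 required": UlnConfig(15, ("dvn-a", "dvn-b")),
        "1 required + 1 of 2 optional": UlnConfig(15, ("dvn-a",), ("dvn-b", "dvn-c"), 1),
    }
    for name, cfg in configs.items():
        print(f"{name:30} {describe(cfg):>6}  forge needs {dvns_to_forge(cfg)}, "
              f"halt needs {dvns_to_halt(cfg)}, dvn-a poisoned -> {simulate(cfg, {'dvn-a'})}")
```

With a single required DVN, poisoning that one verifier is enough for the forged payload to verify; with two required DVNs the same compromise forges nothing but also stalls honest traffic, which is the availability trade-off that a purely optional quorum (for example 2-of-3 optional DVNs) softens by tolerating one bad verifier.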

Timeline

  1. Apr 23, 2026

    Aave and Arbitrum take mitigation steps after KelpDAO exploit

    Following the KelpDAO exploit, Aave partially unfroze WETH on Ethereum Core V3, while Arbitrum's Security Council froze about $71 million in allegedly stolen ETH. The measures were described as responses to the attacker's use of unbacked rsETH as collateral to borrow WETH and the resulting bad-debt risk.

  2. Apr 20, 2026

    Dune Analytics publishes LayerZero OApp DVN security analysis

    On 2026-04-20, Dune Analytics released an open analysis of roughly 2,665 active LayerZero OApp contracts observed over the prior 90 days. The research found about 47% used a 1-of-1 DVN configuration, 45% used 2-of-2, and around 5% used 3-of-3 or higher, and it published open-source methodology and queryable data for community review.

  3. Apr 20, 2026

    LayerZero says KelpDAO used a 1-of-1 DVN configuration

    In post-incident analysis published on 2026-04-20, LayerZero Labs said KelpDAO had deployed a 1-of-1 Decentralized Verifier Network setup, creating a single point of failure. The company said this limited the blast radius to KelpDAO's bridge rather than the broader LayerZero ecosystem.

  4. Apr 18, 2026

    KelpDAO blocks second theft attempt after pausing contracts

    After the April 18 exploit, KelpDAO paused affected contracts, blacklisted attacker addresses, and engaged SEAL-911 as part of its incident response. Chainalysis said these actions prevented a second attempted theft of about 40,000 rsETH, worth roughly $95 million.

  5. Apr 18, 2026

    Lazarus steals $290M from KelpDAO via LayerZero bridge exploit

    On 2026-04-18, attackers attributed to North Korea's Lazarus Group/TraderTraitor allegedly exploited KelpDAO's LayerZero bridge and caused the release of $290 million in unbacked rsETH. The attack reportedly involved compromising two LayerZero RPC nodes, poisoning verifier input, and using DDoS activity against legitimate RPC endpoints so a single verifier would approve a fabricated transaction.
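The second ingredient of the attack was the verifier's handling of its RPC sources: with the honest endpoints knocked offline, whatever still answered became the verifier's view of the source chain. The following is an added example for this page, not LayerZero's or any DVN operator's code: it contrasts a fail-open "first endpoint that answers" policy with a fail-closed policy that attests only when a quorum of endpoints run by independent operators agree, treats unreachable endpoints as abstentions rather than agreement, and refuses on any disagreement. The endpoint names, operator labels and hashes are constructed sample data, and the "operator" field is an assumption about how a verifier might track node independence.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpcResult:
    """One endpoint's answer to 'which payload hash did the source chain emit?'."""
    endpoint: str
    payload_hash: Optional[bytes]   # None = timed out or errored (e.g. under DDoS)
    operator: str = "unknown"       # assumed: who runs the node; independence matters


def first_responder(results: list[RpcResult]) -> Optional[bytes]:
    """Fail-open fallback: trust whichever configured endpoint answers.
    Under DDoS against honest nodes this hands the decision to whoever is left."""
    for r in results:
        if r.payload_hash is not None:
            return r.payload_hash
    return None


def quorum_verdict(results: list[RpcResult], quorum: int) -> tuple[Optional[bytes], str]:
    """Fail-closed: attest only if endpoints from at least `quorum` distinct operators
    return the same hash. Unreachable endpoints never count as agreement, and any
    disagreement between reachable endpoints aborts the attestation."""
    answered = [r for r in results if r.payload_hash is not None]
    if not answered:
        return None, "refuse: no endpoint reachable"
    distinct_hashes = {r.payload_hash for r in answered}
    if len(distinct_hashes) > 1:
        who = ", ".join(f"{r.endpoint}={r.payload_hash.hex()[:8]}" for r in answered)
        return None, f"refuse: endpoints disagree ({who})"
    (value,) = distinct_hashes
    operators = {r.operator for r in answered}
    if len(operators) < quorum:
        return None, (f"refuse: only {len(operators)} independent operator(s) "
                      f"confirmed, need {quorum}")
    return value, "attest"


# Constructed sample hashes and endpoint responses.
REAL = bytes.fromhex("aa" * 32)
POISONED = bytes.fromhex("bb" * 32)

HEALTHY = [
    RpcResult("rpc1.example", REAL, "operator-a"),
    RpcResult("rpc2.example", REAL, "operator-b"),
    RpcResult("rpc3.example", REAL, "operator-c"),
    RpcResult("rpc4.example", REAL, "operator-d"),
]

# Honest nodes knocked offline; two compromised nodes (same operator) still answer.
UNDER_ATTACK = [
    RpcResult("rpc1.example", None, "operator-a"),
    RpcResult("rpc2.example", None, "operator-b"),
    RpcResult("rpc3.example", POISONED, "operator-c"),
    RpcResult("rpc4.example", POISONED, "operator-c"),
]

# One honest node survives the DDoS and contradicts the poisoned ones.
SPLIT = [
    RpcResult("rpc1.example", REAL, "operator-a"),
    RpcResult("rpc2.example", None, "operator-b"),
    RpcResult("rpc3.example", POISONED, "operator-c"),
    RpcResult("rpc4.example", POISONED, "operator-c"),
]


def label(h: Optional[bytes]) -> str:
    return "real" if h == REAL else "POISONED" if h == POISONED else "none"


if __name__ == "__main__":
    for name, results in [("healthy", HEALTHY), ("under attack", UNDER_ATTACK), ("split", SPLIT)]:
        _, reason = quorum_verdict(results, quorum=3)
        print(f"{name:13} first-responder -> {label(first_responder(results)):9} quorum -> {reason}")
```

The point of the quorum policy is that a DDoS can only ever push the verifier into refusing, never into attesting to something the honest endpoints did not report; the cost is that an outage of the honest nodes stalls messages instead of letting them through, which is the right failure direction for a component whose attestation releases funds.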

Related Stories

North Korean Hackers Blamed for $290 Million Kelp DAO Crypto Theft

More than **$290 million** in cryptocurrency was stolen from **Kelp DAO** after attackers compromised infrastructure used to verify cross-chain messages and exploited the platform’s `rsETH` configuration. According to LayerZero, the intruders abused Kelp’s single-verifier setup rather than a redundant multi-verifier model, allowing them to mint unbacked `rsETH` and use it as collateral to borrow real **Ether** and stablecoins from other platforms, including **Aave**. LayerZero said preliminary indicators point to North Korea’s **TraderTraitor** group, which is linked to the broader **Lazarus** operation. Kelp DAO disputed LayerZero’s account and argued that LayerZero’s own servers were compromised, setting up a public dispute over responsibility for one of the largest crypto thefts reported this year. LayerZero’s post-mortem said the attackers also used **DDoS** activity against backup systems and self-destructing tools to hinder detection and complete the theft. Law enforcement has been notified, Aave is evaluating remediation, and the incident adds to a long-running pattern of DPRK-linked cryptocurrency thefts that investigators say have generated billions of dollars over the past several years.

3 days ago
Zerion and KelpDAO link security incidents to DPRK TraderTraitor activity

Zerion published a **security incident post-mortem**, and LayerZero later issued a **KelpDAO incident statement**, with both incidents being publicly tied in threat-intelligence discussion to **DPRK** activity. Social-media reporting around the disclosures specifically associated the KelpDAO case with **TraderTraitor**, the North Korean cluster known for targeting cryptocurrency and Web3 organizations through social engineering and wallet compromise. The available references do not provide technical indicators, loss figures, or a detailed attack chain, but they place both disclosures in the context of crypto-focused intrusions attributed to North Korean operators. For CISOs in digital-asset, DeFi, and wallet ecosystems, the incidents reinforce the ongoing risk from DPRK-linked campaigns that exploit trusted workflows, third-party relationships, and user-facing transaction processes to gain access and move funds.

Yesterday
North Korean Hackers Drove Most Crypto Losses Through Drift and KelpDAO Thefts

North Korea-linked hackers were attributed to two major cryptocurrency thefts in April: the **$285 million Drift Protocol breach** and the **$292 million KelpDAO exploit**, which together accounted for **76% of all crypto hack losses recorded through April 2026**. TRM Labs said the operations fit Pyongyang’s established pattern of carrying out a small number of highly targeted, high-value intrusions rather than frequent lower-value attacks, pushing cumulative North Korea-attributed crypto theft above **$6 billion since 2017**. The two attacks used different intrusion paths and laundering chains. In the Drift case, attackers reportedly spent months on social engineering, abused **Solana durable nonce transactions**, and leveraged a governance configuration change to drain funds in about **12 minutes**. In the KelpDAO theft, the attackers allegedly exploited a **single-verifier LayerZero bridge** design after compromising internal RPC nodes and using DDoS pressure to force reliance on poisoned data. TRM said the stolen assets then moved along separate routes: Drift funds were bridged to Ethereum and left dormant, while KelpDAO proceeds were partly frozen on Arbitrum and the remainder rapidly flowed through **THORChain** into Bitcoin in a pattern resembling **TraderTraitor** operations, reinforcing THORChain’s role as a recurring laundering route in major North Korea-linked crypto heists.

Yesterday