Mallory

North Korean Hackers Blamed for $290 Million Kelp DAO Crypto Theft

Tags: cryptocurrency-platform-risk, state-sponsored-espionage, defense-evasion-method, cloud-service-vulnerability
Updated April 29, 2026 at 06:01 PM (16 sources)

More than $290 million in cryptocurrency was stolen from Kelp DAO after attackers compromised infrastructure used to verify cross-chain messages and exploited the platform’s rsETH configuration. According to LayerZero, the intruders abused Kelp’s single-verifier setup rather than a redundant multi-verifier model, allowing them to mint unbacked rsETH and use it as collateral to borrow real Ether and stablecoins from other platforms, including Aave. LayerZero said preliminary indicators point to North Korea’s TraderTraitor group, which is linked to the broader Lazarus operation.

Kelp DAO disputed LayerZero’s account and argued that LayerZero’s own servers were compromised, setting up a public dispute over responsibility for one of the largest crypto thefts reported this year. LayerZero’s post-mortem said the attackers also used DDoS activity against backup systems and self-destructing tools to hinder detection and complete the theft. Law enforcement has been notified, Aave is evaluating remediation, and the incident adds to a long-running pattern of DPRK-linked cryptocurrency thefts that investigators say have generated billions of dollars over the past several years.

Timeline

  1. Apr 28, 2026

    DeFi United publishes technical rsETH recovery plan

    DeFi United outlined a technical plan to restore rsETH backing after the Kelp DAO exploit, including governance proposals, temporary oracle changes, and controlled liquidations targeting about 107,000 rsETH in attacker-linked Aave and Compound positions. The coalition said it had secured recapitalization commitments in tranches, while LayerZero Labs pledged more than 10,000 ETH through direct support and Aave liquidity assistance.

  2. Apr 24, 2026

    DeFi United reports recovery pledges and Mantle loan proposal

    By April 24, the Kelp- and Aave Labs-led 'DeFi United' recovery effort said 73,700 ETH of the exploit-related shortfall had been filled and public commitments totaled 43,500 ETH, leaving about 89,500 ETH outstanding. The update also said Mantle proposed a loan of up to 30,000 ETH to Aave DAO to help address the remaining bad debt, with public support from Bybit CEO Ben Zhou and other DeFi participants.

  3. Apr 21, 2026

    Aave partially reopens WETH supply after emergency freeze

    On April 21, Aave partially rolled back emergency controls imposed after the Kelp DAO exploit by reopening WETH supply on its Ethereum Core V3 market. WETH collateralization remained disabled and other affected markets stayed frozen while the protocol continued managing contagion risk and potential bad debt.

  4. Apr 21, 2026

    Arbitrum freezes 30,766 ETH tied to KelpDAO exploit

    Arbitrum said its Security Council used emergency powers to freeze about 30,766 ETH, worth more than $71 million, linked to the KelpDAO exploit after receiving identity information about the exploiter from law enforcement. The action marked a concrete containment step beyond the earlier general law-enforcement response.

  5. Apr 20, 2026

    LayerZero ends support for single-verifier message signing

    In response to the Kelp DAO exploit, LayerZero said it will stop signing messages for applications using a single-verifier setup. The move forces affected applications to migrate away from the 1-of-1 DVN model criticized after the theft.

  6. Apr 20, 2026

    Fluid and partners launch aWETH Redemption Protocol

    Following the Kelp DAO exploit's impact on Aave's fully utilized WETH market, Fluid and partners including Lido, Ether.fi, 1inch, 0x, and Kyber launched an emergency aWETH Redemption Protocol to let users swap stuck aWETH exposure into wstETH or weETH collateral. The mechanism was built in under 24 hours and processed 58,510 aWETH, about $136 million, within its first 48 hours, though it did not reduce Aave's modeled bad debt.

  7. Apr 20, 2026

    Aave estimates $123.7M-$230.1M bad debt from Kelp exploit

    Aave service providers published an incident report stating that 89,567 stolen rsETH were deposited across seven attacker-controlled wallets and estimating potential bad debt of $123.7 million to $230.1 million depending on loss allocation and oracle updates. The report also recommended immediately pausing Aave's Umbrella WETH safety module while mitigation efforts were coordinated.

  8. Apr 20, 2026

    Law enforcement and Aave begin response to Kelp theft

    Following disclosure of the incident, law enforcement became involved and Aave began assessing remediation related to the stolen funds and downstream impact. These actions marked the initial external response to the theft.

  9. Apr 20, 2026

    Kelp DAO disputes LayerZero's account of the breach

    After LayerZero's attribution, a Kelp source rejected the claim that its configuration choices were to blame and instead said LayerZero's own servers were compromised. The dispute highlighted conflicting explanations for how the theft occurred.

  10. Apr 20, 2026

    LayerZero publicly attributes Kelp theft to North Korea

    By Monday, LayerZero said preliminary indicators linked the theft to North Korea's TraderTraitor group, associated with the Lazarus operation. Its post-mortem said the incident was isolated to Kelp and argued Kelp had not adopted LayerZero's recommended multi-DVN redundancy.

  11. Apr 18, 2026

    Kelp DAO pauses rsETH contracts and blocks further theft attempts

    After detecting suspicious cross-chain rsETH activity, Kelp DAO paused rsETH contracts on Ethereum mainnet and several Layer 2 networks while investigating the April 18 exploit. The freeze reportedly blocked two additional attempted thefts totaling roughly $100 million.

  12. Apr 18, 2026

    Hackers steal more than $290 million from Kelp DAO

    Over the weekend, attackers stole more than $290 million in cryptocurrency from Kelp DAO by compromising infrastructure used to verify cross-chain messages and exploiting Kelp's single-verifier configuration for rsETH. The attackers minted unbacked rsETH and used it as collateral to borrow real Ether and stablecoins from platforms including Aave.


Related Stories

North Korean Hackers Drove Most Crypto Losses Through Drift and KelpDAO Thefts

North Korea-linked hackers were attributed to two major cryptocurrency thefts in April: the **$285 million Drift Protocol breach** and the **$292 million KelpDAO exploit**, which together accounted for **76% of all crypto hack losses recorded through April 2026**. TRM Labs said the operations fit Pyongyang’s established pattern of carrying out a small number of highly targeted, high-value intrusions rather than frequent lower-value attacks, pushing cumulative North Korea-attributed crypto theft above **$6 billion since 2017**. The two attacks used different intrusion paths and laundering chains. In the Drift case, attackers reportedly spent months on social engineering, abused **Solana durable nonce transactions**, and leveraged a governance configuration change to drain funds in about **12 minutes**. In the KelpDAO theft, the attackers allegedly exploited a **single-verifier LayerZero bridge** design after compromising internal RPC nodes and using DDoS pressure to force reliance on poisoned data. TRM said the stolen assets then moved along separate routes: Drift funds were bridged to Ethereum and left dormant, while KelpDAO proceeds were partly frozen on Arbitrum and the remainder rapidly flowed through **THORChain** into Bitcoin in a pattern resembling **TraderTraitor** operations, reinforcing THORChain’s role as a recurring laundering route in major North Korea-linked crypto heists.

Yesterday
Lazarus stole $290M from KelpDAO by exploiting LayerZero 1-of-1 DVN security

North Korea's **Lazarus Group** allegedly stole **$290 million** in `rsETH` from **KelpDAO** by abusing a weak **LayerZero** bridge configuration that relied on a **1-of-1 Decentralized Validator Network (DVN)**. According to post-incident reporting, the attackers compromised two LayerZero RPC nodes, poisoned data sent to the sole verifier, and used DDoS activity against legitimate RPC endpoints so the verifier would accept malicious data. That approval triggered the release of unbacked `rsETH`, while the malware reportedly self-destructed afterward to hinder forensic analysis. LayerZero Labs said the single-verifier setup created a clear single point of failure and helped contain the blast radius to KelpDAO's bridge. Follow-on analysis from **Dune Analytics** found the KelpDAO design was not an outlier: across roughly **2,665 active LayerZero OApp contracts** observed over 90 days, about **47%** used a **1-of-1** DVN configuration, **45%** used **2-of-2**, and only around **5%** used **3-of-3 or higher**. Researchers and ecosystem observers said the incident highlights structural risk across LayerZero's omnichain infrastructure, where single-validator deployments can expose protocol assets and user funds to bridge compromise. Open data and community analysis were released to scrutinize DVN security standards, while key questions remain about how the attackers obtained the RPC node list and achieved root-level access, including whether the intrusion stemmed from a prior compromise, a breached deployment pipeline, or insider access.

1 week ago
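The difference between the 1-of-1 setup and a redundant multi-verifier model, as described in the main summary and in the Lazarus story above, modelled as an added Python example (not LayerZero's, Kelp DAO's, or Dune's code): a message is delivered only when every required verifier and a threshold of optional verifiers attest to it, so a verifier whose RPC view was poisoned is enough on its own under 1-of-1 but not under 2-of-2. Verifier names, payload hashes and the `audit` check are constructed for illustration and assume the required/optional/threshold shape of a DVN configuration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    nonce: int
    payload_hash: str  # hash of the instruction the destination chain will execute (e.g. a mint)

@dataclass
class Verifier:
    """A DVN attests only to payloads present in its view of the source chain. `source_view`
    stands in for what its RPC nodes reported; poisoned RPC data shows payloads never emitted."""
    name: str
    source_view: set[str] = field(default_factory=set)
    def attests(self, msg: Message) -> bool:
        return msg.payload_hash in self.source_view

@dataclass
class DVNConfig:
    """All required verifiers must attest, then `optional_threshold` of the optional ones."""
    required: list[Verifier]
    optional: list[Verifier] = field(default_factory=list)
    optional_threshold: int = 0
    def label(self) -> str:
        """Bucket the config like the Dune breakdown on the page ('1-of-1', '2-of-2', ...)."""
        needed = len(self.required) + self.optional_threshold
        return f"{needed}-of-{len(self.required) + len(self.optional)}"
    def verify(self, msg: Message) -> bool:
        if not all(v.attests(msg) for v in self.required):
            return False
        return sum(v.attests(msg) for v in self.optional) >= self.optional_threshold

def audit(cfg: DVNConfig) -> list[str]:
    """Defender-side check: flag any config in which one verifier alone can authorize delivery."""
    if len(cfg.required) + cfg.optional_threshold < 2:
        return [f"{cfg.label()}: a single verifier can authorize any message"]
    return []

# Constructed scenario: dvn-a's RPC view was poisoned with a payload that never happened on-chain.
LEGIT, FORGED = "payload_legit", "payload_forged"
poisoned = Verifier("dvn-a", {LEGIT, FORGED})
honest = Verifier("dvn-b", {LEGIT})
single = DVNConfig(required=[poisoned])             # the 1-of-1 setup the page describes
redundant = DVNConfig(required=[poisoned, honest])  # 2-of-2: the forged payload needs both

def outcomes() -> dict[str, bool]:
    forged, legit = Message(1, FORGED), Message(2, LEGIT)
    return {"1-of-1 accepts forged": single.verify(forged),
            "2-of-2 accepts forged": redundant.verify(forged),
            "2-of-2 accepts legit": redundant.verify(legit)}
```

Running `audit` over each OApp's configuration is the kind of check that would have surfaced the 1-of-1 deployments the Dune analysis counted.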
Zerion and KelpDAO link security incidents to DPRK TraderTraitor activity

Zerion published a **security incident post-mortem**, and LayerZero later issued a **KelpDAO incident statement**, with both incidents being publicly tied in threat-intelligence discussion to **DPRK** activity. Social-media reporting around the disclosures specifically associated the KelpDAO case with **TraderTraitor**, the North Korean cluster known for targeting cryptocurrency and Web3 organizations through social engineering and wallet compromise. The available references do not provide technical indicators, loss figures, or a detailed attack chain, but they place both disclosures in the context of crypto-focused intrusions attributed to North Korean operators. For CISOs in digital-asset, DeFi, and wallet ecosystems, the incidents reinforce the ongoing risk from DPRK-linked campaigns that exploit trusted workflows, third-party relationships, and user-facing transaction processes to gain access and move funds.

Yesterday
