$292 Million Kelp DAO Hack: North Korea Suspected in Largest DeFi Exploit of 2026

Global – A sophisticated $292 million exploit of Kelp DAO’s cross-chain bridge has rocked decentralized finance, with blockchain analysts attributing the April 18, 2026, heist to North Korea’s notorious Lazarus Group, exposing critical flaws in verification systems amid a wave of recent DeFi attacks.

At 17:35 UTC on April 18, attackers drained 116,500 rsETH (restaked ether)—about 18% of the token’s circulating supply—from Kelp DAO’s LayerZero-powered bridge, valued at roughly $292 million. Kelp DAO’s emergency pauser multisig halted core contracts 46 minutes later, blocking two follow-up drain attempts targeting an additional 40,000 rsETH.

 

 

Anatomy of the Attack: RPC Poisoning and DDoS Takedown

The breach hinged on a “1-of-1 verifier configuration” in Kelp DAO’s setup, which relied on LayerZero’s Decentralized Verifier Network (DVN) for cross-chain message validation. Hackers compromised RPC (Remote Procedure Call) nodes feeding data into the system, deploying malicious binaries to forge transaction proofs.

A coordinated DDoS attack then overwhelmed remaining RPCs, forcing failover to the poisoned infrastructure and approving unbacked rsETH minting. LayerZero confirmed its core protocol remained intact but stressed that multi-DVN setups—industry best practice—could have prevented the exploit.
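The difference between a 1-of-1 verifier and a multi-verifier quorum, as an added example that is not code from Kelp DAO or LayerZero. It is a simulation: the verifier functions, message ids and hashes are constructed, and the fail-closed rule when too few verifiers respond is an assumption about how a quorum check should behave under the outage described above.

```python
from collections import Counter
from typing import Callable, Optional, Sequence

# Constructed sample data: the only message really sent on the source chain.
SOURCE_CHAIN = {"msg-1": "hash-of-real-payload"}
FORGED = "hash-of-forged-payload"

# A verifier returns the payload hash it observed for a message id,
# or None when its RPC backends are unreachable. (Hypothetical interface.)
Verifier = Callable[[str], Optional[str]]

def honest(msg_id: str) -> Optional[str]:
    return SOURCE_CHAIN.get(msg_id, "not-found")

def poisoned(msg_id: str) -> Optional[str]:
    return FORGED  # reads from a compromised RPC node and confirms the forgery

def unreachable(msg_id: str) -> Optional[str]:
    return None  # backends offline, no attestation produced

def verify(msg_id: str, claimed_hash: str,
           verifiers: Sequence[Verifier], threshold: int) -> tuple[bool, str]:
    """Accept only if `threshold` independent verifiers attest to claimed_hash."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and len(verifiers)")
    votes = Counter(h for h in (v(msg_id) for v in verifiers) if h is not None)
    if sum(votes.values()) < threshold:
        # Too few verifiers answered: refuse rather than trust whoever is left.
        return False, "quorum unavailable, failing closed"
    if votes[claimed_hash] >= threshold:
        return True, "accepted"
    return False, "attestations disagree"

def scenarios() -> dict:
    real = SOURCE_CHAIN["msg-1"]
    return {
        "1-of-1, poisoned": verify("msg-2", FORGED, [poisoned], 1),
        "2-of-3, one poisoned": verify("msg-2", FORGED, [poisoned, honest, honest], 2),
        "2-of-3, one poisoned, two down":
            verify("msg-2", FORGED, [poisoned, unreachable, unreachable], 2),
        "2-of-3, genuine, one down":
            verify("msg-1", real, [honest, honest, unreachable], 2),
    }

if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:32} -> {ok} ({reason})")
```
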

Rather than dumping stolen assets, the attacker deposited 89,567 rsETH into Aave as collateral, borrowing ~$190 million in ETH and related tokens across Ethereum and Arbitrum—prolonging exposure before blacklisting.

 

 

Lazarus Group Fingerprints and DeFi’s Dark April

Security firms and LayerZero pinned the attack on TraderTraitor, a Lazarus subgroup responsible for numerous crypto thefts, including a prior $285 million Drift Protocol hack weeks earlier—totaling over $500 million in DeFi losses. Lazarus, linked to North Korea’s state-sponsored operations, accounted for 59% of 2025’s crypto thefts through social engineering and infrastructure compromises.

This marks 2026’s largest DeFi exploit to date, compounding investor unease across Ethereum and 20+ Layer-2 networks.

 

 

Recovery Efforts Underway: DeFi United’s $300M Pledge

DeFi protocols rallied via DeFi United, committing over $300 million in ETH to restore rsETH backing. The multi-phase plan includes:

  • Converting pledged ETH into rsETH tranches for the affected lockbox contract.
  • Controlled liquidations on Aave (recovering 13,000 ETH from eight positions) and Compound (16,776 ETH).
  • Temporary oracle price adjustments, governance approvals, and staged security checks before resuming bridge operations.

Aave and others will unfreeze markets and reset loan-to-value ratios upon completion.

 

 

Wake-Up Call for DeFi Infrastructure

Experts warn the incident underscores vulnerabilities in single-verifier bridges and RPC dependencies, urging protocols to adopt diversified verification and robust failover mechanisms. As DeFi TVL hovers near all-time highs, the hack tests the ecosystem’s maturity ahead of intensified institutional scrutiny.



 

 

Disclaimers: All contents in this article are for informational purposes only and do not constitute any form of advice. Third-party websites and their content are provided for informational purposes and user convenience only. Rola News does not control, endorse, or assume responsibility for any third-party websites, including their content, accuracy, privacy practices, or any subsequent changes or updates made to them. This article is AI-assisted and has been reviewed by our editorial team.