
VADODARA, April 20, 2026. The following report is based on currently available verified source material and market data.
On April 20, 2026, cross-chain interoperability protocol LayerZero (ZRO) publicly attributed a $290 million exploit of Kelp DAO's rsETH to the North Korean state-sponsored hacking group Lazarus. The incident, which occurred yesterday, involved a sophisticated attack on LayerZero's Decentralized Verification Network (DVN) infrastructure, marking one of the largest DeFi hacks of the year. This attribution raises immediate concerns about cross-chain security vulnerabilities and the persistent threat of nation-state actors in the crypto space, as global crypto sentiment remains in "Fear" territory with Bitcoin trading at $74,466, down 1.44% in 24 hours.
The hack resulted in estimated damages of $290 million, according to LayerZero's public statement. The attack exploited a security configuration issue within Kelp DAO's specific application setup, not a fundamental flaw in the LayerZero protocol itself. No other assets or applications were affected. LayerZero has since replaced the compromised RPC nodes and restored normal service.
| Metric | Value | Source |
|---|---|---|
| Estimated Damages | $290 million | Public statement |
| Bitcoin Price | $74,466 (-1.44% 24h) | CoinGecko |
| Global Crypto Sentiment | Fear (Score: 29/100) | CoinGecko |
Why now? This incident occurs amid heightened regulatory scrutiny and market volatility, with global crypto sentiment at "Fear" levels. The attribution to Lazarus, a known North Korean entity, escalates the geopolitical stakes of DeFi security breaches.
Who benefits? Lazarus group directly benefits from the stolen funds, which are often used to fund North Korean state activities. Security researchers and protocol auditors may see increased demand. Kelp DAO users and rsETH holders suffer immediate financial losses.
Time horizons: Short-term, DeFi protocols face increased scrutiny and potential liquidity withdrawals. Long-term, this may accelerate industry-wide adoption of multi-validator security frameworks and enhanced operational security practices.
Causal chain: Lazarus group targets Kelp DAO's single-validator setup → compromises LayerZero's RPC infrastructure via DDoS and node replacement → redirects system to malicious nodes → executes $290M exploit → triggers security reassessments across DeFi.
The attackers used a sophisticated method to compromise the underlying RPC infrastructure of LayerZero Labs' Decentralized Verification Network (DVN). They hacked two independent RPC nodes, replaced them with malicious binaries, and launched a distributed denial-of-service (DDoS) attack on normal nodes to redirect the system to the compromised ones. This allowed them to bypass security checks and execute the exploit on Kelp DAO's rsETH, which was using a single-validator structure despite LayerZero's previous recommendation for a multi-DVN setup with multiple validators.
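The failure mode described above can be reduced to a small quorum model. This is an added illustration, not LayerZero or Kelp DAO code: the function names, pool sizes and hash values are constructed assumptions. It contrasts a single verifier that fails over to any reachable RPC node with a quorum fixed over the configured nodes and with several verifiers on independent pools.

```python
from collections import Counter

# Constructed values: payload hashes for one cross-chain message.
HONEST, FORGED = "0xaaa", "0xbbb"

def agree(values, need):
    """Return the value reported by at least `need` sources, else None.

    `need` is fixed from the configured set, so an unreachable source (None)
    counts against the quorum instead of shrinking it: the check fails closed.
    """
    counts = Counter(v for v in values if v is not None)
    if not counts:
        return None
    value, n = counts.most_common(1)[0]
    return value if n >= need else None

def first_reachable(values):
    """Weak pattern: fail over to whichever source still answers."""
    return next((v for v in values if v is not None), None)

# Constructed scenario: three honest RPC nodes are offline (None) and two
# nodes have been replaced and report a forged hash.
ATTACKED_POOL = [None, None, None, FORGED, FORGED]
HEALTHY_POOL = [HONEST, HONEST, HONEST]

def single_verifier_failover():
    """One verifier, failover reads: the forged hash is all it sees."""
    return agree([first_reachable(ATTACKED_POOL)], need=1)

def single_verifier_quorum():
    """One verifier that needs 3 of its 5 configured nodes to agree."""
    return agree([agree(ATTACKED_POOL, need=3)], need=1)

def multi_verifier(need):
    """Three verifiers with independent RPC pools; `need` must attest alike."""
    attestations = [
        first_reachable(ATTACKED_POOL),  # verifier A, pool under attack
        agree(HEALTHY_POOL, need=2),     # verifier B
        agree(HEALTHY_POOL, need=2),     # verifier C
    ]
    return agree(attestations, need)

if __name__ == "__main__":
    print("1 verifier, failover:", single_verifier_failover())
    print("1 verifier, quorum  :", single_verifier_quorum())
    print("2-of-3 verifiers    :", multi_verifier(2))
    print("3-of-3 verifiers    :", multi_verifier(3))
```

In this model only the single-verifier failover path accepts the forged hash; the quorum and 3-of-3 cases return nothing, which stalls the message instead of delivering a forged one.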
This incident highlights ongoing security challenges in cross-chain interoperability and DeFi:
Several uncertainties and bearish scenarios warrant consideration:
In the near term, DeFi protocols are likely to accelerate audits of their RPC and validator configurations. Insurance providers may adjust premiums for protocols using single-validator setups. LayerZero's collaboration with authorities worldwide to track stolen funds could set precedents for cross-jurisdictional recovery efforts in crypto hacks.
LayerZero is a cross-chain interoperability protocol that enables message passing between different blockchains. Kelp DAO is a decentralized autonomous organization focused on liquid staking derivatives, with rsETH being its wrapped staked Ethereum token. The Lazarus group, linked to North Korea, has been implicated in numerous high-profile crypto hacks over the past decade, often targeting DeFi protocols and exchanges to circumvent international sanctions.
This hack occurs alongside several relevant industry developments:
The $290M Kelp DAO hack attributed to Lazarus represents a significant escalation in DeFi security threats, combining sophisticated infrastructure attacks with nation-state backing. While LayerZero has contained the immediate technical breach, the incident highlights critical vulnerabilities in cross-chain security configurations and the urgent need for industry-wide operational hardening.
Q1: What was stolen in the Kelp DAO hack? The hackers exploited Kelp DAO's rsETH (wrapped staked Ethereum) for an estimated $290 million.
Q2: How did Lazarus group execute the attack? They compromised LayerZero's RPC infrastructure by hacking nodes, replacing them with malicious binaries, and using DDoS attacks to redirect system traffic.
Q3: Was the LayerZero protocol itself hacked? No. LayerZero stated this was a security configuration issue with Kelp DAO's specific application, not a flaw in the protocol.
Q4: What has LayerZero done in response? They replaced compromised RPC nodes, restored normal service, and are working with authorities worldwide to track stolen funds.
Q5: Could this happen to other protocols? Protocols using similar single-validator setups without multi-DVN configurations may be vulnerable to similar infrastructure-level attacks.
Q6: What is the current market impact? Bitcoin is trading at $74,466 (down 1.44% in 24h) with global crypto sentiment at "Fear" (score 29/100).
Analysts are watching for further attribution details from cybersecurity firms and regulatory responses to state-sponsored crypto attacks.
What to watch next: LayerZero was the cross-chain bridge utilized by the hackers in the incident yesterday; exchange-level volume and liquidity data.
Evidence & Sources
Primary source: https://coinness.com/news/1154955
Updated at: Apr 20, 2026, 06:45 AM
Data window: Apr 20, 2026, 06:44 AM → Apr 20, 2026, 06:45 AM
Evidence stats: 4 metrics, 1 timeline points.
Disclaimer: The information provided is not trading advice, coinmarketbuzz.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
All published reports are reviewed by our editorial team for factual consistency, neutrality, and reader clarity.




