A $290 million exploit on KelpDAO’s cross-chain bridge on April 18, attributed by LayerZero to North Korea’s Lazarus Group, sent shockwaves through DeFi and erased more than $13 billion in total value locked across protocols within 48 hours.
Summary
- Attackers drained 116,500 rsETH worth approximately $290 million from KelpDAO’s LayerZero-powered bridge on April 18 in 2026’s largest DeFi exploit to date.
- LayerZero has attributed the attack with preliminary confidence to North Korea’s Lazarus Group, specifically its TraderTraitor subunit.
- The fallout triggered over $13 billion in outflows from DeFi platforms including Aave, which froze rsETH markets on both its V3 and V4 deployments.
Attackers drained 116,500 rsETH, worth approximately $290 million, from KelpDAO’s LayerZero-powered cross-chain bridge on April 18, in what CoinDesk has called 2026’s largest DeFi exploit to date. LayerZero, whose infrastructure underpinned the bridge, said in a statement Monday that “preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group.”
KelpDAO Hack Triggers $13 Billion DeFi Meltdown
The attack worked by compromising two remote procedure call nodes that LayerZero’s verifier relied on to confirm cross-chain transactions, then flooding backup nodes with junk traffic to force failover to the poisoned endpoints. Once the verifier signed off on a fabricated transaction, the bridge released $290 million in rsETH to an attacker-controlled address. The malware then self-destructed, wiping binaries and logs to frustrate forensic investigation. As crypto.news reported, the exploit triggered over $10 billion in outflows from Aave alone, with the lending protocol’s total value locked dropping from $45.8 billion to $35.7 billion as users scrambled to exit. UPI reported that more than $13 billion was wiped from total value locked across DeFi platforms in the two days following the breach.
LayerZero and KelpDAO Trade Blame Over Security Configuration
A dispute has erupted over who bears responsibility for the vulnerability that made the attack possible. LayerZero said KelpDAO had chosen to operate a 1-of-1 decentralized verifier network configuration, a single point of failure it had repeatedly warned against, and announced it would no longer sign messages for any application using that setup. KelpDAO pushed back, telling CoinDesk its configuration followed LayerZero’s own documented defaults and that the compromised validator was part of LayerZero’s own infrastructure. As crypto.news documented, independent security researchers including a Yearn Finance developer found that LayerZero’s public deployment code ships with single-source verification defaults across every major chain, undercutting the firm’s claim that KelpDAO had deviated from guidance.
What the Hack Means for DeFi Security and Institutional Confidence
The KelpDAO exploit is the second major DeFi breach linked to Lazarus in April alone, following the $285 million Drift Protocol attack on April 1, bringing the group’s total DeFi haul for the month to over $575 million. The attacker has since begun laundering the stolen funds, routing assets through Arbitrum and into Tron-based stablecoins, as crypto.news has tracked. Jefferies has warned that marquee hacks of this scale could temporarily slow Wall Street’s appetite for tokenization projects, as institutions reassess the security risks embedded in DeFi bridge infrastructure. LayerZero said it has confirmed zero contagion to other applications running multi-verifier configurations, but has forced a protocol-wide migration away from single-validator setups.
LayerZero said it is working with KelpDAO, the Security Alliance, and law enforcement agencies to trace the stolen funds, though the attacker’s use of privacy tools has significantly complicated recovery efforts.
