LayerZero Indicates Lazarus Group Probably Responsible for Kelp DAO Breach
LayerZero has linked the Kelp DAO exploit to North Korea’s Lazarus Group, pinpointing a single-point-of-failure in the protocol’s verifier configuration as the technical flaw that enabled the attack.
The incident resulted in an estimated loss of $292 million from Kelp DAO’s rsETH pool on April 18, marking it as the largest DeFi hack of 2026 thus far – and caused the total value locked in the DeFi sector to decline by 7% within 24 hours to $85 billion, as reported by DefiLlama.
DeFi Total Value Locked / Source: DefiLlama
This attribution is not presented as a definitive conclusion but rather as a probabilistic assertion: LayerZero indicates that Lazarus is the probable culprit, rather than a confirmed one. The implications of this distinction for the protocol, its users, and the cross-chain security framework are the focus of this report.
Key Takeaways:
- Attribution source: LayerZero carried out the post-incident analysis and identified North Korea’s Lazarus Group – specifically the TraderTraitor subgroup – as the probable attacker.
- Technical root cause: Kelp DAO utilized a 1-of-1 DVN (single decentralized verifier node) configuration, disregarding LayerZero’s repeated advice for multi-verifier redundancy.
- Exploit amount: Approximately $292 million was siphoned from Kelp DAO’s rsETH pool; no LayerZero protocol code or private keys were compromised.
- Market impact: DeFi TVL decreased by 7% in 24 hours to $86 billion following the event.
- Response: LayerZero decommissioned the affected RPC nodes and reinstated full DVN operations; collaboration with law enforcement for fund tracing is ongoing.
- Watch: Whether Kelp DAO will announce a compensation mechanism and if other cross-chain protocols using single-DVN setups will take action to prevent future attacks.
LayerZero’s Kelp DAO Lazarus Findings: Understanding the Implications of a Single-Point Failure in Cross-Chain Architecture
The exploit was executed through a multi-step and precise approach. Attackers compromised the RPC infrastructure supporting LayerZero’s decentralized verifier network, then initiated a DDoS attack aimed at forcing a failover to compromised backup nodes.
With the verifier network redirected, the system validated fraudulent cross-chain transactions, resulting in $292 million in rsETH being withdrawn from Kelp DAO’s pool before the deception was uncovered.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…— Kelp (@KelpDAO) April 18, 2026
The critical factor: Kelp DAO operated a 1-of-1 DVN configuration, meaning a single verifier node was the sole barrier between the protocol and a catastrophic failure. LayerZero had flagged this architecture as insufficient – multiple times, according to the investigation – and recommended a multi-DVN setup in line with industry best practices for redundancy. Kelp DAO did not implement those suggestions.
A multi-DVN configuration would have necessitated that attackers compromise several independent verification nodes at once, which would have been a significantly more challenging technical task. The 1-of-1 setup eliminated that barrier entirely. As Ripple CTO David Schwartz remarked on X: “The attack was way more sophisticated than I expected and aimed at LayerZero infrastructure taking advantage of KelpDAO laziness.”
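The gap between a 1-of-1 and a multi-DVN configuration can be modelled as a threshold check over independent attestations. The Python below is an added example, not code from LayerZero or Kelp DAO; the class, field names, verifier names and hashes are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical model of one pathway's verifier set (not LayerZero's schema)."""
    required: frozenset                 # every verifier here must attest
    optional: frozenset = frozenset()   # pool for the extra quorum
    optional_threshold: int = 0         # how many from the pool must attest

    def __post_init__(self):
        if not self.required and self.optional_threshold == 0:
            raise ValueError("no verifier gates this pathway")
        if self.optional_threshold > len(self.optional - self.required):
            raise ValueError("threshold exceeds distinct optional verifiers")

def is_verified(cfg, attestations, payload_hash):
    """attestations maps verifier name -> payload hash that verifier signed off on."""
    agree = {v for v, h in attestations.items() if h == payload_hash}
    if not cfg.required <= agree:
        return False
    return len((cfg.optional - cfg.required) & agree) >= cfg.optional_threshold

def min_compromises(cfg):
    """Fewest verifiers that must attest falsely before a forged message passes."""
    return len(cfg.required) + cfg.optional_threshold

def audit(pathways, minimum=2):
    """Names of pathways gated by fewer than `minimum` independent verifiers."""
    return sorted(n for n, c in pathways.items() if min_compromises(c) < minimum)

# Constructed sample data: verifier names and hashes are placeholders.
REAL, FORGED = "hash-of-real-message", "hash-of-forged-message"
SINGLE = VerifierConfig(required=frozenset({"dvn-a"}))
MULTI = VerifierConfig(required=frozenset({"dvn-a", "dvn-b"}),
                       optional=frozenset({"dvn-c", "dvn-d"}),
                       optional_threshold=1)
PATHWAYS = {"single-dvn": SINGLE, "multi-dvn": MULTI}

# dvn-a reads from a poisoned data source and attests to the forged hash;
# the other verifiers read independent sources and attest to the real one.
VIEW = {"dvn-a": FORGED, "dvn-b": REAL, "dvn-c": REAL, "dvn-d": REAL}

if __name__ == "__main__":
    for name, cfg in PATHWAYS.items():
        print(name, "accepts forged:", is_verified(cfg, VIEW, FORGED),
              "| verifiers to subvert:", min_compromises(cfg))
    print("flagged by audit:", audit(PATHWAYS))
```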
LayerZero’s response was precise: the team decommissioned all affected RPC nodes after the incident and fully restored DVN operations without broader repercussions for other protocols utilizing the same infrastructure. No LayerZero protocol code was compromised. No private keys were exposed. The failure was architectural, not foundational – a distinction that is crucial for the protocol’s credibility but does not aid in recovering the $292 million.
Why North Korea Attribution Alters the Threat Model for All of DeFi
LayerZero’s attribution of the Kelp DAO incident to the Lazarus Group, framed as likely rather than confirmed, aligns with a recognized and escalating trend.
The TraderTraitor subgroup, a known operational unit of Lazarus, was preliminarily identified during the forensic analysis. LayerZero is actively working with global law enforcement on fund tracing, indicating that the attribution holds enough evidentiary significance to warrant state-level investigative resources.
lazarus stole $7B+ since the beginning of crypto
7 fucking billion
how do you even cash that out?— nairolf (@0xNairolf) April 20, 2026
Lazarus has been linked to some of the largest crypto thefts on record, including the $625 million Ronin Network hack in 2022 and a series of DeFi protocol exploits that have collectively funneled billions into North Korea’s weapons programs, according to assessments from the U.S. Treasury and the UN.
North Korea’s cryptocurrency operations extend well beyond direct exploits – the regime has also embedded operatives within Web3 companies under false identities, a parallel strategy that broadens the attack surface beyond infrastructure alone.
Cross-chain protocols are inherently appealing targets for this type of actor. They exist at high-value intersections between multiple chains, often holding pooled liquidity that surpasses any single application’s balance, and their security relies on verifier networks that can become single points of failure when misconfigured. RPC poisoning as a tactic against verifier networks signifies a new escalation – one that security researchers now recognize as documented and replicable.
The post LayerZero Says Lazarus Group Likely Behind Kelp DAO Exploit appeared first on Cryptonews.