    Kelp DAO Exploited for $292 Million in Major DeFi Attack Linked to Lazarus Group

    Moderate · 7 articles covering this · 5 news sources · Updated 12 hours ago · World

    Here's what it means for you.

    If you’re involved in decentralized finance (DeFi), this exploit underscores the vulnerabilities in cross-chain bridges that could impact your investments.

    Why it matters

    This incident highlights systemic risks in DeFi infrastructure, particularly in cross-chain operations, which could lead to significant financial losses for investors.

    What happened (in 30 seconds)

    • On April 18, 2026, Kelp DAO's LayerZero-powered rsETH bridge was exploited, resulting in a theft of 116,500 rsETH tokens valued at approximately $292 million.
    • The attack, attributed to North Korea's Lazarus Group, involved compromising RPC nodes and executing a DDoS assault that forced reliance on a single compromised verifier.
    • Kelp DAO halted operations within 46 minutes, preventing additional losses estimated at $200 million and triggering widespread disruptions in the DeFi ecosystem.

    The context you actually need

    • Kelp DAO facilitates liquid restaking by accepting ETH deposits and issuing rsETH as a receipt token, relying on LayerZero's technology for cross-chain transfers.
    • Cross-chain bridges have historically been vulnerable due to their reliance on decentralized verifier networks, making them attractive targets for attackers.
    • Lazarus Group has a documented history of cryptocurrency thefts, often targeting DeFi protocols to fund state activities and circumvent sanctions.

    What's really happening

    On April 18, 2026, at approximately 17:35 UTC, a sophisticated attack unfolded against Kelp DAO's LayerZero-powered rsETH bridge. Attackers compromised two RPC nodes utilized by LayerZero's verifier, deploying malware that relayed falsified transaction data. This was coupled with a concurrent DDoS attack that neutralized remaining RPC providers, forcing Kelp DAO to rely on a single compromised verifier in its decentralized verifier network (DVN) setup. This critical failure allowed the attackers to approve a fraudulent cross-chain message, resulting in the unauthorized release of 116,500 rsETH from the bridge reserve.

    Kelp DAO's emergency response was swift; operations were halted within 46 minutes of the initial breach, effectively thwarting two subsequent drain attempts. However, the damage was already significant, with stolen funds being laundered through Aave and other protocols, leading to liquidity crises across the DeFi landscape. The aftermath saw Arbitrum Security Council freezing 30,766 ETH (approximately $71 million) linked to the exploit, while Aave faced potential bad debt of $230 million, prompting massive withdrawals and a $13 billion decline in DeFi total value locked (TVL) over just two days.

    LayerZero's response included terminating support for single-verifier configurations, a move aimed at preventing similar exploits in the future. However, Kelp DAO contested LayerZero's account of the incident, arguing that the default infrastructure settings contributed to the breach. This incident has raised questions about the security protocols in place for cross-chain bridges and the inherent risks associated with decentralized finance.
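The two failure points described above (a verifier left reading from whichever RPC nodes still answered, and a bridge accepting one verifier's approval) can be contrasted with a fail-closed design. This is an added illustration, not code from Kelp DAO or LayerZero; the provider names, hashes and function names are hypothetical, and the five-provider setup is constructed sample data.

```python
from collections import Counter
from typing import Callable, Dict, Set

class QuorumNotReached(Exception):
    """Too few independent providers agree; the caller must not attest."""

def read_with_quorum(providers: Dict[str, Callable[[], str]], quorum: int) -> str:
    """Return the value reported by at least `quorum` providers, else raise.

    The quorum is fixed against the configured provider set, so a provider
    that times out counts as a missing vote instead of shrinking the set.
    """
    if quorum <= len(providers) // 2:
        raise ValueError("quorum must be a strict majority of configured providers")
    votes: Counter = Counter()
    for fetch in providers.values():
        try:
            votes[fetch()] += 1
        except Exception:
            continue  # unreachable provider: no vote, no fallback
    top = votes.most_common(1)
    if top and top[0][1] >= quorum:
        return top[0][0]
    raise QuorumNotReached(f"votes={dict(votes)} quorum={quorum}")

def accept_message(payload_hash: str, attestations: Dict[str, str], required: Set[str]) -> bool:
    """Accept only if every required verifier attested to this exact hash."""
    if len(required) < 2:
        return False  # single-verifier configuration is refused outright
    return all(attestations.get(v) == payload_hash for v in required)

# Constructed sample data: five hypothetical RPC providers and two hashes.
GOOD, FORGED = "0xaaa1", "0xbbb2"

def answers(value: str) -> Callable[[], str]:
    return lambda: value

def unreachable() -> str:
    raise TimeoutError("provider unreachable")

HEALTHY = {f"rpc{i}": answers(GOOD) for i in range(5)}
DEGRADED = {"rpc0": answers(FORGED), "rpc1": answers(FORGED),
            "rpc2": unreachable, "rpc3": unreachable, "rpc4": unreachable}

if __name__ == "__main__":
    print(read_with_quorum(HEALTHY, quorum=3))
    try:
        read_with_quorum(DEGRADED, quorum=3)
    except QuorumNotReached as exc:
        print("refusing to attest:", exc)
```

A fixed quorum only helps while fewer than a majority of the configured providers are compromised; it turns an outage into a halt rather than a forged approval.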

    The implications of this exploit extend beyond Kelp DAO and LayerZero, affecting the broader DeFi ecosystem. Investors are now more cautious, and protocols are likely to reassess their security measures to prevent similar incidents. The exploit serves as a stark reminder of the vulnerabilities that exist within the rapidly evolving DeFi space, where the balance between innovation and security remains precarious.

    Who feels it first (and how)

    • DeFi investors: Those holding assets in protocols like Kelp DAO and Aave may experience immediate financial impacts due to liquidity crises and potential losses.
    • Developers and protocol teams: Increased scrutiny on security measures may lead to heightened operational costs and changes in development priorities.
    • Regulatory bodies: As incidents like this gain attention, regulators may push for stricter compliance and security standards in the DeFi space.

    What to watch next

    • Security audits: Increased demand for comprehensive security audits of DeFi protocols could emerge, influencing operational costs and timelines.
    • Market reactions: Watch for shifts in investor sentiment and capital flows within DeFi, particularly in response to security incidents.
    • Regulatory developments: Potential regulatory responses to enhance security standards in DeFi could reshape the landscape, impacting how protocols operate.

    Known:

    The exploit resulted in a theft of $292 million, significantly impacting Kelp DAO and Aave.

    Likely:

    Increased scrutiny and demand for security improvements across DeFi protocols will follow this incident.

    Unclear:

    The long-term effects on investor confidence and regulatory responses remain uncertain.

    Insights by A47 Intelligence

    7 Articles
    CoinDesk

    The Protocol: Kelp DAO exploited for $292 million

    Kelp DAO has suffered a significant exploit resulting in the loss of approximately $292 million, primarily through a vulnerability in its LayerZero-powered bridge. This incident has raised alarms within the decentralized finance (DeFi) sector, highli...

    Cointelegraph

    Aave deposits fall by $15B as Kelp exploit sparks flight from DeFi lender

    Aave has experienced a significant decline in deposits, losing approximately $15 billion following the Kelp DAO bridge exploit, which raised concerns over the protocol's ability to manage the resulting financial shortfall. Users are withdrawing funds...

    Crypto News

    KelpDAO hacker launders funds from Ethereum to Arbitrum and into Tron-based USDT

    The hacker responsible for the KelpDAO exploit, which resulted in the theft of nearly $300 million in rsETH, is now laundering the stolen funds by transferring them from Ethereum to Arbitrum and subsequently into Tron-based USDT. This laundering oper...

    Cointelegraph

    North Korea tied to heists worth $578M in April after Kelp DAO exploit

    North Korea has been linked to cryptocurrency thefts totaling $578 million in April, primarily following the exploit of Kelp DAO, which suffered a significant breach resulting in the loss of approximately $292 million. This incident underscores the o...

    Cointelegraph

    Privacy protocol Umbra shuts front end to stifle Kelp exploiters

    Umbra has shut down its front end to prevent further exploitation by hackers, although it acknowledges that it cannot stop the use of its smart contracts or an alternative version of its open-source front end. This decision follows a significant secu...

    NewsBTC

    Crypto Community Slams LayerZero: More Verifiers Won’t Stop The Next $290M Hack

    LayerZero is under fire following a significant $290 million exploit of the KelpDAO platform, attributed to a single-verifier setup that failed to meet security recommendations. The attack, linked to North Korea's Lazarus Group, has raised alarms abo...

    Crypto Briefing

    Kelp DAO blames $292M rsETH exploit on LayerZero breach, Lazarus Group involved

    Kelp DAO has reported a significant exploit resulting in a loss of approximately $292 million from its rsETH bridge, attributing the breach to vulnerabilities in LayerZero's infrastructure and involvement from the North Korean Lazarus Group.