Crypto industry rocked by $290M Kelp DAO exploit, North Korea's Lazarus Group suspected

A $290 million theft from Kelp DAO on Saturday has left the decentralized finance (DeFi) industry in panic.
The restaking platform Kelp said it was forced to pause the contracts of its rsETH (restaked ether) token after "suspicious cross-chain activity" was identified on Saturday. The attackers appear to have stolen 116,500 rsETH through a blockchain bridge powered by the LayerZero protocol, infrastructure used to pass messages and assets between blockchains.
While Kelp hasn't provided any other updates since the incident, the team behind LayerZero suggested in an update on Monday morning that this attack might have been executed by "a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor."
The team claims that this incident was isolated to Kelp DAO’s rsETH configuration and there is zero contagion to any other cross-chain assets or applications.
"The subject of this highly sophisticated attack was the poisoning of the downstream RPC [remote procedure call] infrastructure used by the LayerZero Labs DVN [decentralized verifier network, used to verify the integrity of cross-chain messages]. All affected RPC nodes have been deprecated and replaced, and the LayerZero Labs DVN is now live," the team said.
It pointed out that the attack was possible because of Kelp's single-DVN setup. The industry best practice is a multi-DVN configuration with diverse, redundant verifiers, so that no single DVN (and no single RPC provider behind it) becomes a single point of failure.
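To make the single-point-of-failure argument concrete, here is a constructed toy model (added for this article, not LayerZero's or Kelp's code; every name and value is invented) in which each verifier attests to whatever its own RPC endpoint reports, and a bridge message is accepted only when enough verifiers agree.

```python
"""Toy model: cross-chain message verification with one vs. several verifiers.

Constructed illustration, not LayerZero code. Each verifier (DVN) reads the
source chain through its own RPC endpoint and attests to the hash of the
message it sees. A poisoned RPC feeds one verifier a forged message.
"""
import hashlib
from typing import Callable, List, Tuple

def msg_hash(payload: str) -> str:
    return hashlib.sha256(payload.encode()).hexdigest()

# Constructed sample messages (placeholder addresses, not real ones).
REAL_MSG = "unlock 10 rsETH to 0xALICE_PLACEHOLDER"
FORGED_MSG = "unlock 116500 rsETH to 0xATTACKER_PLACEHOLDER"

def honest_rpc(_msg_id: str) -> str:
    """An RPC endpoint that reports the real source-chain message."""
    return REAL_MSG

def poisoned_rpc(_msg_id: str) -> str:
    """An RPC endpoint under attacker control that reports a forged message."""
    return FORGED_MSG

def dvn_attest(rpc: Callable[[str], str], msg_id: str) -> str:
    """A DVN attests to the hash of whatever its RPC view of the source chain says."""
    return msg_hash(rpc(msg_id))

def verify(claimed_payload: str, msg_id: str,
           dvns: List[Callable[[str], str]], required: int) -> bool:
    """Accept the payload on the destination side only if `required` DVNs attest to its hash."""
    target = msg_hash(claimed_payload)
    votes = sum(1 for rpc in dvns if dvn_attest(rpc, msg_id) == target)
    return votes >= required

def single_dvn_outcome() -> bool:
    # One DVN whose RPC is poisoned: the forged payload is accepted outright.
    return verify(FORGED_MSG, "msg-1", [poisoned_rpc], required=1)

def multi_dvn_outcome() -> Tuple[bool, bool]:
    # 2-of-3 DVNs on independent RPC providers, one of them poisoned:
    # the forged payload is rejected and the real one still passes.
    dvns = [poisoned_rpc, honest_rpc, honest_rpc]
    forged_accepted = verify(FORGED_MSG, "msg-1", dvns, required=2)
    real_accepted = verify(REAL_MSG, "msg-1", dvns, required=2)
    return forged_accepted, real_accepted
```

The quorum only helps if the DVNs genuinely depend on different RPC providers; three verifiers reading the same poisoned endpoint would vote identically.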
Meanwhile, the incident is not as isolated as LayerZero says.
A developer of the DeFi data platform DeFiLlama, 0xngmi, said that the rsETH hack is leading to billions of withdrawals across all lending protocols, even on the Solana blockchain and unaffected protocols. This was another reminder of how the interconnectedness in DeFi is a risk for the whole industry.
Curve Finance founder Michael Egorov concluded that non-isolated lending in DeFi is very risky and urged users to use cross-chain infrastructure only when it's "absolutely necessary, and do it REALLY carefully."