Full Report
State-sponsored North Korean hackers are likely behind the $290 million crypto-heist that impacted the KelpDAO DeFi project on Saturday. [...]
Analysis Summary
# Incident Report: Lazarus Group Exploitation of KelpDAO/LayerZero Infrastructure
## Executive Summary
KelpDAO, a liquid restaking DeFi protocol, suffered a $290 million theft orchestrated by the North Korean state-sponsored Lazarus Group (specifically the "TraderTraitor" subgroup). The attackers manipulated cross-chain verification mechanisms by poisoning RPC nodes and launching DDoS attacks, allowing them to authorize fraudulent cross-chain transfers of rsETH. The incident prompted emergency freezes across multiple DeFi protocols including Aave, Compound, and Euler.
## Incident Details
- **Discovery Date:** April 18, 2026
- **Incident Date:** April 18, 2026
- **Affected Organization:** KelpDAO (impact also felt by LayerZero, Aave, Compound, Euler)
- **Sector:** Decentralized Finance (DeFi) / Web3 Infrastructure
- **Geography:** Global / Distributed
## Timeline of Events
### Initial Access
- **Date/Time:** April 18, 2026
- **Vector:** Infrastructure Compromise / RPC Node Poisoning
- **Details:** Attackers gained unauthorized access to specific RPC (Remote Procedure Call) nodes used by the Decentralized Verifier Network (DVN) responsible for validating cross-chain messages.
### Lateral Movement
- **Movement:** Attackers did not traverse a traditional enterprise network; instead they moved horizontally across infrastructure layers, from the compromised RPC nodes into the message verification layer of the LayerZero protocol.
### Data Exfiltration/Impact
- **Impact:** Fraudulent cross-chain messages were validated, authorizing the illicit transfer of approximately 116,500 rsETH.
- **Laundering:** Stolen funds were routed through Tornado Cash to obfuscate the transaction trail.
### Detection & Response
- **Detection:** KelpDAO detected "suspicious cross-chain activity" involving the rsETH token.
- **Response:** KelpDAO paused rsETH contracts on Ethereum mainnet and Layer 2s; Aave froze rsETH-related markets and blocked new deposits/borrowing.
## Attack Methodology
- **Initial Access:** Compromise of RPC nodes used by verifiers.
- **Persistence:** Not explicitly detailed; likely maintained via control of infrastructure nodes.
- **Privilege Escalation:** Manipulation of the verification layer (DVN) to override protocol rules.
- **Defense Evasion:** Use of Distributed Denial of Service (DDoS) against "healthy" (legitimate) RPC nodes to force the protocol to rely on "poisoned" nodes controlled by the attackers.
- **Credential Access:** Likely compromise of node access keys or administrative credentials.
- **Discovery:** Pre-attack reconnaissance of LayerZero’s cross-chain validation architecture.
- **Lateral Movement:** Passing forged messages, validated by the compromised nodes, through to the smart contract layer.
- **Collection:** Gathering rsETH across various chains.
- **Exfiltration:** Transfer of 116,500 rsETH to attacker-controlled wallets.
- **Impact:** Financial theft totaling ~$293 million USD.
## Impact Assessment
- **Financial:** Estimated loss of $293 million USD in rsETH.
- **Data Breach:** Compromised integrity of cross-chain message verification data.
- **Operational:** Emergency shutdown of rsETH contracts; suspension of rsETH as collateral in major DeFi lending markets (Aave, Euler, Compound).
- **Reputational:** Significant blow to KelpDAO and the perceived security of LayerZero’s DVN architecture.
## Indicators of Compromise
- **Network indicators:** High-volume traffic originating from DDoS botnets targeting legitimate RPC endpoints.
- **File indicators:** Not disclosed (likely infrastructure-level exploits).
- **Behavioral indicators:** Mismatch between on-chain reality and DVN-validated messages; heavy reliance on a subset of RPC nodes suddenly reporting anomalous data.
## Response Actions
- **Containment:** KelpDAO paused all rsETH smart contracts; Aave implemented a protocol-level freeze on rsETH assets.
- **Eradication:** Investigation launched in coordination with LayerZero, Unichain, and security partners to identify and reclaim compromised nodes.
- **Recovery:** Ongoing collaboration with cross-chain security providers to harden the DVN layer.
## Lessons Learned
- **Redundancy Vulnerabilities:** Reliance on RPC nodes becomes a single point of failure if healthy nodes can be DDoS-ed into submission, forcing the system to fall back on malicious ones.
- **Attribution:** The sophistication points toward Lazarus (TraderTraitor), highlighting their continued focus on complex cross-chain bridges and restaking protocols.
- **Interconnectedness:** A breach in one DeFi primitive (KelpDAO) has immediate, cascading impacts on the liquidity of the broader ecosystem (Aave/Compound).
## Recommendations
- **Oracle/RPC Diversity:** Implement more robust, decentralized RPC node sets that cannot be easily silenced by DDoS.
- **Circuit Breakers:** Enhance automated monitoring to trigger contract pauses if cross-chain message volume exceeds historical norms.
- **Zero Trust Infrastructure:** Treat all RPC data as potentially "poisoned" and implement multi-signature or multi-path verification for high-value cross-chain transfers.
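The fail-closed, multi-path verification the recommendations above call for, as an added Python example that is not KelpDAO's or LayerZero's code: a "trust whoever still answers" verifier beside a quorum verifier that counts agreement against the full configured node set, so nodes silenced by DDoS are missing votes rather than being dropped from the denominator. Node names, message hashes and the 3-of-5 quorum are constructed for illustration.

```python
from collections import Counter
from typing import Dict, Optional

UNREACHABLE = None  # node that timed out or was silenced (e.g. under DDoS)


def naive_verify(responses: Dict[str, Optional[str]]) -> Optional[str]:
    """Weak design: accept the majority answer among nodes that replied.
    Knocking honest nodes offline shrinks the electorate until the
    poisoned minority becomes a majority."""
    reachable = [v for v in responses.values() if v is not UNREACHABLE]
    if not reachable:
        return None
    value, votes = Counter(reachable).most_common(1)[0]
    return value if votes > len(reachable) / 2 else None


def quorum_verify(responses: Dict[str, Optional[str]], quorum: int) -> Optional[str]:
    """Hardened design: require `quorum` identical answers out of ALL
    configured nodes. Unreachable nodes are missing votes and stay in the
    denominator, so the check fails closed when honest nodes are silenced."""
    if quorum <= len(responses) // 2:
        raise ValueError("quorum must be a strict majority of configured nodes")
    reachable = [v for v in responses.values() if v is not UNREACHABLE]
    if not reachable:
        return None
    value, votes = Counter(reachable).most_common(1)[0]
    return value if votes >= quorum else None


# Constructed scenario (not real data): 5 configured DVN RPC nodes, the 3
# honest ones DDoS-ed offline, 2 attacker-controlled ones agreeing on a forged
# cross-chain message hash.
UNDER_ATTACK = {"rpc-a": UNREACHABLE, "rpc-b": UNREACHABLE, "rpc-c": UNREACHABLE,
                "rpc-d": "0xforged", "rpc-e": "0xforged"}
# Same poisoned pair, but the honest nodes are reachable.
HEALTHY = {"rpc-a": "0xreal", "rpc-b": "0xreal", "rpc-c": "0xreal",
           "rpc-d": "0xforged", "rpc-e": "0xforged"}

if __name__ == "__main__":
    print("naive, honest nodes silenced :", naive_verify(UNDER_ATTACK))      # 0xforged
    print("quorum, honest nodes silenced:", quorum_verify(UNDER_ATTACK, 3))  # None
    print("quorum, all reachable        :", quorum_verify(HEALTHY, 3))       # 0xreal
```

A `None` result should route the transfer to a hold queue or trigger the contract pause described under Circuit Breakers, never to a retry against whichever nodes remain.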