KelpDAO suffers $290 million heist tied to Lazarus hackers
At a glance:
- KelpDAO lost roughly $290 million when about 116,500 rsETH tokens were stolen.
- The attack exploited LayerZero’s verification layer (DVN) and is attributed to North Korea’s Lazarus Group.
- Other DeFi protocols – Compound, Euler and Aave – were temporarily affected, with Aave freezing rsETH collateral.
What happened
On Saturday, the decentralized finance project KelpDAO announced a massive breach that resulted in the loss of roughly 116,500 rsETH tokens, valued at about $293 million USD. The tokens represent a liquid restaking position on Ethereum, allowing users to earn yield while keeping their assets usable across DeFi and even across chains via LayerZero. KelpDAO detected “suspicious cross‑chain activity” on April 18 and immediately paused all rsETH contracts on Ethereum mainnet and its L2 extensions.
The theft was not isolated to KelpDAO alone. The same cross‑chain vectors touched three major lending platforms – Compound, Euler and Aave – prompting Aave to freeze new deposits and borrowing that used rsETH as collateral. While the breach was confined to the rsETH token, the incident highlighted a systemic risk in how cross‑chain messages are verified.
How the attack worked
According to LayerZero, the perpetrators targeted the verification layer known as the DVN (Decentralized Verification Network). They compromised several RPC nodes that the DVN relies on for blockchain data, feeding the verifier falsified state information. At the same time, the attackers launched a distributed‑denial‑of‑service (DDoS) campaign against the remaining healthy RPC nodes, forcing the DVN to trust the poisoned nodes.
This manipulation allowed a fabricated cross‑chain message to be accepted as legitimate. The system consequently recorded transactions that never occurred on‑chain, enabling the unauthorized movement of rsETH tokens. After the fake messages were processed, the stolen tokens were funneled through Tornado Cash mixers to obscure their trail.
LayerZero’s preliminary forensic indicators point strongly toward the DPRK‑backed Lazarus Group, specifically a sub‑unit known as “TraderTraitor.” The attribution is based on attack signatures, infrastructure reuse, and patterns observed in previous Lazarus operations.
Response and investigation
KelpDAO immediately launched an investigation with the help of LayerZero, Unichain and other security partners. The team paused all rsETH contracts, issued public alerts, and began forensic tracing of the mixed funds. Aave’s swift freeze of rsETH‑backed activity prevented further exposure for its users, while Compound and Euler are reviewing their own cross‑chain integrations.
LayerZero released a detailed post‑mortem explaining the DVN compromise and outlined steps to harden RPC node selection, improve redundancy, and add additional validation layers. KelpDAO also pledged to reimburse affected users through its insurance fund, though the exact timeline for payouts remains under discussion.
Broader impact and previous attacks
The $290 million loss marks one of the largest DeFi heists of the year. It follows a similarly sized theft from the Drift Protocol, where Lazarus allegedly siphoned $280 million after a six‑month operation involving conference‑level social engineering and $1 million seed deposits.
Both incidents underscore a growing trend: state‑sponsored actors are increasingly targeting cross‑chain bridges and verification layers, which are often less scrutinized than core smart contracts. The attacks also revive concerns about mixers like Tornado Cash, which continue to be used to launder illicit crypto proceeds despite regulatory pressure.
Outlook and mitigation
The KelpDAO breach serves as a cautionary tale for the broader DeFi ecosystem. Projects that rely on third‑party cross‑chain messaging must reassess their trust assumptions, diversify RPC providers, and consider on‑chain verification redundancies. Industry observers expect tighter regulatory scrutiny of mixers and greater demand for formal verification of bridge code.
In the short term, users with rsETH exposure should monitor Aave’s freeze status and consider moving assets to alternative collateral types. Longer‑term, the incident may accelerate the adoption of more robust, decentralized verification frameworks and push developers toward zero‑trust designs for cross‑chain communication.
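The mechanism described under "How the attack worked" and the mitigations listed above (diversified RPC providers, verification redundancy, fail-closed trust assumptions) can be shown side by side in a small simulation. The following is an added example written for this article; it is not code from KelpDAO, LayerZero or the article itself, and it does not reproduce LayerZero's actual DVN implementation. It models a verifier that must confirm a claimed source-chain state root before accepting a cross-chain message. The weak verifier decides by majority of whichever RPC nodes happen to answer, so knocking honest nodes offline hands the decision to the compromised ones; the hardened verifier requires a quorum of the configured nodes across distinct operators and refuses to decide (fails closed) when too few answer. Node names, operator labels, block numbers and state roots are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"            # enough independent nodes confirm the claimed state
    REJECT = "reject"            # nodes answered and the claim was not confirmed
    UNAVAILABLE = "unavailable"  # too few nodes answered: fail closed, retry later


@dataclass(eq=False)
class RpcNode:
    """One RPC endpoint the verifier queries for source-chain state (constructed model)."""
    name: str
    operator: str        # who runs it; diversity is measured per operator
    reported: dict       # block -> state root this node will report
    online: bool = True  # False models a node taken out by a DDoS campaign

    def state_root(self, block):
        return self.reported.get(block) if self.online else None


def collect(nodes, block):
    """Query every configured node; offline nodes contribute nothing."""
    answers = {}
    for node in nodes:
        root = node.state_root(block)
        if root is not None:
            answers[node] = root
    return answers


def verify_majority_of_responders(nodes, block, claimed_root):
    """Weak design: accept if most of the nodes that *answered* agree with the claim.
    Availability is not part of the decision, so whoever is left standing decides."""
    answers = collect(nodes, block)
    if not answers:
        return Verdict.UNAVAILABLE
    agree = sum(1 for root in answers.values() if root == claimed_root)
    return Verdict.ACCEPT if agree * 2 > len(answers) else Verdict.REJECT


def verify_quorum(nodes, block, claimed_root, quorum, min_operators):
    """Hardened design: the claim must be confirmed by at least `quorum` of the
    *configured* nodes, spread over at least `min_operators` distinct operators.
    Pick quorum > len(nodes) / 2 so two conflicting roots can never both qualify.
    Silence from offline nodes is never counted as agreement."""
    answers = collect(nodes, block)
    agreeing = [node for node, root in answers.items() if root == claimed_root]
    if len(agreeing) >= quorum and len({n.operator for n in agreeing}) >= min_operators:
        return Verdict.ACCEPT
    # Distinguish "nodes answered but did not confirm" from "nodes did not answer".
    return Verdict.REJECT if len(answers) >= quorum else Verdict.UNAVAILABLE


# Constructed sample data: the real root of block 100 and the root a forged message claims.
BLOCK = 100
HONEST_ROOT = "0xa1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"
FORGED_ROOT = "0xb2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2"


def build_nodes(ddos_active):
    """Five configured nodes: three honest (offline during the DDoS), two compromised."""
    honest, poisoned = {BLOCK: HONEST_ROOT}, {BLOCK: FORGED_ROOT}
    return [
        RpcNode("rpc-1", "operator-A", honest, online=not ddos_active),
        RpcNode("rpc-2", "operator-B", honest, online=not ddos_active),
        RpcNode("rpc-3", "operator-C", honest, online=not ddos_active),
        RpcNode("rpc-4", "operator-D", poisoned),  # compromised, feeds falsified state
        RpcNode("rpc-5", "operator-D", poisoned),  # compromised, same operator as rpc-4
    ]


def run_scenarios():
    """Verdicts of both verifiers in normal operation and while honest nodes are down."""
    results = {}
    for ddos in (False, True):
        nodes = build_nodes(ddos)
        results["ddos" if ddos else "normal"] = {
            "responders_forged": verify_majority_of_responders(nodes, BLOCK, FORGED_ROOT),
            "quorum_forged": verify_quorum(nodes, BLOCK, FORGED_ROOT, quorum=3, min_operators=2),
            "quorum_legit": verify_quorum(nodes, BLOCK, HONEST_ROOT, quorum=3, min_operators=2),
            # Too small a quorum, rescued only by the operator-diversity requirement.
            "weak_quorum_forged": verify_quorum(nodes, BLOCK, FORGED_ROOT, quorum=2, min_operators=2),
        }
    return results


if __name__ == "__main__":
    for scenario, verdicts in run_scenarios().items():
        for check, verdict in verdicts.items():
            print(f"{scenario:6} {check:20} {verdict.value}")
```

The cost of the hardened design is visible in the output: while the honest nodes are unreachable it also refuses the legitimate message ("unavailable") rather than guessing. That is the trade the article's mitigations imply: a verifier that cannot reach enough independent sources should stall and alert, not fall back to whatever answers, because an attacker who can silence nodes can otherwise choose which ones remain.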
FAQ
How many rsETH tokens were stolen in the KelpDAO heist?
Roughly 116,500 rsETH tokens, valued at about $290 million.
Which DeFi platforms were affected by the cross‑chain attack?
Besides KelpDAO itself, the lending platforms Compound, Euler and Aave were affected; Aave froze new deposits and borrowing that used rsETH as collateral.
What method did the attackers use to compromise the LayerZero verification layer?
They compromised several RPC nodes that LayerZero's DVN relies on for blockchain data and fed it falsified state, while running a DDoS campaign against the remaining healthy nodes so the DVN was left trusting the poisoned ones, allowing a fabricated cross‑chain message to be accepted as legitimate.
Prepared by the editorial stack from public data and external sources.