State-sponsored North Korean hackers are likely behind the $290 million crypto-heist that impacted the KelpDAO DeFi project on Saturday.
The attack reportedly also impacted the lending protocols Compound, Euler, and Aave, with the latter announcing a freeze and blocking new deposits or borrowing using rsETH as collateral.
KelpDAO is a decentralized finance (DeFi) project built around liquid restaking on the Ethereum network. It accepts user ETH deposits, restakes them, and returns a liquid token named ‘rsETH,’ that represents the restaked position.
The rsETH token is meant to help users keep earning restaking yield, while it stays usable across DeFi, including cross-chain via LayerZero, an inter-blockchain communication protocol and interoperability layer.
On April 18, KelpDAO announced that it detected “suspicious cross-chain activity” involving rsETH, forcing it to pause rsETH contracts across the Ethereum mainnet and L2s.
The project launched an investigation with the help of LayerZero, Unichain, and other partners.
.png)
Blockchain activity showed that around 116,500 rsETH were stolen, around $293 million in USD value, and went through Tornado Cash to hide the trace.
According to additional details that LayerZero shared today, the attack targeted the verification layer (DVN) used to validate cross-chain messages for rsETH.
Specifically, the attackers compromised some RPC nodes used by the verifier, feeding it falsified blockchain data, while simultaneously DDoS-ing healthy RPC nodes to force the system to rely on the “poisoned” ones.
This allowed a fake cross-chain message to be accepted as valid. The system confirmed transactions that never actually occurred on-chain and enabled moving the rsETH without authorization.
Based on preliminary evaluation of the attack indicators, LayerZero believes that the infamous Lazarus hackers are likely responsible for the heist.
“Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor,” stated LayerZero.
The protocol also noted that the incident was isolated to rsETH and that there’s no broader contagion across other apps or assets.
While the KelpDAO breach constitutes a major loss so far this year in terms of the stolen amount, the Lazarus Group has also been linked to another large theft, $280 million from the Drift Protocol.
According to a post-mortem report, that attack was the result of a six-month-long, carefully planned operation that involved malicious agents attending conferences and $1 million deposits into the project.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
