
KelpDAO $290M Hack Wipes $13B From DeFi

A $290 million exploit of the KelpDAO cross-chain bridge on April 18, attributed by LayerZero to North Korea’s Lazarus Group, sent shockwaves through DeFi and wiped more than $13 billion from the total value locked across DeFi platforms within 48 hours.

Summary

  • Attackers drained 116,500 rsETH worth about $290 million from KelpDAO’s LayerZero-powered bridge on April 18 in the biggest DeFi exploit of 2026 so far.
  • LayerZero attributed the attack to North Korea’s Lazarus Group, specifically its subgroup TraderTraitor.
  • The exploit triggered more than $13 billion in outflows from DeFi platforms, including Aave, which halted rsETH markets in both its V3 and V4 deployments.

Attackers extracted 116,500 rsETH, worth about $290 million, from KelpDAO’s LayerZero-powered cross-chain bridge on April 18, in what CoinDesk called the biggest DeFi exploit of 2026 so far. LayerZero, whose infrastructure supported the bridge, said in a statement on Monday that “initial indications suggest that it has been taken by a high-level national actor, possibly the Lazarus Group of the DPRK.”

KelpDAO Hack Causes $13 Billion DeFi Crash

The attack worked by compromising two remote procedure call (RPC) nodes that the LayerZero authenticator relies on to verify cross-chain transactions, then flooding the backup nodes with junk traffic to force a failover to the poisoned nodes. Once the validator signed the transaction, the bridge issued $290 million in rsETH to an address controlled by the attacker. The malware then self-destructed, deleting binaries and logs to interfere with forensic investigations. As crypto.news reported, the exploit caused more than $10 billion in outflows from Aave alone, with the lending protocol’s total value locked falling from $45.8 billion to $35.7 billion as users tried to exit. UPI reported that more than $13 billion was wiped from the total value locked across all DeFi platforms in the two days following the breach.
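The failure mode described above, modelled as an added example that is not LayerZero's or KelpDAO's code: a signer that fails over to whichever upstream node still answers signs the forged message, while one that requires a fixed quorum of its configured nodes refuses. The node labels, hashes and function names are constructed for illustration; the page does not describe the verifier's internals.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decision:
    sign: bool
    payload_hash: Optional[str]
    reason: str

def naive_failover(replies):
    """Weak pattern: sign whatever the first node that answers reports."""
    for node, payload_hash in replies:
        if payload_hash is not None:
            return Decision(True, payload_hash, f"first responder {node}")
    return Decision(False, None, "no node answered")

def quorum_read(replies, configured, quorum):
    """Sign only if `quorum` distinct configured nodes report the same hash."""
    # A single source is a single point of failure; the quorum must be a strict
    # majority of the configured set, so timeouts count against it (fail closed).
    if len(configured) < 2 or quorum * 2 <= len(configured):
        raise ValueError("need >= 2 nodes and a strict-majority quorum")
    seen = {}
    for node, payload_hash in replies:
        if node in configured and node not in seen:  # drop unknown or repeated nodes
            seen[node] = payload_hash
    votes = Counter(h for h in seen.values() if h is not None)
    if votes:
        top_hash, count = votes.most_common(1)[0]
        if count >= quorum:
            others = sorted(n for n, h in seen.items() if h != top_hash)
            return Decision(True, top_hash, f"{count}/{len(configured)} agree; investigate {others}")
    return Decision(False, None, f"no hash reached {quorum}/{len(configured)}; refusing to sign")

# Constructed sample data: node labels and hashes are made up for illustration.
NODES = {"node-a", "node-b", "node-c", "node-d", "node-e"}
# Two poisoned nodes report a forged message; three backups are flooded and time out.
ATTACK = [("node-a", "0xforged"), ("node-b", "0xforged"),
          ("node-c", None), ("node-d", None), ("node-e", None)]
HEALTHY = [(n, "0xreal") for n in sorted(NODES)]

if __name__ == "__main__":
    print("naive :", naive_failover(ATTACK))
    print("quorum:", quorum_read(ATTACK, NODES, quorum=3))
    print("quorum:", quorum_read(HEALTHY, NODES, quorum=3))
```

A refusal here is also a detection signal: several configured nodes timing out at once while the remaining ones agree with each other is worth alerting on rather than retrying silently.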

LayerZero and KelpDAO Trade Blame Over Security Configuration

A dispute arose over who was responsible for the vulnerability that made the attack possible. LayerZero said KelpDAO chose to use a 1-of-1 authenticator network configuration, a single point of failure it had repeatedly warned about, and announced that it would no longer sign messages for any application using that setup. KelpDAO pushed back, telling CoinDesk that its configuration followed LayerZero’s documented defaults and that the compromised validator was part of LayerZero’s infrastructure. As documented by crypto.news, independent security researchers, including a Yearn Finance developer, found that LayerZero’s public-use code ships with single-source authentication by default across major chains, undermining the company’s claim that KelpDAO had strayed from its guidance.

What Hack Means for DeFi Security and Institutional Trust

The KelpDAO exploit is the second major DeFi breach linked to Lazarus in April alone, following the $285 million Drift Protocol attack on April 1, bringing the group’s DeFi total for the month to over $575 million. The attacker has started to launder the stolen funds, moving assets through Arbitrum and Tron-based stablecoins, as crypto.news tracked. Jefferies warned that marquee hacks of this scale could temporarily slow Wall Street’s appetite for tokenization projects, as institutions reassess the security risks embedded in DeFi bridge infrastructure. LayerZero said it has confirmed there is no impact on other applications that use multiple-authenticator setups, but it has forced a protocol-wide migration away from single-authenticator setups.

LayerZero said it is working with KelpDAO, the Security Alliance, and law enforcement agencies to recover the stolen funds, although the attacker’s use of encryption tools has complicated recovery efforts.
