LayerZero Team Accused North Korea of Hacking KelpDAO

LayerZero Team Accused North Korea of Hacking KelpDAO

Behind the attack on the liquid restaking protocol KelpDAO, which saw attackers siphon off roughly $290 million-$292 million, is likely the North Korean hacking group Lazarus Group — specifically its TraderTraitor subunit, which is often linked to state-backed cyberattacks — according to a statement from LayerZero.

The incident, which occurred on April 18, 2026, has already triggered a chain reaction across the DeFi sector: mass withdrawals from Aave, a drop in the market’s total value locked, and renewed concerns about the security of crosschain infrastructure.

The company stressed that the hack was not tied to a vulnerability in the protocol itself, but to the configuration of KelpDAO rsETH, which used a 1-of-1 DVN model — a single verifier with no redundancy.

How the Hack Happened and Why Responsibility Is Partly Placed on KelpDAO

According to LayerZero, the attackers carried out a sophisticated attack on the RPC infrastructure used by the DVN node to validate transactions.

The hackers:

  • Compromised two RPC nodes
  • Replaced the binary files that ran the op-geth nodes
  • Carried out RPC request spoofing attacks
  • Simultaneously launched a DDoS attack on unaffected nodes
  • Forced the system to switch to “poisoned” backup RPCs

As a result, the DVN confirmed transactions that never actually happened.

LayerZero emphasized that the compromise did not spread to other assets.

At the same time, the crypto community sharply criticized KelpDAO for choosing a weak architecture without redundant verification. One user, under the handle hendricks, noted that the risk of the 1/1 DVN model had been raised as far back as 15 months ago on the Aave governance forum:

“This wasn’t bad luck — this was a conscious choice. Extremely suspicious.”

Criticism was also directed at LayerZero itself. User Bradly (CryptPlayer) noted:

“It looks like you shift all responsibility to KelpDAO, but actually you share it.”

A similar view was voiced by StarkWare CISO Haim Krasniker, who pointed out a contradiction in the failover mechanism:

“Once that DDoS happened, it should not default to Internal RPCs that are solely controlled by LZ.”

Domino Effect: Aave, Decline in TVL, and Pressure on ETH Liquidity

The most serious secondary hit landed on Aave. After the hack, the rsETH asset was urgently frozen on Aave V3 and V4. This was announced by protocol founder Stani Kulechov.

According to market estimates, the incident has already caused Aave’s TVL to drop to approximately $18 billion due to fears of bad debt.

Analyst Anndy Lian noted that the direct debt of $177 million accounts for just 0.65% of Aave’s total value locked (TVL), estimated at around $27.3 billion, but the biggest pressure is being felt by liquidity providers on Ethereum.

In his words:

“It is currently facing its most severe existential test since inception.”

Even so, experts are not yet talking about a systemic collapse, as other markets — USDC, GHO, WBTC — continue to operate normally.

Recall that the KelpDAO hack was only part of a broader cybersecurity crisis in the crypto industry. According to CertiK, in March 2026 alone, 46 attacks were recorded, the highest figure since November 2024.

In addition, the market has already endured:

  • The hack of Drift for about $280 million
  • An incident involving Stabble due to the possible involvement of a developer linked to North Korea
  • The hack of Hyperbridge, which triggered Polkadot (DOT) to drop to $1.15 after the illicit minting of 1 billion DOT

 

Source: https://incrypted.com/en/layerzero-team-accused-north-korea-of-hacking-kelpdao/

 

 

 

Anndy Lian is an early blockchain adopter and experienced serial entrepreneur who is known for his work in the government sector. He is a best selling book author- “NFT: From Zero to Hero” and “Blockchain Revolution 2030”.

Currently, he is appointed as the Chief Digital Advisor at Mongolia Productivity Organization, championing national digitization. Prior to his current appointments, he was the Chairman of BigONE Exchange, a global top 30 ranked crypto spot exchange and was also the Advisory Board Member for Hyundai DAC, the blockchain arm of South Korea’s largest car manufacturer Hyundai Motor Group. Lian played a pivotal role as the Blockchain Advisor for Asian Productivity Organisation (APO), an intergovernmental organization committed to improving productivity in the Asia-Pacific region.

An avid supporter of incubating start-ups, Anndy has also been a private investor for the past eight years. With a growth investment mindset, Anndy strategically demonstrates this in the companies he chooses to be involved with. He believes that what he is doing through blockchain technology currently will revolutionise and redefine traditional businesses. He also believes that the blockchain industry has to be “redecentralised”.