LayerZero Links $292M KelpDAO Bridge Hack to North Korea's Lazarus Group
North Korea's Lazarus Group likely stole $292M from KelpDAO's rsETH bridge on April 18, 2026, per LayerZero. The attack exploited a single-verifier configuration the messaging protocol says it had flagged as a risk before the incident.
North Korea's Lazarus Group likely stole $292 million from KelpDAO's rsETH bridge on April 18, 2026, according to LayerZero, making it the largest DeFi exploit of the year. The attack exploited a single-verifier configuration in KelpDAO's cross-chain bridge infrastructure, a setup that LayerZero claims it had previously warned the protocol against using.
The mechanics were precise and fast. Attackers forged a cross-chain message to drain funds from the rsETH bridge, then came within minutes of executing a second drain before being stopped. LayerZero attributed the attack specifically to TraderTraitor, a subgroup within Lazarus that U.S. authorities have previously linked to sophisticated cryptocurrency theft campaigns. At $292 million, the exploit surpasses the previous 2026 record of $285 million, cementing it as the year's most damaging DeFi security incident.
KelpDAO is a liquid restaking protocol backed by YZi Labs, the family office of Binance co-founder Changpeng Zhao. Liquid restaking protocols let users deposit assets like staked ETH and receive a liquid token, in this case rsETH, usable across DeFi while the underlying asset continues earning staking rewards. The protocol's cross-chain bridge, built on LayerZero's messaging infrastructure, is what attackers targeted. A single-verifier configuration means only one entity validates cross-chain messages, a design that reduces operational complexity but creates a single point of failure. LayerZero says it flagged this risk to KelpDAO before the attack occurred.
That claim is contested. LayerZero's attribution to Lazarus Group rests on what it describes as "preliminary indicators," not confirmed findings from law enforcement or independent blockchain forensics firms. KelpDAO may dispute the characterization that it ignored security warnings, and the choice of a single-verifier setup could reflect a deliberate trade-off between operational efficiency and security hardening rather than outright negligence. Blaming a state-sponsored actor also risks obscuring a simpler reality: the architectural flaw exploited here is not unique to North Korean hackers. Any sufficiently motivated and skilled attacker could have done the same.
The broader DeFi exposure is real but may be overstated in early reporting. Protocols including Aave hold positions tied to rsETH, raising questions about contagion risk. How deep that exposure runs depends on each protocol's specific collateral parameters and liquidation thresholds, details still being assessed in the hours after the exploit. Emergency governance measures were reportedly triggered across several platforms as a precaution.
This attack fits a well-documented pattern. Lazarus Group has been linked to the 2022 Ronin Bridge hack, which drained $625 million from Axie Infinity's sidechain, and the 2021 Poly Network exploit that temporarily removed $611 million from circulation. The Wormhole bridge hack in February 2022 cost $325 million and similarly stemmed from inadequate validation logic in cross-chain message handling. Each incident exposed the same fundamental tension: cross-chain bridges require trust assumptions, and those assumptions become targets. The KelpDAO hack marks a notable escalation in that attackers are now focusing on liquid restaking infrastructure, a sector that has grown rapidly since Ethereum's Shapella upgrade in April 2023 enabled withdrawals and made staking more composable.
The security implications extend beyond KelpDAO. Multi-verifier configurations, decentralized oracle networks, and time-locked withdrawals are all established mitigations for the class of vulnerability exploited here. That a protocol backed by a high-profile investor and built on a major messaging layer was still running single-verifier architecture in 2026 points to a persistent gap between what the industry knows about bridge security and what gets deployed in production. Speed to market, cost of infrastructure, and developer convenience continue to win out over defensive design in too many cases. Until that calculus changes, cross-chain bridges will remain the most reliably exploitable surface in DeFi.
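The difference between a single-verifier and a multi-verifier setup can be shown with a small acceptance check. The sketch below is an added illustration, not code from LayerZero or KelpDAO: the verifier names, keys, config fields and message are constructed for the demo, and an HMAC stands in for a verifier's signature.

```python
import hashlib
import hmac

# Constructed verifier keys for the demo (hypothetical names, not real operators).
VERIFIER_KEYS = {
    "verifier-a": b"demo-key-a",
    "verifier-b": b"demo-key-b",
    "verifier-c": b"demo-key-c",
}


def attest(verifier, message):
    """Attestation a verifier issues for a message (HMAC stands in for a signature)."""
    return hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).digest()


def valid_attesters(message, attestations, allowed):
    """Return the set of allowed verifiers whose attestation checks out."""
    ok = set()
    for verifier, tag in attestations.items():
        if verifier in allowed and hmac.compare_digest(tag, attest(verifier, message)):
            ok.add(verifier)
    return ok


def accept(message, attestations, config):
    """Accept only if at least `threshold` distinct allowed verifiers attested."""
    good = valid_attesters(message, attestations, set(config["verifiers"]))
    return len(good) >= config["threshold"]


def audit(config):
    """Flag configurations in which one verifier alone can approve a message."""
    findings = []
    distinct = set(config["verifiers"])
    if config["threshold"] < 2:
        findings.append("threshold < 2: a single verifier can approve a message")
    if len(distinct) < 2:
        findings.append("fewer than 2 distinct verifiers configured")
    if config["threshold"] > len(distinct):
        findings.append("threshold exceeds distinct verifiers: nothing can be accepted")
    return findings


# Hypothetical configs: the single-verifier setup and a 2-of-3 alternative.
SINGLE = {"verifiers": ["verifier-a"], "threshold": 1}
QUORUM = {"verifiers": ["verifier-a", "verifier-b", "verifier-c"], "threshold": 2}

# Constructed message; only verifier-a has attested to it.
MSG = b"release 100 rsETH to 0xRECIPIENT_PLACEHOLDER"
ONE_ATTESTATION = {"verifier-a": attest("verifier-a", MSG)}
```

With the same lone attestation, `accept` passes the message under `SINGLE` and rejects it under `QUORUM`, and `audit` reports the single-verifier config before any message is processed.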



