
Lazarus Hackers Exploit KelpDAO, Drain 116,500 rsETH and Trigger DeFi Crisis
Key Takeaways
- Attack on KelpDAO drained 116,500 rsETH worth about $292 million.
- LayerZero cross-chain vulnerability enabled the attack via a single verifier.
- DeFi TVL fell about $13.21B, with Aave withdrawals totaling $8.45B.
KelpDAO exploit and losses
A cross-chain exploit hit the liquid restaking protocol KelpDAO on April 18, 2026, draining 116,500 rsETH and triggering a broader DeFi crisis across multiple lending markets.
AMBCrypto said the attack caused $294 million in losses “in minutes,” and it described the attacker minting “116,500 RSETH” and selling it as collateral to borrow “106,467 ETH.”

DL News put the drained amount at “$293.7 million in rsETH,” describing it as leaving Ethereum-based Kelp DAO after security experts flagged “nearly $300 million” leaving the protocol.
CoinCentral similarly described “116,500 rsETH tokens — worth around $293 million” being stolen and then used as collateral on Aave.
CoinDesk framed the incident as a “$290 million Kelp DAO exploit,” while KuCoin described the theft as “$292 million” and tied it to “116,500 rsETH worth approximately $292 million.”
LayerZero’s own account of the event, as reported by CoinDesk, said the attackers compromised two RPC nodes the verifier relied on and that the attack worked only because Kelp “had ignored multi-verifier recommendations.”
In the immediate aftermath, KelpDAO paused rsETH operations, with AMBCrypto saying Kelp was able to “pause the protocol within 46 minutes,” while DL News reported Kelp DAO wrote on X that it had “paused rsETH contracts while it investigated.”
How the bridge was compromised
Multiple reports tied the KelpDAO theft to LayerZero bridge verification and to a configuration that left the protocol vulnerable to infrastructure-layer manipulation.
AMBCrypto said “LayerZero—a cross-chain messaging layer—acted as a bridge,” and it described the wrongdoer receiving “116,500 rsETH from Kelp’s bridge” after being able to “Delud[e] LayerZero with valid instructions.”

CoinDesk provided the most detailed technical account, saying LayerZero blamed Kelp’s “decision to use a single-verifier configuration” despite prior warnings to adopt a “multi-verifier setup.”
CoinDesk said attackers “compromised two of the remote procedure call (RPC) nodes that LayerZero's verifier relied on to confirm cross-chain transactions,” and it described a DDoS used “to force failover to the poisoned ones.”
In that account, the compromised nodes told the verifier a “valid cross-chain message had arrived,” and “Kelp's bridge released 116,500 rsETH to the attackers.”
CoinDesk also said the attack only worked because Kelp ran a “1-of-1 verifier configuration,” and it quoted LayerZero writing: “KelpDAO chose to utilize a 1/1 DVN configuration.”
The same report said LayerZero’s integration checklist and direct communications to Kelp had recommended multi-verifier redundancy, and it quoted LayerZero: “A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.”
KuCoin’s account similarly emphasized the “1-of-1 DVN (single signer verification)” as “a single point of failure,” and it described the attacker as manipulating “the message verification system that tells one chain the token exists on another.”
Observatorio Blockchain added that the attacker exploited “a faulty security configuration in the bridge (specifically a 1-of-1 verifier),” enabling the creation and extraction of “unbacked rsETH.”
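The example below is added here and is not from the reporting or from LayerZero's code. It is a simplified model of the failure the reports describe: a verifier that fails over to poisoned RPC nodes attests to a message that never existed, and the bridge releases funds under a 1-of-1 threshold but not when independent verifiers must agree. The class names, the "first reachable node is trusted" failover rule and the sample nodes are assumptions constructed for illustration.

```python
"""Simplified model of DVN threshold verification (constructed; not LayerZero code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rpc:
    name: str
    reachable: bool      # False models a node knocked offline (e.g. by DDoS)
    sees_message: bool   # what this node reports about the source chain

@dataclass(frozen=True)
class Dvn:
    name: str
    rpcs: tuple          # tried in order; the first reachable node is trusted

    def attests(self) -> bool:
        """Attest if the first reachable RPC reports the message (failover model)."""
        for rpc in self.rpcs:
            if rpc.reachable:
                return rpc.sees_message
        return False     # no data source: fail closed

def bridge_releases(dvns, threshold: int) -> bool:
    """Release funds only when at least `threshold` DVNs attest."""
    if not 1 <= threshold <= len(dvns):
        raise ValueError("threshold must be between 1 and the number of DVNs")
    return sum(d.attests() for d in dvns) >= threshold

def audit(dvns, threshold: int) -> list:
    """Configuration findings a reviewer would raise before deployment."""
    findings = []
    if threshold < 2:
        findings.append("single attestation is sufficient (1-of-N)")
    if len(dvns) < 2:
        findings.append("only one DVN configured")
    seen = [r.name for d in dvns for r in d.rpcs]
    if len(seen) != len(set(seen)):
        findings.append("DVNs share RPC nodes, so they are not independent")
    return findings

# Constructed scenario: no real message exists on the source chain. DVN A's honest
# node is unreachable and it fails over to two poisoned nodes; B and C are unaffected.
dvn_a = Dvn("A", (Rpc("a1", False, False), Rpc("a2", True, True), Rpc("a3", True, True)))
dvn_b = Dvn("B", (Rpc("b1", True, False),))
dvn_c = Dvn("C", (Rpc("c1", True, False),))

if __name__ == "__main__":
    print("1-of-1 releases:", bridge_releases([dvn_a], 1))                # True
    print("2-of-3 releases:", bridge_releases([dvn_a, dvn_b, dvn_c], 2))  # False
    print("1-of-1 audit:", audit([dvn_a], 1))
```

The audit also flags DVNs that share RPC nodes, because a threshold only helps when the verifiers' data sources can fail independently.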
Freezes, bad debt, and withdrawals
The exploit’s impact spread from KelpDAO into major lending protocols, with Aave freezing markets and users withdrawing funds as the stolen rsETH was treated as collateral.
“The $13 billion DeFi wipeout in two days, and it started with KelpDAO attack Multiple lending and yield protocols are posting double-digit percentage declines in TVL, though token prices are seeing a limited decline”
DL News reported that Aave “froze rsETH markets on its peer-to-peer lending protocols Aave v3 and Aave v4,” and it quoted Aave’s official account: “Aave’s contracts have not been exploited and this is an exploit related to rsETH.”
CoinDesk said LayerZero’s framing was that it had found “no contagion to other applications,” while CoinCentral and KuCoin described the downstream damage in terms of bad debt and liquidity stress.
CoinCentral said the stolen rsETH had “no legitimate backing,” and that borrowing left Aave with “roughly $195 million in bad debt,” while KuCoin described “an estimated $177 million in bad debt” sitting on Aave’s books.
KuCoin also said the attacker borrowed “approximately 126,000 WETH,” and it described Aave governance actions including pausing “all new rsETH deposits across V3 markets” and activating “the Aave Guardian emergency powers.”
@coindesk said TVL fell from “$99.497 billion to $86.286 billion,” and it said Aave’s TVL declined by “$8.45 billion to $17.947 billion.”
CoinCentral added that Aave’s USDT and USDC pools on version 3 were at “100% utilization,” stating that “more than $5.1 billion in stablecoins are currently locked.”
Observatorio Blockchain reported that “more than $5.4 billion were withdrawn from Aave due to user panic,” and it said the ETH utilization rate “reached 100% at times.”
It also named a notable withdrawal: “Justin Sun, founder of Tron,” who withdrew “65,584 ETH, about $154 million.”
AMBCrypto described a liquidity crisis that led protocols to freeze platforms, and it said “The Aave team froze Aave V3 and Aave V4,” while also reporting that “Aave’s token AAVE saw a drop of over 20% in the past 24 hours as it was trading at $92.06.”
Who did what, and what they said
The incident drew immediate statements and named actors across the ecosystem, from KelpDAO and Aave to security researchers and LayerZero.
DL News said the first alert came when blockchain sleuth ZachXBT flagged the issue via his Telegram channel, and it reported that Kelp DAO wrote on X that it had “identified suspicious cross-chain activity involving rsETH” and “paused rsETH contracts while it investigated the situation with security experts.”

DL News also quoted Aave’s founder & CEO Stani Kulechov on X, saying “the asset does not have any borrowing power” and that “Aave v3 and v4 have no exposure to rsETH,” while it described the freeze as “to help Kelp DAO investigate.”
CoinDesk reported that LayerZero said it had “confirmed zero contagion to any other application on the protocol,” and it quoted LayerZero’s decision: “will no longer sign messages for any project using a 1-of-1 verifier configuration.”
AMBCrypto said LayerZero’s team came forward to inform victims that it was in “active remediation with the KelpDAO team.”
On the attribution side, CoinDesk said LayerZero preliminarily linked the attackers to “North Korea's Lazarus Group” and its “TraderTraitor subunit,” and it added that Lazarus Group had been linked to the Drift Protocol exploit on April 1 and now Kelp on April 18.
DL News said Cyvers confirmed the hack and stated “the attacker received funding from coin-mixer Tornado Cash to pay gas fees.”
CoinCentral and Observatorio Blockchain both described the attacker’s use of stolen rsETH as collateral on Aave V3 and V4, with Observatorio adding that the Aave team issued a public statement confirming “the rsETH markets on Aave V3 and Aave V4 were frozen.”
The reporting also included a named market actor: Observatorio Blockchain said Justin Sun withdrew “65,584 ETH, about $154 million,” and it described the resulting token move as “The AAVE token fell by more than 18% in the last 24 hours.”
Different framings and what comes next
Across outlets, the same KelpDAO incident was framed through different lenses: immediate theft and token market moves, technical blame allocation, or systemic DeFi risk.
AMBCrypto called it “the biggest DeFi hack of 2026,” described ZRO falling “by over 22%” and said “Lido Finance was no exception as they followed the same approach,” while also listing other incidents including “Rhea Finance” with an “$18.4 million exploit” and “Drift Protocol” with a “$285 million drain.”

DL News emphasized the exploit mechanics and response, saying Cyvers confirmed funds were swapped back to “Ethereum and Arbitrum,” and it reported the attacker received funding from “coin-mixer Tornado Cash to pay gas fees.”
@coindesk framed the event as a “$13 billion DeFi wipeout in two days,” tying it to “a $292 million exploit of Kelp’s bridge” and describing how stolen rsETH “left rsETH unbacked,” prompting “lending protocols to freeze affected markets” and “panicked users withdrew funds.”
CoinCentral similarly emphasized the scale, saying the hack “triggered one of the largest DeFi capital exits” and that TVL dropped “from $99.497B to $86.286B,” while it also named “MEXC exchange and Abraxas Capital” as “two of the biggest exits.”
CoinDesk’s technical framing focused on LayerZero’s blame and configuration changes, stating that the incident “stemmed from Kelp's security choices rather than a protocol-level bug” and that it would force “a protocol-wide migration off single-verifier setups.”
The KuCoin account added a governance-and-recovery framing, describing Aave governance exploring “recovery options through the Umbrella protocol and the Aave treasury,” while also stating that “no clear solution has emerged as of this writing.”
Observatorio Blockchain described a domino effect and said “we are reviewing information about rsETH loans on Aave that occurred after the exploit,” adding that if the protocol accrues bad debt “we will explore ways to compensate the shortfall.”
Looking forward, the reports converge on the idea that cross-chain verification and composability remain central: CoinDesk said LayerZero will not sign 1-of-1 configurations, while @coindesk said the episode underscores “systemic risks in cross-chain bridge verification and DeFi’s tight interconnections.”