
Lazarus Linked to Kelp DAO LayerZero Bridge Exploit Draining $292 Million in rsETH
Key Takeaways
- Kelp DAO's LayerZero cross-chain bridge drained 116,500 rsETH worth $292 million.
- North Korea's Lazarus Group linked to the attack.
- The attacker laundered funds through THORChain, with substantial ETH moves.
Kelp DAO exploit and drain
A cross-chain bridge tied to Kelp DAO was drained of 116,500 rsETH at 17:35 UTC over the weekend, triggering emergency freezes and follow-on attempts that were later reverted.
CoinDesk described the attack as an exploitation of a LayerZero-powered bridge, saying the drain was “worth roughly $292 million at current prices” and “representing about 18% of rsETH’s 630,000 token circulating supply tracked by CoinGecko.”

CoinDesk also reported that Kelp’s “emergency pauser multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC,” and that two follow-up attempts at 18:26 UTC and 18:28 UTC “both reverted,” each attempting another “40,000 rsETH drain worth roughly $100 million.”
The Block similarly tied the weekend loss to “116,500 rsETH tokens worth roughly $292 million,” and said preliminary findings from LayerZero suggested the attack was “likely linked to North Korean hacking group Lazarus.”
SecurityWeek framed the same mechanics as an instruction that drained “116,500 rsETH (restaked ether), worth roughly $292 million,” occurring at “17:35 UTC on Sunday.”
Galaxy’s report, written for clients and dated April 21, 2026, described the incident as “a ~$290 million hack” and said the attacker “exploited the single-verifier configuration” to unlock “116,500 rsETH from the Ethereum mainnet escrow.”
Across outlets, the same core sequence appears: a forged cross-chain message, a release from an Ethereum-side escrow, and a rapid attempt to halt further damage once the drain succeeded.
How the bridge was tricked
Multiple reports described the Kelp DAO exploit as a failure of cross-chain message verification rather than a direct break of encryption or keys.
CoinDesk said “At its core, the Kelp exploit did not involve breaking encryption or cracking keys,” adding that “attackers manipulated the data feeding into the system and forced it to rely on those compromised inputs.”

Galaxy’s report provided a more detailed mechanism, saying Kelp DAO ran “a 1-of-1 configuration with LayerZero Labs as the sole verifier,” and that “At 17:35 UTC on Saturday, the attacker delivered a forged LayerZero packet claiming to originate from Unichain (Uniswap’s L2) to the rsETH OFT adapter.”
Galaxy also described how LayerZero’s verification depended on “Decentralized Verifier Networks (DVNs)” and that the escrow’s security “depends entirely on the integrity of the messages authorizing releases.”
SecurityWeek similarly said the attackers targeted LayerZero’s DVN verification, describing an “RPC-spoofing attack” in which “Their malicious node used a custom payload designed explicitly to forge a message to the DVN with minimal warnings.”
It further said the attackers “launched a distributed denial-of-service (DDoS) attack against the remaining RPCs, triggering a failover to the poisoned ones and allowing the hackers’ malicious instructions to pass as valid.”
The Block reported that LayerZero criticized Kelp DAO’s “use of a 1-of-1 decentralized verified network (DVN) configuration,” arguing it “introduced a single point of failure by lacking independent verification to detect a fraudulent cross-chain message.”
CoinDesk’s account aligned with that critique by describing the attacker as tricking LayerZero into believing “a valid instruction had arrived from another network,” which “triggered Kelp's bridge to release 116,500 rsETH to an attacker-controlled address.”
Taken together, the sources portray a verification pipeline that was manipulated so that the bridge released tokens that should not have been released.
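An added example, not code from LayerZero, Kelp DAO or any of the cited reports: a simplified Python model of the verifier-quorum point above, showing why a 1-of-1 configuration authorizes a release on one deceived verifier while a multi-verifier configuration does not. The class, function and verifier names are hypothetical, and the packet and attestations are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    required: frozenset       # every verifier here must attest
    optional: frozenset       # additional independent verifiers
    optional_threshold: int   # how many optional verifiers must also attest

    def is_single_point_of_failure(self) -> bool:
        # One (or zero) attestation is enough to authorize a release.
        return len(self.required) + self.optional_threshold <= 1

def packet_hash(src_chain: str, nonce: int, receiver: str, amount: int) -> str:
    # Stand-in for the hash each verifier derives from the source chain.
    return hashlib.sha256(f"{src_chain}|{nonce}|{receiver}|{amount}".encode()).hexdigest()

def may_release(cfg: VerifierConfig, pkt: str, attestations: dict) -> bool:
    """attestations maps verifier name -> hash it observed (None if it saw nothing)."""
    if not cfg.required and cfg.optional_threshold == 0:
        return False  # a config with no verifiers must never authorize anything
    agree = {name for name, seen in attestations.items() if seen == pkt}
    if not cfg.required <= agree:
        return False
    return len(cfg.optional & agree) >= cfg.optional_threshold

def scenario():
    # Constructed sample: a packet that was never sent on the source chain.
    forged = packet_hash("source-chain", 1, "0xRECEIVER_PLACEHOLDER", 116_500)
    # dvn-a read from a poisoned RPC and "saw" the packet; the others did not.
    attestations = {"dvn-a": forged, "dvn-b": None, "dvn-c": None}
    one_of_one = VerifierConfig(frozenset({"dvn-a"}), frozenset(), 0)
    multi = VerifierConfig(frozenset({"dvn-a"}), frozenset({"dvn-b", "dvn-c"}), 1)
    return (may_release(one_of_one, forged, attestations),
            may_release(multi, forged, attestations))

if __name__ == "__main__":
    print(scenario())  # (True, False)
```

Running `is_single_point_of_failure()` over each deployed route's configuration is the corresponding audit check: any route where it returns true depends on a single verifier's view of the source chain.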
Aave contagion and freezes
After the bridge released rsETH, the stolen tokens were quickly used as collateral in lending markets, and Aave moved to contain the risk by freezing markets and halting new borrowing.
CoinDesk reported that “Rather than selling the assets on the open market, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in ETH and related assets across Ethereum and Arbitrum,” leaving Aave exposed to collateral whose backing “may be significantly impaired.”
CoinDesk also said “Within hours, the protocol froze rsETH markets across its deployments, set loan-to-value ratios to zero, and halted new borrowing against the asset.”
Galaxy’s report described the same immediate containment, stating “Aave froze rsETH, wrsETH, and WETH markets across all deployments,” and said “Aave’s estimated bad debt stands at $123.7 million under uniform socialization of losses or $230.1 million if losses are isolated to L2 rsETH.”
SecurityWeek added that the incident’s impact was broad, saying “In the fallout, decentralized non-custodial liquidity protocol Aave registered a nearly $8 billion drop in total value.”
The Block’s coverage connected the Arbitrum freeze to the broader Kelp loss, noting the “loss of 116,500 rsETH tokens worth roughly $292 million” and that LayerZero’s findings pointed to Lazarus.
Unchained Podcast described Aave’s later operational response, saying “Aave unfroze WETH reserves on its Ethereum Core V3 market on Tuesday,” while “reserves across Ethereum Prime, Arbitrum, Base, Mantle, and Linea remain frozen.”
The same Unchained excerpt also reported market stress, stating “Aave’s USDT borrow rates spiked from 3% to 14% as liquidity remained constrained.”
Across these accounts, the sources depict a chain reaction: a cross-chain verification failure releases rsETH, the attacker leverages it in Aave, and Aave responds with freezes and parameter changes while downstream liquidity remains constrained.
Arbitrum freezes and laundering
As the exploit’s fallout spread, Arbitrum’s Security Council froze ETH tied to the incident, and later reports described the exploiter moving funds through additional chains and swaps.
The Block reported that “The Arbitrum Security Council has frozen 30,766 ETH, worth about $71.1 million,” and said the frozen funds “will only be moved by further action through Arbitrum governance.”

It quoted an Arbitrum statement saying, “The Security Council acted with input from law enforcement as to the exploiter's identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications.”
Galaxy’s report similarly said “On Monday evening, the Arbitrum Security Council took emergency action to freeze 30,766 ETH held on Arbitrum and transfer it to an intermediary frozen wallet,” and added that “Immediately following Arbitrum’s actions, the exploiter’s wallet began transferring funds to new wallets in an apparent attempt to launder them.”
Unchained Podcast described the laundering operation in more granular terms, saying “moving approximately 75,701 ETH worth roughly $175 million across three transactions into freshly created addresses on the Ethereum mainnet,” and attributing the movements to “blockchain analytics firm Arkham Intelligence.”
It also said “Blockchain investigator ZachXBT reported in a Telegram post that some of the stolen funds had already begun crossing chains,” including “three THORChain transactions totaling roughly $1.5 million and a separate $78,000 routed through the privacy protocol Umbra.”
CryptoRank reported that the attacker “laundered about $80 million” after moving “34,500 ETH (~$175M)” and said “Most of that ETH was then swapped into Bitcoin through THORChain,” pushing “THORChain 24-hour swap volume to $394M.”
The same CryptoRank excerpt added that “Arbitrum froze 30,766 ETH worth about $70.9 million tied to attacker-linked wallets,” reinforcing the link between governance intervention and subsequent fund movement.
Together, these sources depict a pattern in which governance freezes can slow immediate access while attackers continue to route and swap stolen assets across decentralized rails.
Attribution, governance, and fallout
Attribution for the Kelp DAO exploit was linked to North Korea’s Lazarus Group, but outlets differed in how they described the specific subunit and the scale of losses.
CoinDesk said the attack “suggests an evolution in how North Korea-linked hackers operate,” quoting Alexander Urbelis of ENS Labs: “This is not a series of incidents; it is a cadence,” and “You cannot patch your way out of a procurement schedule.”

CoinDesk also stated that “More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks,” and it framed the Kelp exploit as part of a broader pattern.
Galaxy’s report said the attacker was “preliminarily identified as North Korea's Lazarus Group” and attributed the mechanism to “the single-verifier configuration” chosen for Kelp’s “LayerZero omnichain fungible token (OFT) bridge.”
SecurityWeek named “TraderTraitor, a subgroup within the infamous North Korean APT Lazarus Group,” said “LayerZero attributes the operation” to that subgroup, and reported LayerZero's position that the heist “could have been prevented had Kelp DAO implemented a multi-DVN setup.”
The Block reported that “Preliminary findings from LayerZero suggested that the attack was likely linked to North Korean hacking group Lazarus,” and it also reported Kelp DAO’s pushback, saying “Kelp DAO pushed back on the statement, saying that the 1-of-1 DVN setup was shipped as the default configuration at LayerZero.”
TradingView added a broader monthly framing, saying “North Korea tied to heists worth $578M in April after Kelp DAO exploit,” and it tied the April total to the earlier Drift incident, stating that “the April Fools’ Day exploit on decentralized exchange Drift totaled $285 million.”
CoinDesk’s separate analysis of Aave’s aftermath said “More than $10 billion has left Aave since the $292 million Kelp DAO exploit,” and described a “$10 billion exodus from Aave” alongside “stablecoins such as USDC.”
PYMNTS described the reputational and systemic impact in terms of lending platform losses, saying the exploit “set off a chain reaction that erased nearly $9 billion from the largest DeFi lending platform.”
Across these accounts, the sources converge on a governance-and-security dilemma: emergency freezes and parameter changes can contain immediate damage, but the incident also triggered broader withdrawals, liquidity constraints, and ongoing attribution debates tied to DPRK-linked operations.