In what represents one of 2026’s most significant decentralized finance security breaches, Kelp DAO suffered losses totaling approximately $290–293 million during a weekend attack. LayerZero, the cross-chain messaging protocol utilized in the incident, has attributed the vulnerability to Kelp’s infrastructure decisions.
The breach focused on Kelp’s rsETH token transfer mechanism across different blockchain networks. Operating with a single-verifier architecture meant only one authority needed to validate cross-chain transfers. According to LayerZero, the company had explicitly cautioned Kelp about this configuration and urged adoption of multiple independent verification sources.
The hackers infiltrated two remote procedure call nodes—specialized servers enabling software to interact with blockchain data. These legitimate nodes were replaced with compromised versions that delivered fraudulent information to LayerZero’s verification system while maintaining normal appearances to other infrastructure components.
Since LayerZero’s verification process also consulted legitimate external nodes, the attackers launched a distributed denial-of-service campaign to disable those systems. This tactic redirected network traffic through the compromised infrastructure during an 80-minute window from 10:20 a.m. to 11:40 a.m. Pacific Time on Saturday.
When the failover mechanism activated, the malicious nodes transmitted confirmation of a legitimate transaction to the verifier. Kelp’s bridge protocol subsequently released 116,500 rsETH to the attackers’ wallets. The hostile software then eliminated itself, erasing all forensic evidence from the affected servers.
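The failure mode described above, shown as an added example that is not code from the article, Kelp or LayerZero: a verifier that counts attestations per independent node operator and fails closed when too few are reachable, instead of failing over to whichever nodes still answer. The `Source` and `verify_message` interface, the operator names and the hashes are all hypothetical and do not model LayerZero's actual API.

```python
from dataclasses import dataclass
from typing import Callable, Optional

class VerificationError(Exception):
    """The message could not be confirmed safely; the bridge must not release funds."""

@dataclass(frozen=True)
class Source:
    operator: str  # who runs the node; nodes sharing an operator count as one vote
    fetch: Callable[[str], Optional[str]]  # msg id -> hash seen on source chain, None if absent

def verify_message(msg_id: str, claimed_hash: str, sources: list, quorum: int) -> bool:
    """True only if at least `quorum` distinct operators answer and all report `claimed_hash`.

    Unreachable sources never lower the requirement: if too few operators
    answer, verification fails closed instead of failing over.
    """
    if quorum < 1:
        raise ValueError("quorum must be at least 1")
    votes = {}  # operator -> reported hash
    for src in sources:
        try:
            seen = src.fetch(msg_id)
        except ConnectionError:
            continue  # unreachable (for example under DDoS): contributes no vote
        if votes.setdefault(src.operator, seen) != seen:
            raise VerificationError(f"nodes of operator {src.operator} disagree")
    if len(votes) < quorum:
        raise VerificationError(f"{len(votes)} operator(s) reachable, {quorum} required")
    if len(set(votes.values())) > 1:
        raise VerificationError("operators report different chain state")
    return next(iter(votes.values())) == claimed_hash

# --- Constructed scenario: every name and hash below is made up ---
FORGED = "0xforged"

def poisoned(_msg_id):  # replaced node: attests a message that never existed
    return FORGED

def honest(_msg_id):    # honest node: the forged message is absent on the source chain
    return None

def offline(_msg_id):   # honest node knocked out by the DDoS
    raise ConnectionError("timeout")

def sources(external):
    """Two poisoned nodes under one operator plus two independent external operators."""
    return [Source("internal", poisoned), Source("internal", poisoned),
            Source("ext-a", external), Source("ext-b", external)]
```

With `quorum=1` and the external operators offline, `verify_message("msg-1", FORGED, sources(offline), 1)` returns `True`, which is the single-verifier outcome; with `quorum=2` the same call raises `VerificationError`.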
The stolen rsETH tokens were deployed as collateral across various lending platforms, enabling the attackers to withdraw genuine assets. Aave, the dominant decentralized lending platform, absorbed the most substantial damage.
Aave found itself holding illiquid rsETH collateral while valuable assets such as ETH had already been extracted through borrowing mechanisms. Aave’s native token plummeted approximately 15% within a 24-hour period, while the protocol experienced roughly $6 billion in withdrawals as participants scrambled to remove their funds.
No fewer than nine DeFi applications experienced damage, including Fluid, Compound Finance, SparkLend, and Euler. Cybersecurity firm Cyvers characterized the incident as a “cross-protocol contagion event” extending far beyond a single platform vulnerability.
With preliminary confidence, LayerZero has connected this attack to North Korea’s Lazarus Group, specifically its TraderTraitor division. This same organization was implicated in the $285 million Drift Protocol breach on April 1, indicating Lazarus has extracted over $575 million from decentralized finance within an 18-day period using two distinct attack methodologies.
LayerZero reports no evidence of vulnerability spreading to applications operating with multi-verifier architectures. The company has restored its verification service and announced a permanent policy refusing to process messages for any application utilizing single-verifier configurations.
Curve Finance founder Michael Egorov emphasized that this breach demonstrates the inherent risks of relying on solitary transaction verification sources. He additionally cautioned against utilizing cross-chain infrastructure unless operationally essential.
Kelp has remained silent regarding LayerZero’s version of events and has not addressed why the protocol continued operating with a single-verifier architecture despite receiving explicit security warnings.
The post $290M Kelp DAO Breach Tied to Lazarus Group and Weak Bridge Security appeared first on Blockonomi.


