KelpDAO Hack Blamed on Lazarus Group Erases $13B From DeFi


What to Know

  • $290 million in rsETH, about 116,500 tokens, was drained from KelpDAO’s LayerZero bridge on April 18
  • More than $13 billion in total value locked left DeFi across the 48 hours that followed
  • LayerZero attributes the breach to North Korea’s Lazarus Group, the same crew blamed for the $285 million Drift Protocol attack earlier in April
  • Aave alone saw over $10 billion in outflows, with TVL crashing from $45.8 billion to $35.7 billion as users bolted

The KelpDAO hack on April 18 did not just lift $290 million in rsETH from a cross-chain bridge. It reopened every ugly argument DeFi has been trying to bury. LayerZero, whose infrastructure sat underneath the compromised bridge, is pointing at North Korea’s Lazarus Group. KelpDAO is pointing back at LayerZero. And somewhere in between, roughly $13 billion in total value locked has already walked out the door.

How the KelpDAO Hack Actually Worked

The attacker did not break cryptography. They broke plumbing. The KelpDAO hack hinged on two remote procedure call nodes that LayerZero’s verifier used to confirm cross-chain transactions. Compromise those, and the rest is paperwork.

Once the attackers controlled the endpoints, they flooded the backup nodes with junk traffic. The verifier, unable to reach its trusted sources, failed over to the poisoned ones. It then signed off on a fabricated transaction that released 116,500 rsETH, worth about $290 million at the time, to an address the attacker controlled.
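The failover behaviour described above, contrasted with a fail-closed quorum check, as an added example that is not LayerZero's or KelpDAO's code. The node names, hashes and both function names are hypothetical, and the four-node layout is a constructed scenario rather than the real deployment.

```python
from collections import Counter

class QuorumError(Exception):
    """Too few independent sources agree: the caller must refuse to sign."""

def naive_failover(sources, tx_id):
    """Weak pattern: trust the first source that answers."""
    for fetch in sources.values():
        try:
            return fetch(tx_id)
        except (TimeoutError, ConnectionError):
            continue  # silently move on to the next source
    raise QuorumError("no source reachable")

def confirm_with_quorum(sources, tx_id, quorum):
    """Return the hash reported by at least `quorum` of the configured sources.

    The quorum is measured against every configured source, not against the
    ones that happen to answer, so knocking honest nodes offline cannot
    shrink the number of votes needed.
    """
    if not len(sources) // 2 < quorum <= len(sources):
        raise ValueError("quorum must be a strict majority of configured sources")
    votes = Counter()
    for fetch in sources.values():
        try:
            votes[fetch(tx_id)] += 1
        except (TimeoutError, ConnectionError):
            pass  # an unreachable source is a missing vote, never consent
    value, count = votes.most_common(1)[0] if votes else (None, 0)
    if count < quorum:
        raise QuorumError(f"only {count} of {len(sources)} agree; need {quorum}")
    return value

# Constructed scenario: hypothetical node names and hashes, not real data.
REAL, FAKE = "0xaaaa", "0xffff"

def answers(value):
    return lambda tx_id: value

def flooded(tx_id):
    raise TimeoutError("node saturated with junk traffic")

HEALTHY = {n: answers(REAL) for n in ("node-1", "node-2", "node-3", "node-4")}
ATTACKED = {"node-1": flooded, "node-2": flooded,
            "node-3": answers(FAKE), "node-4": answers(FAKE)}
```

With the constructed `ATTACKED` set, `naive_failover` returns the fabricated hash, while `confirm_with_quorum(..., quorum=3)` raises `QuorumError` because two agreeing nodes out of four configured is not a majority.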

The cleanup was almost elegant. The malware self-destructed after execution, wiping binaries and logs to slow down forensic work. By the time anyone at KelpDAO noticed the imbalance on the contract, the bridge was already empty and the breadcrumbs were ash.

Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group.

— LayerZero, statement issued Monday

Who Is Lazarus Group and Why Does DeFi Keep Getting Hit?

Lazarus Group is North Korea’s state-backed hacking unit, and by 2026 it has become less a cybercrime crew and more a line item in Pyongyang’s budget. Blockchain investigators tracking the Lazarus Group have tied it to a steady run of DeFi thefts this year alone, and the pattern rarely changes.

Social engineering gets them inside. Infrastructure gaps let them leave with the vault.

This is the second nine-figure DeFi heist pinned to the group in April. The first one hit Drift Protocol on April 1 and cost users $285 million. Add KelpDAO, and Lazarus has cleared over $575 million in three weeks. That is not a hacking spree. That is a quarterly earnings report.

What makes the group dangerous is not the zero-days. It is the patience. Investigators have documented campaigns that stretch six months or longer, with fake recruiters, fake conference invites, and malware hidden inside job offers. By the time the bridge pops, the reconnaissance work is already months old.

The Finger-Pointing Between KelpDAO and LayerZero

Here is where the story gets uncomfortable. LayerZero says KelpDAO ran a 1-of-1 decentralized verifier network configuration, a setup LayerZero had warned against, repeatedly, as a single point of failure. It also announced it would stop signing messages for any app using that configuration. Fair enough, on paper.

KelpDAO hit back. The team told reporters its configuration followed LayerZero’s own documented defaults. Independent researchers, including a Yearn Finance developer who pulled apart LayerZero’s public deployment code, found that single-source verification was indeed the shipped default across every major chain. That is not a footnote. That is the core of the dispute.

So which is it: negligence by KelpDAO, or a dangerous default by LayerZero? Probably both, and that is the part the industry does not want to sit with. Builders who ship with the documented defaults and get drained get blamed. Infrastructure firms whose defaults are the vulnerability get to issue statements about other people’s configuration choices. You can see why no one wants to be the next team to integrate a bridge.

  • LayerZero position: KelpDAO chose a 1-of-1 verifier setup against explicit warnings
  • KelpDAO position: the setup matched LayerZero’s shipped defaults and used LayerZero’s own validator
  • Independent researchers: public deployment code confirms single-source verification as the default across chains
  • Result: a protocol-wide forced migration away from single-validator configurations

Why $13 Billion Left DeFi in Two Days

The direct loss was $290 million. The collateral damage was almost fifty times that. Within 48 hours of the exploit, more than $13 billion in total value locked had drained out of DeFi platforms. That is not a bridge problem. That is a trust problem.

Aave took the worst of it. The lending giant watched over $10 billion in outflows as users raced to pull liquidity before any further contagion. Aave’s TVL slid from $45.8 billion to $35.7 billion in the span of a weekend. The Aave rsETH incident report, published on April 20, laid out how the KelpDAO exploit forced Aave to freeze rsETH markets and trigger emergency liquidations across its lending pools.

The mechanics are worth understanding. rsETH is a restaking derivative. When the peg wobbles, everything collateralized against it wobbles too. Liquidators pile in, borrowers get flushed, and the price reflexively feeds on itself. A $290 million hack does not erase $13 billion directly. It removes the confidence that keeps borrowers from unwinding, and then they unwind themselves.

What Does This Mean for DeFi’s Next Chapter?

Short answer: the tokenization pitch just got harder. Jefferies has already warned that marquee hacks of this scale could temporarily slow Wall Street’s appetite for tokenization projects. When a sophisticated state actor can drain nine figures from a bridge that underpins multiple blue-chip protocols, it is difficult to walk into a bank boardroom and sell blockchain rails as the secure future of settlement.

The recovery picture is not encouraging either. The attacker has begun laundering the stolen funds, routing assets through Arbitrum and into Tron-based stablecoins. LayerZero said it is working with KelpDAO, the Security Alliance, and law enforcement agencies to trace the funds, but privacy tools have already complicated the chase. This is the part where the press releases go quiet.

There is one silver lining, depending on how generously you read it. LayerZero said it has confirmed zero contagion to other applications running multi-verifier configurations. The protocol-wide migration it forced after the breach should, in theory, harden every app still standing. The catch is that nobody can promise what the next default will miss.

Lazarus’s April: A Timeline of Two Heists

To understand how much ground Lazarus has covered this month, it helps to put the two attacks side by side. The Drift Protocol hack drained $285 million from the Solana-based perpetuals exchange on April 1. Investigators traced that one to a six-month social-engineering campaign targeting Drift’s engineering team. Different chain, different attack vector, same fingerprints.

Seventeen days later, KelpDAO’s bridge was empty. Two major protocols, over half a billion dollars combined, one crew. That pace matters because it tells you something about resourcing. Lazarus is not a cell operating on weekends. It is a funded operation running overlapping campaigns, and the public evidence trail suggests it has at least two more in flight right now.

Frequently Asked Questions

What is the KelpDAO hack?

The KelpDAO hack was an April 18, 2026 exploit of the protocol’s LayerZero-powered cross-chain bridge. Attackers compromised two remote procedure call nodes the verifier relied on, flooded backup nodes with junk traffic, and forced the system to sign a fake transaction that released 116,500 rsETH worth roughly $290 million to an attacker-controlled address.

Who is Lazarus Group?

Lazarus Group is a North Korean state-sponsored hacking collective tied to the Reconnaissance General Bureau. Blockchain investigators have linked it to billions in crypto thefts since 2017. In April 2026 alone, the group is blamed for both the $285 million Drift Protocol attack and the $290 million KelpDAO exploit, bringing its monthly DeFi haul above $575 million.

Why did the KelpDAO hack erase $13 billion from DeFi?

The direct $290 million loss spooked traders across the ecosystem. rsETH is a widely collateralized restaking derivative, so its peg risk rippled into lending protocols like Aave, which saw over $10 billion in outflows. Emergency liquidations, frozen markets, and panic withdrawals compounded the damage, erasing more than $13 billion in total value locked within 48 hours.

How is the stolen money being laundered?

The attacker has started moving funds through Arbitrum before swapping them into Tron-based stablecoins, a pattern typical of Lazarus Group operations. Privacy tools and rapid chain-hopping have already complicated recovery. LayerZero said it is cooperating with KelpDAO, the Security Alliance, and law enforcement to trace the stolen assets, though officials concede the odds of full recovery are low.


Elena Vasquez

Elena Vasquez is a DeFi and Technology Writer at TheCryptoWorld, covering the technical side of blockchain — from Layer 1 protocols and scaling solutions to decentralized finance, smart contract security, and the intersection of AI and crypto. With a computer science background and experience as a blockchain developer, Elena brings hands-on technical expertise to her writing. She’s passionate about making complex protocol mechanics accessible to a broad audience without sacrificing accuracy.

5 Comments
Viktor Novak
1 month ago

rsETH depeg cascade is what actually caused the $13B print, not the $290M drain itself. curious if the LayerZero endpoint was the real entry point or just where it surfaced on chain

Isla MacGregor
1 month ago

blaming Lazarus within 6 days feels rushed. where is the on chain attribution beyond the usual Tornado hop pattern everyone points to

Raj Kapoor
1 month ago

restaking was always going to be the honeypot, called it back when EigenLayer TVL crossed 15B

Zara Okafor
1 month ago

$290M gone and somehow LayerZero walks away clean again

Clara Jansen
1 month ago

anyone have a link to the postmortem or is KelpDAO still sitting on it? want to see the actual exploit path before the narrative hardens
