North Korea-linked group drains $290 million from Kelp DAO in LayerZero exploit

AI-generated from multiple sources. Verify before acting on this reporting.

SEOUL — A cryptocurrency protocol affiliated with the decentralized finance sector lost $290 million in a sophisticated cyberattack executed by a North Korea-linked hacking group on Monday. The Lazarus Group, specifically its TraderTraitor subgroup, targeted Kelp DAO by exploiting vulnerabilities within the LayerZero infrastructure.

The attack occurred at 10:09:35 UTC on April 21, 2026. Security researchers identified the breach as an RPC-spoofing attack designed to poison the verification process of the LayerZero Decentralized Verifier Network. The exploit took advantage of a single-point-of-failure configuration within the network's architecture, allowing the attackers to drain funds from the Kelp DAO protocol.

Kelp DAO, a decentralized finance protocol, confirmed the loss of assets shortly after the incident was detected on the blockchain. The protocol relies on LayerZero for cross-chain communication and verification. The attackers manipulated the verification mechanism into approving unauthorized transactions, effectively bypassing security controls.

The Lazarus Group is a state-sponsored hacking organization known for targeting financial institutions and cryptocurrency exchanges to fund North Korean government programs. The TraderTraitor subgroup has previously been linked to similar high-value heists. This incident marks one of the largest single-day losses in the history of decentralized finance.

LayerZero, the infrastructure provider, has not yet released a detailed statement regarding the specific technical failure. The company's Decentralized Verifier Network is designed to prevent such exploits through distributed consensus, but the attack suggests a configuration error allowed the breach to succeed.
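The mitigation for the failure mode described above, a verifier that trusts a single RPC view of the source chain, is to require agreement across independent endpoints before attesting. The sketch below is an added example, not LayerZero or Kelp DAO code; the `Observation` fields, the `decide` function, the endpoint names and the sample hashes are all hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Observation:
    block_hash: str      # source-chain block holding the message
    payload_hash: str    # hash of the cross-chain message payload
    confirmations: int

@dataclass
class Decision:
    attest: bool
    agreed: Optional[tuple] = None
    dissent: list = field(default_factory=list)  # endpoints to alert on

def decide(msg_id, clients, quorum, min_confirmations):
    """Attest only if a strict majority of independent RPC endpoints agree."""
    n = len(clients)
    if n < 2 or not (n / 2 < quorum <= n):
        raise ValueError("need >= 2 endpoints and a strict-majority quorum")
    seen = {}
    for name, client in clients.items():
        try:
            obs = client(msg_id)
        except Exception:
            obs = None  # unreachable endpoint casts no vote
        if obs is not None and obs.confirmations >= min_confirmations:
            seen[name] = (obs.block_hash, obs.payload_hash)
    votes = Counter(seen.values())
    if not votes:
        return Decision(False)
    winner, count = votes.most_common(1)[0]
    dissent = sorted(name for name, view in seen.items() if view != winner)
    if count < quorum:
        return Decision(False, None, dissent)
    return Decision(True, winner, dissent)

# Constructed sample data: two endpoints agree, one reports a different payload.
HONEST = Observation("0xblockA", "0xpayloadA", 20)
FORGED = Observation("0xblockA", "0xpayloadB", 20)
SAMPLE_CLIENTS = {
    "rpc_a": lambda msg_id: HONEST,
    "rpc_b": lambda msg_id: HONEST,
    "rpc_c": lambda msg_id: FORGED,
}

if __name__ == "__main__":
    print(decide("msg-1", SAMPLE_CLIENTS, quorum=2, min_confirmations=15))
```

A non-empty `dissent` list is worth alerting on even when the quorum is met, since it means at least one endpoint is serving a different view of the chain.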

Industry experts are investigating whether other protocols using LayerZero infrastructure are vulnerable to similar attacks. The decentralized nature of the blockchain means the stolen funds are likely being moved through multiple wallets to obscure their origin. Law enforcement agencies in multiple jurisdictions are expected to monitor the transaction trail.

The incident raises questions about the security of cross-chain communication protocols and the resilience of decentralized verifier networks. Kelp DAO has paused operations while the extent of the damage is assessed. Users are advised to monitor their accounts for unauthorized activity.

No arrests have been made in connection with the attack. The Lazarus Group operates from North Korea, making prosecution difficult. The international community continues to grapple with the challenge of holding state-sponsored cyber actors accountable for financial crimes committed on global networks.

Developments in the case are expected as investigators trace the movement of the stolen funds. The cryptocurrency community remains on high alert for further exploits targeting similar infrastructure.