North Korean Lazarus Group Behind $290 Million KelpDAO Crypto Heist
AI-generated from multiple sources. Verify before acting on this reporting.
SEOUL — The Lazarus Group, a state-sponsored hacking collective linked to North Korea, executed a $290 million cryptocurrency heist against KelpDAO on April 20, 2026, exploiting vulnerabilities in cross-chain verification nodes to steal rsETH tokens from the Ethereum network.
The attack occurred at 22:34 UTC, targeting KelpDAO’s liquid staking infrastructure. Security researchers identified the breach as a sophisticated operation involving the compromise of nodes responsible for verifying transactions across different blockchain networks. The stolen assets, primarily real-world staked Ethereum (rsETH), were moved through a series of transactions designed to obscure their origin before being consolidated into wallets associated with the Lazarus Group.
KelpDAO, a decentralized finance protocol, confirmed the loss of approximately $290 million in user funds. The protocol’s smart contracts were manipulated into approving unauthorized transfers, bypassing standard security protocols. The breach highlights growing concerns over the security of cross-chain bridges, which have become frequent targets for cybercriminals seeking to exploit interoperability features between blockchains.
The Lazarus Group has been responsible for numerous high-profile cyberattacks since 2009, including the 2014 Sony Pictures hack and the 2017 Bangladesh Bank heist. North Korea has increasingly relied on cyber operations to generate revenue amid international sanctions. The group’s involvement in this attack marks one of the largest single-day cryptocurrency thefts in history, surpassing previous incidents involving similar state-sponsored actors.
Blockchain analytics firms tracked the movement of the stolen rsETH tokens across multiple wallets, noting attempts to launder the funds through decentralized exchanges and privacy-focused protocols. Despite these efforts, the digital trail remains traceable, offering potential avenues for recovery. However, the decentralized nature of the Ethereum network complicates efforts to freeze or reclaim the assets.
KelpDAO has initiated an emergency response, working with cybersecurity firms and law enforcement agencies to investigate the breach. The protocol has paused certain operations to prevent further exploitation while developers work to patch the vulnerabilities exploited in the attack. Users affected by the heist are advised to monitor their accounts for unauthorized activity and report any suspicious transactions.
The incident raises questions about the resilience of cross-chain infrastructure and the adequacy of current security measures in decentralized finance. Experts warn that as interoperability solutions expand, so too will the sophistication of attacks targeting these systems. The Lazarus Group’s ability to execute such a large-scale theft underscores the ongoing threat posed by state-sponsored cyber actors to the global financial ecosystem.
As of now, no arrests have been made, and the recovery of the stolen funds remains uncertain. The attack serves as a stark reminder of the risks inherent in the rapidly evolving cryptocurrency landscape, where billions of dollars in digital assets remain vulnerable to exploitation.