---
title: "Kelp DAO Exploit Drains $292M, Lazarus Group Suspected"
date: 2026-04-20
author: "Kathleen Kinder"
featured_image: "https://coinlaw.io/wp-content/uploads/2026/04/kelp-dao-suffers-292m-usd-hack.jpg"
categories:
  - name: "Cryptocurrency"
    url: "/crypto.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Kelp DAO Exploit Drains $292M, Lazarus Group Suspected

Kelp DAO exploit drains $292 million in a cross-chain bridge attack, with investigators pointing to a likely link to North Korea’s Lazarus Group.

## Key Takeaways

- $292 million worth of rsETH was drained from Kelp DAO’s LayerZero-powered bridge.
- Lazarus Group is identified as the likely attacker, according to LayerZero’s investigation.
- The exploit exposed a critical single point of failure in the verifier setup.
- Major DeFi platforms froze activity, while market fears triggered a drop in TVL and token prices.

## What Happened?

An attacker exploited Kelp DAO’s cross-chain bridge infrastructure, draining **116,500 rsETH tokens** and triggering widespread disruption across [decentralized finance](https://coinlaw.io/decentralized-finance-market-statistics/). The protocol paused operations shortly after, preventing further losses, while investigations pointed to a sophisticated infrastructure-level attack.

> Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.  
>   
> We are working with [@LayerZero\_Core](https://twitter.com/LayerZero_Core?ref_src=twsrc%5Etfw), [@unichain](https://twitter.com/unichain?ref_src=twsrc%5Etfw), our auditors and top security experts on RCA.   
>   
> We will keep you…
> 
> — Kelp (@KelpDAO) [April 18, 2026](https://twitter.com/KelpDAO/status/2045595819035046148?ref_src=twsrc%5Etfw)

## Exploit Origin and Attack Breakdown

The attack occurred at **17:35 UTC on April 18**, when an attacker-controlled wallet triggered a malicious transaction through **LayerZero’s messaging system**. This action convinced the system that a legitimate cross-chain request had been received, causing the protocol to release a massive amount of rsETH.

Investigators later found that the attacker wallet had been funded through **Tornado Cash**, a tool commonly used to obscure transaction origins in crypto exploits.

According to findings shared by LayerZero, the exploit was not due to compromised smart contracts or stolen private keys. Instead, the issue stemmed from **a flawed system configuration** within Kelp DAO’s infrastructure.

## Single Point Failure Enabled the Attack

The root cause of the breach was a **1-of-1 decentralized verifier node setup**, meaning only one verification node was responsible for validating cross-chain messages.

LayerZero had reportedly recommended a **multi-verifier setup** to improve redundancy and security. However, Kelp DAO continued operating with a single verifier, which significantly lowered the barrier for attackers.

The exploit followed a multi-step process:

- **Attackers poisoned RPC infrastructure feeding the verifier network.**
- **A DDoS attack forced failover to compromised backup systems.**
- **The system validated fake cross-chain transactions, releasing funds.**

This chain of events allowed attackers to extract nearly **18 percent of rsETH’s total circulating supply**.
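The difference between a 1-of-1 and a multi-verifier setup, as an added example that is not LayerZero's or Kelp DAO's code: a simplified Python model in which each verifier attests to a message only if its own RPC source reports it. It goes one step beyond the text by also checking the case where several verifiers share one RPC source. All names (`Verifier`, `accepted`, `audit`, the `rpc-*` endpoints, the message ids) are hypothetical and the data is constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc: str  # RPC endpoint this verifier reads source-chain state from

def attest(v, msg_id, rpc_view):
    """A verifier attests only if its own RPC reports the message as sent."""
    return msg_id in rpc_view[v.rpc]

def accepted(msg_id, verifiers, threshold, rpc_view):
    """Destination side: release only when at least `threshold` verifiers attest."""
    return sum(attest(v, msg_id, rpc_view) for v in verifiers) >= threshold

def audit(verifiers, threshold):
    """Configuration review: flag setups where one data source can decide alone."""
    findings = []
    if threshold < 2:
        findings.append("single verifier can approve a message")
    busiest = max(Counter(v.rpc for v in verifiers).values())
    if busiest >= threshold:
        findings.append("one RPC source can satisfy the threshold")
    return findings

# Constructed data: rpc-a has been poisoned and reports a message never sent.
RPC_VIEW = {
    "rpc-a": {"msg-001", "msg-forged"},
    "rpc-b": {"msg-001"},
    "rpc-c": {"msg-001"},
}
ONE_OF_1 = ([Verifier("v1", "rpc-a")], 1)
TWO_OF_3 = ([Verifier("v1", "rpc-a"), Verifier("v2", "rpc-b"),
             Verifier("v3", "rpc-c")], 2)
# Three verifiers on paper, but all reading the same poisoned endpoint.
SHARED_RPC = ([Verifier(f"v{i}", "rpc-a") for i in (1, 2, 3)], 2)

if __name__ == "__main__":
    for label, (vs, t) in [("1-of-1", ONE_OF_1), ("2-of-3", TWO_OF_3),
                           ("2-of-3 shared RPC", SHARED_RPC)]:
        print(label,
              "| forged accepted:", accepted("msg-forged", vs, t, RPC_VIEW),
              "| genuine accepted:", accepted("msg-001", vs, t, RPC_VIEW),
              "| audit:", audit(vs, t))
```

In this model the forged message passes the 1-of-1 setup and the shared-RPC setup but not the 2-of-3 setup with independent sources, so the audit counts independent data sources, not just verifiers.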

## Cross Chain Impact and Liquidity Crisis Risk

The drained funds were part of the reserve backing **wrapped rsETH tokens across more than 20 blockchain networks**, including major layer 2 ecosystems.

This created immediate uncertainty about whether those tokens still held value, as the underlying collateral had been removed.

Experts warn this could trigger:

- **Panic redemptions across networks**.
- **Pressure on [Ethereum](https://coinlaw.io/ethereum-statistics/)-based liquidity pools**.
- **Forced unwinding of restaking positions**.

The exploit also caused a ripple effect across DeFi platforms:

- **Aave froze rsETH markets on its latest versions**.
- **SparkLend, Fluid, and Upshift also paused related markets**.
- **Lido temporarily halted deposits into products with rsETH exposure**.
- **Ethena paused its bridge operations as a precaution**.

Meanwhile, **AAVE token price dropped around 10 percent**, reflecting concerns about potential bad debt exposure.

## Market Reaction and Wider DeFi Fallout

The incident has been labeled the **[largest DeFi exploit of 2026 so far](https://coinlaw.io/crypto-exchange-hacks-and-security-statistics/)**, surpassing earlier high-profile attacks in the sector.

Following the breach:

- **Total value locked across DeFi dropped by about 7 percent, falling to roughly $85 billion.**
- **Market participants rushed to assess exposure across interconnected protocols.**

The broader context adds to the concern. Recent weeks have already seen multiple exploits across DeFi platforms, making this event part of a troubling trend.

## Lazarus Group Suspected Involvement

LayerZero’s investigation points to the **TraderTraitor subgroup of the Lazarus Group** as the likely perpetrator. While not confirmed, the attribution aligns with known patterns of highly sophisticated attacks linked to North Korea.

The Lazarus Group has previously been connected to major crypto thefts, including high-profile, multi-hundred-million-dollar hacks.

Security experts note that **cross-chain protocols are especially attractive targets**, as they hold large pooled liquidity and rely heavily on verification infrastructure.

LayerZero has confirmed:

- **No protocol code was compromised.**
- **No private keys were exposed.**
- **The vulnerability was purely architectural.**

The company has since **decommissioned affected infrastructure and restored operations**, while working with law enforcement to trace the stolen funds.

## CoinLaw’s Takeaway

From my perspective, this incident highlights a hard truth about DeFi that many projects still underestimate. **Security is not just about smart contracts, it is about architecture.**

In my experience, ignoring basic redundancy recommendations is one of the biggest risks in system design. I found it surprising that a protocol managing billions relied on a single verifier setup.

This was not just a hack, it was a preventable failure. And now, the consequences are spreading across the entire ecosystem.

If anything, this event will likely push **stricter security standards across cross-chain infrastructure**, because the cost of getting it wrong is now painfully clear.
