KelpDAO $290M Heist Exposes Cross-Chain Vulnerabilities
#Vulnerabilities

Security Reporter
4 min read

State-sponsored North Korean hackers likely behind sophisticated attack on DeFi project

KelpDAO, a liquid restaking protocol on Ethereum, suffered a $290 million cryptocurrency heist on April 18, 2026, with preliminary evidence pointing to North Korea's Lazarus Group as the perpetrator.

The attack targeted rsETH, KelpDAO's liquid restaking token, which represents restaked ETH positions and moves between chains through LayerZero's interoperability layer. According to LayerZero's investigation, the attackers compromised the Decentralized Verifier Network (DVN) responsible for validating cross-chain messages for rsETH. A DVN's job is to attest that a message sent on the source chain really exists before it is executed on the destination chain, so a verifier that can be made to attest to messages that were never sent is the whole game.

How the Attack Unfolded

The hackers employed a multi-pronged approach that demonstrated advanced technical capabilities:

  • RPC Node Compromise: Attackers took control of some of the RPC nodes the verifier used to read chain state and fed it falsified block data
  • DDoS Disruption: At the same time, they launched DDoS attacks against the healthy RPC nodes, so that the verifier's failover logic drifted onto the "poisoned" nodes
  • Message Validation Bypass: With the verifier reading only attacker-controlled data, forged cross-chain messages passed validation as if they were genuine
  • Unauthorized Token Movement: The verifier attested to transactions that never occurred on the source chain, enabling the theft of approximately 116,500 rsETH
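The failover behaviour those four steps exploit can be shown with a small simulation. The following is an added example written for this article, not LayerZero's or KelpDAO's code: the node names, block numbers, hashes and the attacker's moves are all constructed, and the verifier is reduced to a single check (does the block hash an RPC node reports match the hash claimed in the message). It contrasts a verifier that trusts whichever RPC node answers first with one that requires a quorum of independent nodes to agree and fails closed when it cannot get that agreement.

```python
"""Simulated cross-chain verifier reading block data from several RPC nodes.

Added illustration, not LayerZero's or KelpDAO's code. Node names, block
numbers, hashes and the attacker's behaviour are constructed for the demo.
"""
from collections import Counter
from dataclasses import dataclass, field
import hashlib


class RpcDown(Exception):
    """Raised when a node does not answer (here: it is being DDoSed)."""


@dataclass
class RpcNode:
    name: str
    chain: dict = field(default_factory=dict)  # block number -> block hash
    online: bool = True

    def get_block_hash(self, number: int) -> str:
        if not self.online:
            raise RpcDown(self.name)
        return self.chain[number]


def block_hash(number: int, tag: str) -> str:
    """Deterministic fake block hash (constructed; no real chain data)."""
    return hashlib.sha256(f"{tag}:{number}".encode()).hexdigest()


def verify_first_responder(nodes, number, claimed_hash) -> bool:
    """Vulnerable design: trust the first node that answers.
    If the honest nodes are offline, the answer comes from a poisoned one."""
    for node in nodes:
        try:
            return node.get_block_hash(number) == claimed_hash
        except RpcDown:
            continue
    return False


def verify_quorum(nodes, number, claimed_hash, quorum: int) -> bool:
    """Hardened design: at least `quorum` independent nodes must agree on the
    block hash, and the agreed hash must match the claim. Too few answers or
    a split vote means reject (fail closed) rather than fall back."""
    if quorum < 1:
        raise ValueError("quorum must be at least 1")
    answers = []
    for node in nodes:
        try:
            answers.append(node.get_block_hash(number))
        except RpcDown:
            pass
    if len(answers) < quorum:
        return False  # not enough independent evidence
    value, votes = Counter(answers).most_common(1)[0]
    if votes < quorum:
        return False  # nodes disagree: someone is lying or forked
    return value == claimed_hash


def build_scenario():
    """Constructed scenario: three honest nodes, two attacker-controlled ones."""
    honest_chain = {100: block_hash(100, "honest")}
    forged_chain = {100: block_hash(100, "forged")}  # attacker's fake block
    honest = [RpcNode(f"honest-{i}", honest_chain) for i in range(3)]
    poisoned = [RpcNode(f"poisoned-{i}", forged_chain) for i in range(2)]
    return honest, poisoned, forged_chain[100], honest_chain[100]


def run_attack():
    """Returns (naive_accepts_forgery, quorum_accepts_forgery, quorum_accepts_real)."""
    honest, poisoned, forged_hash, real_hash = build_scenario()
    nodes = honest + poisoned
    # Step 2 of the attack: DDoS the healthy nodes so only poisoned ones answer.
    for n in honest:
        n.online = False
    naive = verify_first_responder(nodes, 100, forged_hash)
    quorum = verify_quorum(nodes, 100, forged_hash, quorum=3)
    # Once the honest nodes are back, the quorum verifier still serves real traffic.
    for n in honest:
        n.online = True
    legit = verify_quorum(nodes, 100, real_hash, quorum=3)
    return naive, quorum, legit


if __name__ == "__main__":
    print(run_attack())  # (True, False, True)
```

The quorum verifier rejects the forgery during the DDoS because only two nodes answer, but it also stops confirming legitimate messages until enough honest nodes are reachable again: fail-closed turns a denial of service into a liveness delay instead of a theft. The quorum only helps if it exceeds the number of nodes an attacker can plausibly control, which in practice means RPC providers run by different operators, not several endpoints of one provider.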

The stolen funds were immediately routed through Tornado Cash, a privacy protocol designed to obscure transaction trails, making recovery efforts significantly more challenging.

Broader Impact on DeFi Ecosystem

While the attack was isolated to rsETH, the incident had ripple effects across the decentralized finance landscape. Several major lending protocols were impacted:

  • Aave: Froze the rsETH market, blocking new deposits and new borrowing against rsETH collateral
  • Compound and Euler: Also reported as affected by the rsETH compromise

KelpDAO responded by pausing the rsETH contracts on Ethereum mainnet and its Layer 2 deployments, and is investigating the breach with partners including LayerZero, Unichain, and other ecosystem participants.

Lazarus Group Attribution

LayerZero's preliminary analysis attributes the attack to the Lazarus Group, a state-sponsored hacking collective linked to North Korea. LayerZero specifically named "TraderTraitor," a known Lazarus subgroup, as the likely operator.

This attribution aligns with the group's established pattern of targeting cryptocurrency platforms. Just weeks prior, Lazarus was linked to a $280 million theft from the Drift Protocol, which investigators revealed was the result of a six-month-long operation involving conference infiltration and strategic $1 million deposits.

Technical Vulnerabilities Exposed

The KelpDAO incident highlights critical vulnerabilities in cross-chain infrastructure:

  1. Verification Layer Single Points of Failure: When a message path is secured by a single verifier, compromising that verifier's inputs is enough to forge messages; there is no second opinion to overrule it
  2. RPC Node Security: A verifier only signs what its RPC sources tell it, so poisoned nodes turn a perfectly correct cryptographic attestation into a signed lie, without breaking any cryptography at all
  3. DDoS as Attack Vector: Denial of service was a lever rather than the goal, used to steer the verifier's failover onto attacker-controlled nodes
  4. Interoperability Risks: Cross-chain protocols add off-chain infrastructure (verifiers, relayers, RPC endpoints) to the trust base, beyond the smart contracts that audits usually focus on

Industry Response and Prevention

Security experts emphasize that this attack demonstrates the evolving sophistication of state-sponsored cyber operations. Combining infrastructure compromise with network disruption (as here) and with long-running social engineering (as in the Drift Protocol case) represents a new level of threat to DeFi protocols.

Best practices emerging from this incident include:

  • Multi-layer Verification: Requiring several independent verifiers to attest to each message, so that no single DVN, or the RPC data behind it, can authorize a transfer on its own
  • Node Security Hardening: Running verifiers against RPC providers operated by different parties, cross-checking block hashes between them, and alerting on divergence rather than silently failing over
  • DDoS Resilience: Designing verifiers to fail closed when healthy data sources are unavailable, so that a denial of service delays messages instead of enabling theft
  • Cross-chain Security Audits: Specialized auditing that covers the off-chain verifier and relayer infrastructure of interoperability protocols and bridges, not only their contracts
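What multi-layer verification buys can be shown with a second added example, again not LayerZero's code and not KelpDAO's configuration. Verifier names, keys and messages are constructed, and HMAC-SHA256 keyed with a per-verifier secret stands in for a real digital signature so the demo runs on the standard library alone. A policy that trusts a single verifier accepts a forged message once that one verifier is compromised; a policy requiring two independent verifiers plus at least one of two optional ones rejects the same forgery, because honest verifiers sign only messages they actually find on the source chain.

```python
"""Message acceptance under a required-plus-threshold verifier policy.

Added example; not LayerZero's code and not KelpDAO's configuration.
Verifier names, keys and messages are constructed. HMAC-SHA256 keyed with a
per-verifier secret stands in for a real signature (standard library only).
"""
import hashlib
import hmac
import json

# Constructed per-verifier secrets (a real DVN would hold a signing key).
DVN_KEYS = {
    "dvn-a": b"secret-a",
    "dvn-b": b"secret-b",
    "dvn-c": b"secret-c",  # the verifier the attacker has compromised below
    "dvn-d": b"secret-d",
}


def message_id(msg: dict) -> bytes:
    """Canonical digest of a cross-chain message."""
    return hashlib.sha256(json.dumps(msg, sort_keys=True).encode()).digest()


def attest(dvn: str, msg: dict) -> bytes:
    """Verifier `dvn` attests that `msg` is valid (stand-in for a signature)."""
    return hmac.new(DVN_KEYS[dvn], message_id(msg), hashlib.sha256).digest()


def valid_attestation(dvn: str, msg: dict, sig: bytes) -> bool:
    """Unknown verifiers and bad signatures are both rejected."""
    return dvn in DVN_KEYS and hmac.compare_digest(attest(dvn, msg), sig)


def honest_attestations(msg: dict, dvns, source_chain: set) -> dict:
    """Honest verifiers sign only messages they can find on the source chain."""
    if message_id(msg) not in source_chain:
        return {}
    return {d: attest(d, msg) for d in dvns}


def accept_message(msg, attestations, required, optional, threshold) -> bool:
    """Execute `msg` only if every required verifier and at least `threshold`
    of the optional verifiers produced a valid attestation for it."""
    verified = {d for d, s in attestations.items() if valid_attestation(d, msg, s)}
    if not set(required) <= verified:
        return False
    if sum(1 for d in optional if d in verified) < threshold:
        return False
    return True


def run_scenario():
    """Returns (single_dvn_accepts_forgery, multi_dvn_accepts_forgery,
    multi_dvn_accepts_real_message)."""
    real = {"src": "ethereum", "dst": "l2", "nonce": 41, "rseth": 10}
    forged = {"src": "ethereum", "dst": "l2", "nonce": 42, "rseth": 116_500}
    source_chain = {message_id(real)}  # constructed: only `real` was ever sent
    compromised = "dvn-c"

    # The attacker can make the compromised verifier sign anything...
    forged_atts = {compromised: attest(compromised, forged)}
    # ...but the honest verifiers find no such message on the source chain.
    forged_atts.update(honest_attestations(forged, ["dvn-a", "dvn-b", "dvn-d"], source_chain))

    single = accept_message(forged, forged_atts, required=[compromised], optional=[], threshold=0)
    multi_policy = dict(required=["dvn-a", "dvn-b"], optional=["dvn-c", "dvn-d"], threshold=1)
    multi = accept_message(forged, forged_atts, **multi_policy)

    real_atts = honest_attestations(real, list(DVN_KEYS), source_chain)
    legit = accept_message(real, real_atts, **multi_policy)
    return single, multi, legit


if __name__ == "__main__":
    print(run_scenario())  # (True, False, True)
```

The policy only helps if the required verifiers are genuinely independent: separate operators, separate keys, and separate RPC providers behind them. Two verifiers that read the same poisoned RPC feed would both attest to the same forgery.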

The Growing North Korean Cyber Threat

The Lazarus Group's involvement in multiple high-profile crypto heists underscores North Korea's sophisticated cyber capabilities. The regime has increasingly turned to cryptocurrency theft to circumvent international sanctions and fund its operations.

Industry analysts note that these attacks are becoming more complex and better planned, with the Drift Protocol incident showing evidence of months of preparation, including physical infiltration of industry events and strategic financial positioning.

Recovery and Future Implications

While LayerZero stated that the incident was isolated to rsETH with no broader contagion across other applications or assets, the $290 million loss represents one of the largest DeFi hacks of 2026. The use of Tornado Cash for laundering complicates recovery efforts, though blockchain forensics may still trace some movement of funds.

The attack serves as a wake-up call for the DeFi industry about the risks of cross-chain interoperability and the need for more robust security measures. As protocols become increasingly interconnected, the attack surface expands, requiring new approaches to security that go beyond traditional smart contract auditing.

For users and protocols alike, the incident reinforces the importance of diversification, careful protocol selection, and understanding the technical risks inherent in emerging DeFi technologies. The sophistication of attacks like this suggests that the industry must evolve its security practices as quickly as the technology itself advances.