KelpDAO Hit by $290 Million Heist Linked to Lazarus Hackers
North Korea’s Lazarus Group is suspected to have stolen about $290 million from KelpDAO by exploiting a compromised cross-chain verification layer to drain roughly 116,500 rsETH (around $293 million) and move funds through Tornado Cash. The attack also affected Compound and Euler, with Aave freezing rsETH deposits/borrowing. LayerZero and partners are investigating, with attribution pointing to Lazarus TraderTraitor. The breach appears isolated to rsETH with no broader contagion.

KELPDAO SUFFERS $290 MILLION HEIST TIED TO LAZARUS HACKERS

Incident Overview
- A major crypto-heist has been attributed to the Lazarus group, a state-sponsored actor associated with North Korea.
- The total value stolen is reported around $290 million, involving the KelpDAO DeFi project and several lending protocols in the same market window.
- The stolen assets center on rsETH, a liquid restaking token that represents a position staked on Ethereum and used across DeFi ecosystems.
- Initial disclosures indicated the theft affected multiple platforms, with Aave freezing new deposits and borrowings using rsETH as collateral to limit exposure.

What is KelpDAO and rsETH?
- KelpDAO is a decentralized finance (DeFi) project built around liquid restaking on Ethereum. It accepts user ETH deposits, restakes them, and issues rsETH to represent the restaked position.
- The rsETH token is designed to stay usable within DeFi, including cross-chain usage via LayerZero, an inter-blockchain communication protocol.
- The goal of rsETH is to help users keep earning restaking yields while maintaining liquidity and interoperability across protocols.

Timeline and Key Events
- April 18: KelpDAO disclosed the detection of suspicious cross-chain activity involving rsETH and paused rsETH contracts on Ethereum mainnet and associated Layer 2 networks.
- The pause led to the suspension of rsETH transfers and related cross-chain messaging operations while an investigation began.
- April 19–20: Investigations were conducted with partner involvement, including LayerZero and Unichain, to understand the source of the irregular activity and identify compromised components.
- The investigation identified that approximately 116,500 rsETH were moved or exfiltrated, equating to around $293 million in USD value, with traces leading through Tornado Cash to conceal the movement.

How the Attack Unfolded (Technical Details)
- The attackers targeted the verification layer (DVN) used to validate cross-chain messages for rsETH.
- Compromised RPC nodes in the verification infrastructure fed falsified blockchain data to the system.
- Simultaneously, a distributed denial-of-service (DDoS) attack overloaded healthy RPC nodes, pushing the system to rely on the poisoned ones.
- The combination of falsified cross-chain messages and degraded verification allowed unauthorized transactions to be treated as valid, so rsETH could be moved without any genuine underlying on-chain transfer.
- LayerZero's assessment points to the Lazarus group, notably the subset referred to as TraderTraitor, as the most likely actor behind the operation.
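The failure mode described above is a verifier whose effective quorum shrinks to whichever RPC sources still answer: knock the honest nodes offline and the poisoned ones become the whole electorate. The following is an added illustration, not code from KelpDAO, LayerZero or any DVN operator; the page does not describe the real verifier's internals. It models RPC sources as simulated functions (a constructed test double), with constructed message ids and block hashes, and contrasts a verifier that takes a majority of responders with one whose threshold is fixed against the configured source set and therefore fails closed when healthy sources are unavailable.

```python
"""Quorum verification of a cross-chain message against several RPC sources.

Added example, illustrative only: not KelpDAO's or LayerZero's code. The
RPC nodes, message id and block hashes below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class RpcUnavailable(Exception):
    """Raised when an RPC node is overloaded or times out (simulated DDoS)."""


@dataclass(frozen=True)
class Observation:
    """What one RPC source reports about a source-chain lock event."""
    node: str
    block_hash: str   # block the node claims contains the event
    confirmed: bool   # whether the node sees a lock event for this message id


RpcNode = Callable[[str], Observation]


def make_node(name: str, block_hash: str, confirmed: bool,
              available: bool = True) -> RpcNode:
    """Build a simulated RPC node (constructed test double, not a real client)."""
    def query(msg_id: str) -> Observation:
        if not available:
            raise RpcUnavailable(name)
        return Observation(name, block_hash, confirmed)
    return query


def _collect(nodes: List[RpcNode], msg_id: str) -> List[Observation]:
    """Query every configured node, skipping the ones that fail to answer."""
    results = []
    for node in nodes:
        try:
            results.append(node(msg_id))
        except RpcUnavailable:
            continue
    return results


def verify_weak(nodes: List[RpcNode], msg_id: str) -> Tuple[bool, str]:
    """Degrading design: majority of whoever answered.

    If the honest nodes are knocked offline, the poisoned nodes alone form
    the electorate and a forged event passes.
    """
    obs = _collect(nodes, msg_id)
    if not obs:
        return False, "no RPC responses"
    tally = Counter((o.block_hash, o.confirmed) for o in obs)
    (_, confirmed), votes = tally.most_common(1)[0]
    if votes * 2 <= len(obs):
        return False, "no majority among responders"
    if not confirmed:
        return False, "majority of responders sees no event"
    return True, f"{votes}/{len(obs)} responders agree"


def verify_quorum(nodes: List[RpcNode], msg_id: str,
                  threshold: int) -> Tuple[bool, str]:
    """Fail-closed design: threshold is measured against the configured set.

    Silent nodes count as non-agreement, so an outage can only cause rejection,
    never a smaller quorum.
    """
    if threshold * 2 <= len(nodes):
        raise ValueError("threshold must exceed half the configured sources")
    obs = _collect(nodes, msg_id)
    if not obs:
        return False, "no RPC responses"
    tally = Counter((o.block_hash, o.confirmed) for o in obs)
    (_, confirmed), votes = tally.most_common(1)[0]
    if votes < threshold:
        return False, f"only {votes}/{len(nodes)} sources agree (need {threshold})"
    if not confirmed:
        return False, "quorum agrees the event is absent"
    return True, f"{votes}/{len(nodes)} sources agree"


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Return (weak_accepts, quorum_accepts) for three constructed scenarios."""
    msg = "msg-0001"            # constructed message id
    honest_hash, forged_hash = "0xaaaa", "0xbbbb"   # constructed block hashes
    # 1. All five sources healthy and honest; the lock event really happened.
    healthy = [make_node(f"rpc{i}", honest_hash, True) for i in range(5)]
    # 2. Three honest nodes overloaded (DDoS); two poisoned nodes report a
    #    forged lock event for a message that never occurred on the source chain.
    degraded = [make_node(f"rpc{i}", honest_hash, False, available=False) for i in range(3)]
    degraded += [make_node(f"bad{i}", forged_hash, True) for i in range(2)]
    # 3. All nodes answer, but two poisoned nodes contradict three honest ones.
    split = [make_node(f"rpc{i}", honest_hash, False) for i in range(3)]
    split += [make_node(f"bad{i}", forged_hash, True) for i in range(2)]
    out = {}
    for name, nodes in (("honest", healthy), ("ddos_plus_poison", degraded), ("split", split)):
        out[name] = (verify_weak(nodes, msg)[0], verify_quorum(nodes, msg, threshold=3)[0])
    return out


if __name__ == "__main__":
    for scenario, (weak, quorum) in run_scenarios().items():
        print(f"{scenario:18s} weak={weak!s:5s} quorum={quorum}")
```

In the "ddos_plus_poison" scenario the responder-majority verifier accepts the forged message while the fixed-threshold verifier rejects it for lack of agreeing sources; in the honest scenario both accept, and when sources are split both reject. The design point is that a verifier's safety threshold should be defined over the sources it was configured to trust, not over the sources that happened to be reachable at the moment of verification.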

Containment and Isolated Impact
- Official statements emphasize that the breach appears isolated to rsETH and did not propagate to other apps or asset classes within the ecosystem.
- The incident prompted a broader pause and containment measures to prevent further unauthorized movement of rsETH across Ethereum and its Layer 2s.
- LayerZero and its partners worked to isolate the verification layer breach and prevent future exploitation of the DVN mechanism.

Attribution and Related Context
- LayerZero’s preliminary attribution points to the Lazarus group, described as a highly capable state-backed actor.
- The same Lazarus group has also been tied to a $280 million theft from Drift Protocol, which reportedly involved a six-month-long operational footprint and in-person activities during the attack campaign.
- The Drift incident was characterized by strategic, multi-stage operations that included conference-based infiltration and substantial initial deposits into the target project.

Affected Ecosystem and Contagion Risk
- While the rsETH-specific attack caused substantial losses, officials emphasize that broader contagion across other assets or protocols appears limited so far.
- The incident underscores cross-chain verification as a potential vulnerability vector and highlights the importance of robust RPC and DVN security practices in cross-chain messaging systems.

Related Security and Operational Notes
- The attack illustrates how attackers can manipulate cross-chain verification mechanisms by corrupting data sources while overwhelming legitimate services.
- It also demonstrates the role of privacy-preserving or obfuscation tools (like Tornado Cash) in masking on-chain traces, complicating attribution and forensic analyses.
- The ongoing investigation involves collaboration between KelpDAO, LayerZero, Unichain, and other security partners to close the identified gaps and reinforce cross-chain resilience.

Historical Context and Parallel Events
- The Lazarus group has been implicated in multiple high-profile cryptocurrency thefts, with Drift Protocol serving as a notable example of a recent asset heist linked to the same threat actor.
- These incidents collectively illustrate a pattern of sophisticated, multi-stage operations aimed at exploiting cross-chain interoperability mechanisms and verification layers.

Definitions and Key Terms
- rsETH: A liquid restaking token representing an Ethereum restaked position, designed to remain usable across DeFi applications and cross-chain platforms.
- DVN: A verification layer used to validate cross-chain messages; a focal point of the attack in this incident.
- LayerZero: An inter-blockchain communication protocol that enables cross-chain message passing and interoperability between diverse blockchain environments.
- Tornado Cash: A privacy tool used to obfuscate transaction traces on-chain, frequently cited in investigations involving large crypto-thefts.
- TraderTraitor: A moniker used by some researchers to reference a Lazarus Group subgroup implicated in sophisticated cross-chain exploits.

Summary of Current Status
- The KelpDAO event represents a significant loss within the current year’s crypto-theft landscape, driven by a highly sophisticated, state-backed threat actor.
- Investigations are ongoing, with emphasis on securing cross-chain verification layers and preventing recurrence of similar exploits across rsETH and related systems.
- Containment measures remain in place to restrict further unauthorized rsETH movements, and security partners continue to analyze the broader implications for DeFi interoperability.