
LayerZero Points to North Korean Hacker Group as Potential Mastermind Behind Kelp DAO's $292 Million Exploit
Summary
LayerZero reported that the North Korean hacker group Lazarus may have orchestrated the nearly $300
BroadChain has learned that at 20:30 on April 20, according to CryptoNews, the cross-chain interoperability protocol LayerZero released an incident investigation report attributing the April 18 exploit of Kelp DAO to the North Korean hacker group Lazarus (specifically the TraderTraitor subgroup). The report identified a single point of failure in the protocol's validator setup as the technical root cause that made the attack possible.

According to DefiLlama data, the attack drained approximately $292 million from Kelp DAO's rsETH fund pool, making it the largest DeFi hack so far in 2026 and causing the total value locked (TVL) across the entire DeFi sector to drop by 7% within 24 hours to $85 billion. LayerZero emphasized that the attribution is a probabilistic inference, not a final conclusion.

Technical analysis revealed that the attacker poisoned the RPC infrastructure of LayerZero's decentralized validator network (DVN) and launched a DDoS attack to force the system to fail over to a compromised backup node, which then validated fraudulent cross-chain transactions and allowed the funds to be stolen. The key risk point was that Kelp DAO used a 1-of-1 single-DVN configuration, contrary to LayerZero's repeated recommendation of multi-validator setups, which align with industry best practices for redundancy.

Following the incident, LayerZero disabled the affected RPC nodes and fully restored DVN operations; its protocol code and private keys were not compromised. The organization is working with global law enforcement agencies to trace the funds. The incident once again highlights the persistent threat that state-backed hacker groups pose to the DeFi ecosystem. Lazarus has previously been implicated in multiple major cryptocurrency thefts, including the $625 million attack on Ronin Network in 2022.
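Why a 1-of-1 DVN setup is a single point of failure can be shown with a small quorum model. This is an added example, not code from LayerZero, Kelp DAO or the report; the class, function and DVN names and the sample hashes are assumptions constructed for illustration, and the model is simplified to "every required DVN plus a threshold of optional DVNs must attest to the same payload hash".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DvnConfig:
    # Hypothetical, simplified model of a verifier set (not a real API).
    required: tuple            # every one of these must attest
    optional: tuple = ()       # pool from which a threshold must attest
    optional_threshold: int = 0

def min_dvns_to_forge(cfg):
    """Fewest DVNs an attacker must subvert to get a message accepted."""
    return len(cfg.required) + cfg.optional_threshold

def is_verified(cfg, attestations, payload_hash):
    """attestations maps DVN name -> payload hash that DVN attested to."""
    def agrees(dvn):
        return attestations.get(dvn) == payload_hash
    if not all(agrees(d) for d in cfg.required):
        return False
    return sum(agrees(d) for d in cfg.optional) >= cfg.optional_threshold

def audit(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional):
        findings.append("optional threshold exceeds optional DVN count")
    if min_dvns_to_forge(cfg) <= 1:
        findings.append("single point of failure: at most one DVN "
                        "stands between a forged message and acceptance")
    return findings

# Constructed sample data: a 1-of-1 setup and a multi-DVN setup.
single = DvnConfig(required=("dvn-a",))
multi = DvnConfig(required=("dvn-a", "dvn-b"),
                  optional=("dvn-c", "dvn-d"), optional_threshold=1)

# Constructed scenario: dvn-a reads source-chain state through a poisoned
# RPC node and attests to a message that never existed on the source chain.
# The other DVNs read healthy nodes, never see it, and attest to nothing.
FORGED = "0xforged-payload-hash"   # placeholder value
attestations = {"dvn-a": FORGED}

if __name__ == "__main__":
    for name, cfg in (("1-of-1", single), ("multi-DVN", multi)):
        print(name, "forged message accepted:",
              is_verified(cfg, attestations, FORGED),
              "| findings:", audit(cfg))
```

Running `audit` over deployed verifier configurations before they go live catches the 1-of-1 case without waiting for an incident to expose it.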