North Korea Hackers Blamed for $290M Crypto Theft in Latest DeFi Attack

North Korea’s Lazarus Group has been identified as the likely perpetrator behind the $292 million theft from Kelp DAO, a decentralized finance protocol, marking the largest DeFi exploit of 2026. The April 18 attack targeted the platform’s cross-chain bridge infrastructure, draining 116,500 rsETH tokens before spreading contagion across major lending protocols and triggering over $15 billion in investor withdrawals.

LayerZero, the cross-chain messaging firm whose infrastructure Kelp DAO relied upon, conducted the post-incident investigation and attributed the attack to Lazarus Group’s TraderTraitor subgroup. The exploit did not target smart contract code but instead compromised the verification system itself. Attackers poisoned two RPC nodes used by Kelp’s verifier network, then launched a distributed denial-of-service attack against clean nodes, forcing the system to accept forged cross-chain messages.

A Single Point of Failure

The root cause, according to LayerZero, was Kelp DAO’s “1-of-1” decentralized verifier network configuration, a single-node setup with no backup verification system. The company said it had previously communicated best practices around verifier diversification to Kelp DAO and will no longer sign messages for applications using single-verifier setups.

“Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message,” LayerZero stated in its incident report. Security experts note that a multi-verifier setup would have required attackers to compromise several independent nodes simultaneously, a substantially harder technical lift.
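To make the verifier-configuration point concrete, here is an added toy model (not LayerZero’s or Kelp DAO’s code; the required/optional quorum layout, verifier names and message payloads are constructed assumptions) showing why a forged message passes a 1-of-1 verifier fed by a poisoned RPC node but fails a 2-of-3 quorum, and why knocking clean verifiers offline stalls message delivery without moving funds:

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass
class Verifier:
    observed: Optional[bytes]  # message its upstream RPC node reported; None = knocked offline
    def attest(self) -> Optional[str]:
        return None if self.observed is None else payload_hash(self.observed)

@dataclass
class QuorumConfig:  # assumed layout: every "required" verifier plus a threshold of "optional" ones
    required: List[str]
    optional: List[str]
    optional_threshold: int

def verify(message: bytes, verifiers: Dict[str, Verifier], cfg: QuorumConfig) -> Tuple[bool, str]:
    """Accept `message` only if enough independent verifiers attest to the same payload hash."""
    target = payload_hash(message)
    seen = {name: v.attest() for name, v in verifiers.items()}
    for name in cfg.required:
        if seen.get(name) is None:
            return False, f"required verifier {name} offline: liveness stall, nothing executes"
        if seen[name] != target:
            return False, f"required verifier {name} saw a different message: forgery rejected"
    agree = sum(1 for name in cfg.optional if seen.get(name) == target)
    if agree < cfg.optional_threshold:
        return False, f"only {agree} of {cfg.optional_threshold} optional verifiers agree"
    return True, "accepted"

def scenarios() -> Dict[str, bool]:
    genuine = b"unlock 10 rsETH to 0xuser"          # constructed sample payload
    forged = b"unlock 116500 rsETH to 0xattacker"   # constructed forged payload
    poisoned = Verifier(forged)   # its RPC node was poisoned and returns the forged message
    clean = Verifier(genuine)
    offline = Verifier(None)      # silenced by a denial-of-service flood
    one_of_one = QuorumConfig(required=["dvn-a"], optional=[], optional_threshold=0)
    two_of_three = QuorumConfig(required=[], optional=["dvn-a", "dvn-b", "dvn-c"], optional_threshold=2)
    trio = {"dvn-a": poisoned, "dvn-b": clean, "dvn-c": offline}
    healthy = {"dvn-a": Verifier(genuine), "dvn-b": clean, "dvn-c": Verifier(genuine)}
    return {
        "1-of-1, verifier poisoned, forged message": verify(forged, {"dvn-a": poisoned}, one_of_one)[0],
        "2-of-3, one poisoned + one offline, forged message": verify(forged, trio, two_of_three)[0],
        "2-of-3, one poisoned + one offline, genuine message": verify(genuine, trio, two_of_three)[0],
        "2-of-3, all healthy, genuine message": verify(genuine, healthy, two_of_three)[0],
    }
```

With one verifier poisoned and one taken offline, the 2-of-3 quorum rejects both the forged and the genuine message: the attack degrades to a delivery outage rather than a theft, which is the safety-over-liveness trade a multi-verifier configuration buys.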

The stolen rsETH was moved to Aave V3 and used as collateral to borrow approximately $196 million in wrapped ETH, creating immediate bad debt concerns. Aave froze rsETH markets across its V3 and V4 deployments, while total value locked on the platform fell by $6 billion to $10 billion within hours. The broader DeFi sector saw total value locked drop 7% to approximately $86 billion, down from $99.5 billion before the attack.

Several protocols including Ethena, Curve Finance, and Tron DAO paused LayerZero OFT bridges as a precaution. The AAVE token fell between 10% and 16% during the disruption.

A Growing Pattern of State-Sponsored Attacks

The Kelp DAO exploit follows the April 1 theft of $285 million from Drift Protocol on Solana, also attributed to North Korean hackers. Together, these two attacks have drained over $577 million from DeFi protocols in less than three weeks. According to Chainalysis, North Korean hackers stole more than $3.4 billion in crypto in 2025, and 2026 losses have already surpassed $771 million.

Security researchers warn that Lazarus operatives may be embedded in over 40 DeFi projects using long-term social engineering tactics, including fake identities and sustained relationship-building. The group has stolen an estimated $6 billion to $7 billion in crypto since 2017, with funds funneled to North Korea’s weapons programs according to U.S. Treasury and UN assessments.

LayerZero is accelerating the migration of single-verifier applications to multi-verifier setups and has paused signing for all 1-of-1 configurations. Law enforcement collaboration is ongoing for fund tracing, though based on previous Lazarus attacks, recovery is expected to be minimal. The industry now faces mounting pressure to implement standardized multi-verifier requirements, but DeFi’s decentralized structure makes unified security mandates difficult to enforce.
