KelpDAO Loses $290 Million in Cross-Chain Exploit as Lazarus Group Indicators Emerge
Attackers have drained approximately $290 million from KelpDAO in one of the largest DeFi exploits of 2026, targeting the protocol's rsETH liquid restaking configuration through a sophisticated infrastructure-level attack that bypassed verification controls without compromising private keys or exploiting a direct protocol flaw.
The attack targeted the RPC infrastructure used by a Decentralized Verifier Network within the LayerZero ecosystem. Attackers compromised specific RPC nodes and used them to feed manipulated data into the verification process. Simultaneously, they applied distributed denial-of-service pressure against healthy nodes, forcing the system to fall back on the compromised endpoints. This allowed false transaction data to pass validation, enabling unauthorized asset movements at scale.
The exploit was made possible by KelpDAO's use of a single verifier configuration for rsETH, meaning there was no secondary validation layer to detect or reject the forged messages. Cross-chain security models typically rely on multiple independent verifiers to prevent exactly this scenario. Systems using diversified verification layers within the LayerZero ecosystem were not affected, reinforcing the critical importance of distributed trust in cross-chain architecture.
Early analysis points to a highly coordinated operation, with indicators suggesting involvement from the Lazarus Group — the North Korean state-backed hacking unit responsible for some of the largest cryptocurrency thefts in history, including the $1.5 billion Bybit hack in early 2025. The attack's sophistication — blending network disruption with data spoofing rather than targeting keys or smart contract logic directly — is consistent with the group's evolving tradecraft in the DeFi space.
The incident has drawn a public response from Tron founder Justin Sun, who addressed the attacker directly on social media and proposed negotiations. He argued that allowing KelpDAO and connected DeFi platforms like Aave to collapse from the exploit serves no one's interests, and that stolen funds at that scale are difficult to move or spend.
What Defenders Should Do:
DeFi protocols and cross-chain bridge operators should audit their verifier configurations and eliminate single-verifier setups wherever possible. Any system relying on a single entity to approve cross-chain transactions has a critical single point of failure. Implement multi-verifier architectures with independent validation layers. Monitor RPC infrastructure for signs of compromise or manipulation, and ensure fallback mechanisms cannot be forced onto attacker-controlled endpoints through DDoS pressure. The Lazarus Group indicators mean organizations in the crypto and DeFi space should maintain heightened vigilance — this group has demonstrated repeated capability to execute nine-figure thefts and is actively scaling operations across the ecosystem.
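The fallback weakness described above can be closed by fixing the agreement threshold against the configured set of operators instead of against whichever nodes still respond. The sketch below is an added illustration, not KelpDAO or LayerZero code; the endpoint names, operator names, hash strings and function names are all hypothetical.

```python
class QuorumError(Exception):
    """Too few independent operators agree: the caller must halt, not fall back."""

def naive_read(responses):
    # Weak pattern: trust whichever endpoint still answers.
    for value in responses.values():
        if value is not None:
            return value
    raise QuorumError("no endpoint reachable")

def quorum_read(responses, operators, min_agree):
    """Return a value only if at least min_agree distinct operators report it.

    responses: endpoint -> reported value, or None if it timed out
    operators: endpoint -> operator name (two nodes of one operator count once)
    """
    # The threshold is fixed against the configured set, so knocking healthy
    # nodes offline can never shrink it to "whoever is left".
    if min_agree * 2 <= len(set(operators.values())):
        raise ValueError("min_agree must be a strict majority of operators")
    backers = {}  # value -> set of operators reporting it
    for endpoint, value in responses.items():
        if value is not None:
            backers.setdefault(value, set()).add(operators[endpoint])
    for value, ops in backers.items():
        if len(ops) >= min_agree:
            return value
    raise QuorumError("quorum not met; refusing to attest")

# Constructed sample data (hypothetical endpoints, operators and hashes).
OPERATORS = {"rpc-a": "op1", "rpc-b": "op2", "rpc-c": "op3",
             "rpc-d": "op4", "rpc-e": "op5"}
HEALTHY = {"rpc-a": "0xforged", "rpc-b": "0xforged", "rpc-c": "0xreal",
           "rpc-d": "0xreal", "rpc-e": "0xreal"}
# Same two compromised nodes, with the three healthy ones under DDoS.
UNDER_DDOS = {**HEALTHY, "rpc-c": None, "rpc-d": None, "rpc-e": None}

if __name__ == "__main__":
    print("naive under DDoS :", naive_read(UNDER_DDOS))
    print("quorum, healthy  :", quorum_read(HEALTHY, OPERATORS, 3))
    try:
        quorum_read(UNDER_DDOS, OPERATORS, 3)
    except QuorumError as exc:
        print("quorum under DDoS:", exc)
```

Failing closed trades availability for integrity: under sustained DDoS the verifier stops attesting, so a `QuorumError` should alert operators instead of triggering a retry against fewer nodes.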