
LayerZero accuses Lazarus Group of hacking Kelp DAO for $292 million

LayerZero attributed the Kelp DAO hack to North Korean group Lazarus, identifying a “single point of failure” in the protocol’s verification settings as the technical cause that made the attack possible.

The breach drained approximately $292 million from Kelp DAO’s rsETH pool on April 18, making it the largest hack in the decentralized finance (DeFi) industry in 2026 so far. The incident led to a 7% drop in total value locked (TVL) in the DeFi sector in 24 hours, reaching $85 billion, according to data from DefiLlama.

The attribution is not a definitive conclusion but a probabilistic one: LayerZero reported Lazarus as the likely culprit, and that has not been independently confirmed. This article looks at what that distinction means for the protocol, its users, and the cross-chain security model.

Highlights:
  • Source of accusation: LayerZero conducted an investigation after the incident and named the North Korean group Lazarus – specifically the TraderTraitor subgroup – as the likely culprit.
  • Technical cause: Kelp DAO ran a 1-of-1 Decentralized Verifier Network (DVN) configuration, a single DVN with no redundancy, despite LayerZero's repeated recommendations to require multiple DVNs.
  • Amount stolen: Nearly $292 million drained from Kelp DAO's rsETH pool; no LayerZero protocol code or keys were compromised.
  • Market impact: Total value locked (TVL) in DeFi fell 7% in 24 hours to $86 billion following the incident.
  • Response: LayerZero shut down the affected RPC nodes and fully restored DVN operations; cooperation with law enforcement to recover the funds continues.
  • Follow-up: The market is waiting for Kelp DAO to announce a compensation mechanism, and for other protocols running single-DVN configurations to fix them before the next attack.

LayerZero's findings on Kelp DAO and Lazarus: what a single point of failure means in a cross-chain architecture

The attack was multi-step and precise. The attackers first poisoned the RPC infrastructure that fed LayerZero's decentralized verification network, then launched a distributed denial-of-service (DDoS) attack designed to force the system to fail over to the compromised backup nodes.

Once verification was running against the poisoned nodes, the system verified forged cross-chain messages, and $292 million in rsETH left the Kelp DAO pool before the fraud was detected.
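The following is an added illustration of the mechanism just described, not code from LayerZero, Kelp DAO, or the investigation. It models a verifier that reads the state of a cross-chain packet from RPC providers and compares two designs: a naive verifier that fails over to whichever backup answers, and one that requires independent providers to agree before it attests. The endpoint names, packet hashes and the "before DDoS / during DDoS" phases are constructed for the example.

```python
"""Simulated DVN source verification: naive RPC failover versus a cross-checked RPC quorum.

Constructed scenario modelled on the attack described above (poisoned backup RPC nodes
plus a DDoS on the healthy primary). Illustrative model only, not LayerZero or Kelp DAO
code; endpoint names and hashes are made up.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

GENUINE = "0x" + "aa" * 32  # constructed: hash of the real cross-chain packet
FORGED = "0x" + "bb" * 32   # constructed: hash of the attacker's forged packet


@dataclass
class RpcEndpoint:
    """One RPC provider as the verifier sees it: the packet hash it reports, or None if unreachable."""
    name: str
    reply: Optional[str]


class NaiveDvn:
    """Trusts whichever endpoint answers first: primary, then backups in order.

    A DDoS on the primary silently moves trust to the first backup that still responds.
    """

    def __init__(self, endpoints: list[RpcEndpoint]) -> None:
        self.endpoints = endpoints

    def attest(self) -> Optional[str]:
        for ep in self.endpoints:
            if ep.reply is not None:
                return ep.reply
        return None  # nothing reachable: no attestation


class QuorumDvn:
    """Attests only when at least `threshold` independent endpoints report the same hash.

    An unreachable endpoint is not a vote, so knocking honest sources offline can only
    stall the verifier; it cannot shift the decision onto a single poisoned node.
    """

    def __init__(self, endpoints: list[RpcEndpoint], threshold: int) -> None:
        if threshold < 2 or threshold > len(endpoints):
            raise ValueError("threshold must be at least 2 and at most the number of endpoints")
        self.endpoints = endpoints
        self.threshold = threshold

    def attest(self) -> Optional[str]:
        votes = Counter(ep.reply for ep in self.endpoints if ep.reply is not None)
        if not votes:
            return None
        packet_hash, count = votes.most_common(1)[0]
        return packet_hash if count >= self.threshold else None


def run_scenario() -> dict[str, Optional[str]]:
    """Replay the attack against both designs and return what each one attested."""
    # Phase 1: every provider is reachable; the backup node has already been poisoned.
    naive_before = NaiveDvn([
        RpcEndpoint("primary", GENUINE),
        RpcEndpoint("backup", FORGED),
    ]).attest()
    quorum_before = QuorumDvn([
        RpcEndpoint("provider-a", GENUINE),
        RpcEndpoint("provider-b", GENUINE),
        RpcEndpoint("provider-c", FORGED),
    ], threshold=2).attest()

    # Phase 2: the DDoS takes the honest providers offline; only poisoned nodes still answer.
    naive_during = NaiveDvn([
        RpcEndpoint("primary", None),
        RpcEndpoint("backup", FORGED),
    ]).attest()
    quorum_during = QuorumDvn([
        RpcEndpoint("provider-a", None),
        RpcEndpoint("provider-b", None),
        RpcEndpoint("provider-c", FORGED),
    ], threshold=2).attest()

    return {
        "naive_before": naive_before,    # GENUINE
        "naive_during": naive_during,    # FORGED: failover handed the attacker's packet through
        "quorum_before": quorum_before,  # GENUINE
        "quorum_during": quorum_during,  # None: the verifier stalls instead of attesting a forgery
    }


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(f"{label}: {result}")
```

The point of the quorum variant is that a DDoS against it costs the attacker liveness (the verifier refuses to attest while its honest sources are down) rather than safety; to get a forged hash through, the attacker would have to poison at least `threshold` providers that are run independently of each other, not just outlast the primary.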

The critical factor was that Kelp DAO was running a 1-of-1 DVN configuration, meaning a single verification node stood between the protocol and catastrophic failure. According to the investigation, LayerZero had told Kelp DAO more than once that this setup was inadequate and had recommended a multi-DVN configuration, in line with industry best practice, for redundancy and security; Kelp DAO did not act on those recommendations.
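To make the difference between a 1-of-1 and a multi-DVN configuration concrete, here is an added example (not LayerZero's or Kelp DAO's code). The config shape borrows the field names of LayerZero V2's UlnConfig (requiredDVNs, optionalDVNs, optionalDVNThreshold), but the verification rule is a simplified model, and the DVN names, packet hashes and the "Kelp-like" and "hardened" configurations are assumptions made for the example. It also brute-forces the smallest set of DVNs an attacker has to turn to get a forged packet verified under each configuration.

```python
"""Model of DVN quorum verification: a 1-of-1 configuration versus a multi-DVN one.

Added illustration, not LayerZero or Kelp DAO code. Field names follow the shape of
LayerZero V2's UlnConfig (requiredDVNs, optionalDVNs, optionalDVNThreshold); the rule
below is a simplification of it, and DVN names and hashes are constructed.
"""
from dataclasses import dataclass
from itertools import combinations

GENUINE = "0x" + "aa" * 32  # constructed: hash of the real packet
FORGED = "0x" + "bb" * 32   # constructed: hash the attacker wants verified


@dataclass(frozen=True)
class UlnConfig:
    required_dvns: tuple[str, ...]       # every one of these must attest the packet
    optional_dvns: tuple[str, ...] = ()  # at least optional_threshold of these must attest
    optional_threshold: int = 0

    def __post_init__(self) -> None:
        if not self.required_dvns and self.optional_threshold == 0:
            raise ValueError("configuration would verify any packet")
        if self.optional_threshold > len(self.optional_dvns):
            raise ValueError("optional threshold exceeds the number of optional DVNs")


def is_verified(cfg: UlnConfig, packet_hash: str, attestations: dict[str, str]) -> bool:
    """True when the quorum described by cfg has attested exactly packet_hash.

    attestations maps a DVN name to the hash that DVN attested (absent = no attestation).
    """
    required_ok = all(attestations.get(d) == packet_hash for d in cfg.required_dvns)
    optional_votes = sum(attestations.get(d) == packet_hash for d in cfg.optional_dvns)
    return required_ok and optional_votes >= cfg.optional_threshold


def min_dvns_to_forge(cfg: UlnConfig) -> int:
    """Smallest number of DVNs that must attest a forged hash for it to verify (brute force)."""
    dvns = cfg.required_dvns + cfg.optional_dvns
    for k in range(1, len(dvns) + 1):
        for subset in combinations(dvns, k):
            if is_verified(cfg, FORGED, {d: FORGED for d in subset}):
                return k
    return len(dvns) + 1  # not reachable for a valid configuration


# Assumed configurations (not Kelp DAO's actual settings):
KELP_LIKE = UlnConfig(required_dvns=("dvn-a",))  # 1-of-1: a single required DVN
HARDENED = UlnConfig(
    required_dvns=("dvn-a", "dvn-b"),
    optional_dvns=("dvn-c", "dvn-d", "dvn-e"),
    optional_threshold=2,
)


def run_scenario() -> dict[str, object]:
    """dvn-a is fed poisoned RPC data and attests the forged packet; every other DVN sees the real one."""
    attestations = {
        "dvn-a": FORGED,
        "dvn-b": GENUINE,
        "dvn-c": GENUINE,
        "dvn-d": GENUINE,
        "dvn-e": GENUINE,
    }
    return {
        "single_dvn_accepts_forgery": is_verified(KELP_LIKE, FORGED, attestations),  # True
        "multi_dvn_accepts_forgery": is_verified(HARDENED, FORGED, attestations),   # False
        # dvn-a disagrees with the rest, so the real packet is held too: a liveness cost, not a theft.
        "multi_dvn_accepts_genuine": is_verified(HARDENED, GENUINE, attestations),  # False
        "forge_cost_single": min_dvns_to_forge(KELP_LIKE),  # 1
        "forge_cost_multi": min_dvns_to_forge(HARDENED),    # 4: both required DVNs plus 2 optional
    }


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(f"{label}: {result}")
```

Under the 1-of-1 configuration a single misled DVN is enough; under the hardened one the same failure blocks the forged packet and, because a required DVN is disagreeing, also holds the genuine one until the DVN is repaired, which is the trade the multi-DVN setup makes. The brute-force count is the number the text refers to when it says an attacker would have to compromise several independent verifiers at once.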

A multi-DVN setup would have required the attackers to compromise several independent verification nodes at the same time, a far harder technical task. The 1-of-1 configuration removed that barrier entirely. As Ripple CTO David Schwartz said on Platform

LayerZero's response was prompt: the team shut down every affected RPC node after the incident and fully restored DVN operations without affecting other protocols that use the same infrastructure. The LayerZero protocol code was not compromised and no private keys were exposed. The failure was one of configuration, not of the protocol's core, a distinction that matters a great deal for the protocol's credibility but does not recover the $292 million.

Why North Korea’s accusation changes the threat model for the entire DeFi sector

LayerZero's attribution of the Kelp DAO attack to Lazarus Group, presented as probable rather than certain, fits an established and accelerating pattern of attacks.

The TraderTraitor subgroup, a known operational unit of Lazarus, was identified early in the forensic analysis. LayerZero is actively cooperating with law enforcement worldwide to trace the funds, which suggests the evidence is strong enough to justify bringing national investigative resources to bear.

Lazarus has been linked to some of the largest cryptocurrency thefts on record, including the $625 million Ronin network hack in 2022 and a series of DeFi protocol hacks that collectively moved billions of dollars to North Korea’s weapons programs, according to U.S. Treasury and United Nations estimates.

North Korea's crypto operations go beyond direct hacks: the regime also plants operatives inside Web3 companies under false identities, a parallel track that extends the attack surface beyond infrastructure alone.

Cross-chain protocols are structurally attractive targets for this kind of actor: they sit at high-value junctions between multiple chains, often hold more combined liquidity than any single application, and their security rests on verification networks that become single points of failure when misconfigured. The RPC-poisoning tactic against verification networks is an escalation, one that security researchers say is now documented and repeatable.

The post LayerZero accuses Lazarus Group of hacking Kelp DAO worth $292 million appeared first on Cryptonews Arabic.
