North Korean Hackers Blamed for $290 Million Crypto Theft from Kelp DAO

A massive cryptocurrency heist over the weekend has shaken the decentralized finance (DeFi) world. Hackers made off with more than $290 million from Kelp DAO, a protocol designed to help users earn yields on idle crypto assets. By Monday, LayerZero—a project connected to the exploit—publicly accused North Korean hackers of orchestrating the attack. This theft now stands as the largest crypto theft of 2025, surpassing a $285 million breach at crypto exchange Drift in April.

How the Kelp DAO Hack Unfolded

According to a post on X (formerly Twitter), LayerZero revealed that the hackers targeted Kelp DAO through its bridge infrastructure. The LayerZero bridge enables different blockchains to communicate and transfer instructions seamlessly. However, the attackers exploited a critical flaw in Kelp’s security configuration.

Specifically, the protocol did not require multiple verifications before approving transactions. This oversight allowed the hackers to submit fraudulent transactions and drain the funds without raising immediate alarms. In essence, a single compromised step was enough to authorize the massive transfer.

North Korean Hackers: The Prime Suspects

LayerZero cited what it called “preliminary indicators” pointing to North Korea as the culprit. The company specifically named the TraderTraitor hacking group, which has a well-documented history of targeting crypto platforms. This group operates under the direction of Kim Jong Un’s regime and has become increasingly sophisticated in recent years.

Kelp DAO, however, did not accept the blame quietly. The protocol fired back, accusing LayerZero of negligence and suggesting that the bridge itself was the weak link. This finger-pointing highlights the growing tensions within the DeFi ecosystem when security breaches occur.

The Scale of North Korean Crypto Theft

The North Korean crypto theft problem is not new. Last year alone, hackers working for the regime stole more than $2 billion in digital assets. Since 2017, the cumulative total of stolen crypto attributed to North Korea has reached approximately $6 billion, according to industry analysts. These funds are believed to bankroll the country’s weapons programs and other state activities.

This latest heist underscores how North Korean hackers continue to refine their methods. They often exploit cross-chain bridges and DeFi protocols, which remain vulnerable due to their rapid development cycles and sometimes lax security standards.

Implications for DeFi Security

This incident serves as a stark reminder for the entire crypto industry. DeFi platforms must prioritize multi-signature verification and rigorous auditing of smart contracts. As security experts often note, even a single oversight can lead to catastrophic losses.

Moreover, the involvement of state-backed actors like TraderTraitor raises the stakes. These groups have virtually unlimited resources and patience, making them formidable adversaries for any protocol. Building on this, regulators are likely to intensify scrutiny of cross-chain bridges and decentralized exchanges.

What Kelp DAO and LayerZero Should Do Next

Both projects need to conduct transparent post-mortems and implement stronger safeguards. Kelp DAO should consider adopting threshold signatures and time-locked withdrawals. Meanwhile, LayerZero must ensure its bridge code is audited by multiple independent firms.

In addition, the broader community should push for shared threat intelligence. As best practices evolve, collaboration between protocols can help detect and prevent similar attacks in the future.

Ultimately, the $290 million heist is a wake-up call. The DeFi sector cannot afford to ignore the growing threat posed by North Korean hackers. Every protocol must treat security as a non-negotiable priority, not an afterthought.