North Korean Hackers Blamed for $290 Million KelpDAO Crypto Heist: A Sophisticated Raid

The largest cryptocurrency theft of the year so far has been linked to state-backed North Korean hackers, with the decentralized finance protocol KelpDAO losing approximately $290 million in rsETH tokens over the weekend. The KelpDAO crypto heist has sent shockwaves through the DeFi community, highlighting the growing sophistication of threat actors targeting cross-chain infrastructure.

How the KelpDAO Crypto Heist Unfolded

KelpDAO operates as a liquid restaking protocol, accepting Liquid Staking Tokens (LSTs) such as stETH, ETHx, and sfrxETH, and issuing rsETH in return. On Saturday, the firm detected suspicious cross-chain activity involving rsETH, prompting an immediate pause of operations.

According to the company, attackers stole 116,500 rsETH—worth around $293 million—and funneled the funds through Tornado Cash to obscure the trail. The breach exploited the LayerZero infrastructure that KelpDAO relies on for cross-chain communication.

LayerZero uses Decentralized Verifier Networks (DVNs), independent entities that verify the integrity of cross-chain messages before they are delivered on the destination chain. On April 18, the North Korean Lazarus Group targeted LayerZero Labs' DVN by poisoning the RPC infrastructure the DVN reads from rather than the DVN itself. The attackers obtained the list of RPC endpoints used by the DVN, compromised two independent nodes on that list, and swapped out the op-geth binaries running on them, so that those endpoints would report whatever source-chain state the attackers chose.

“Because of our least-privilege principles, they were unable to compromise the actual DVN instances. However, they used this pivot point to execute an RPC-spoofing attack,” LayerZero explained. The hackers then launched a DDoS attack against non-compromised RPCs, triggering a failover to the poisoned ones. This allowed them to send a forged cross-chain message that was accepted as valid, enabling the unauthorized transfer of rsETH.

LayerZero Blames KelpDAO for Configuration Flaws

In a striking twist, LayerZero has pushed back against KelpDAO’s initial blame, arguing that the protocol’s single-DVN configuration was the root cause. “Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message,” LayerZero stated. It noted that best practices around DVN diversification had been communicated to KelpDAO, but the firm chose a 1/1 DVN setup.

“A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised,” the company added.
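To make the two configuration choices concrete, here is an added example that models the chain described above (RPC poisoning, DDoS-forced failover, and the DVN verification rule) and replays it under a 1/1 DVN setup, a two-required-DVN setup, and an RPC-level quorum. This is not LayerZero's or KelpDAO's code: `RpcNode`, `Dvn`, `verify_message`, `run_scenario` and the message contents are constructed for the demonstration, the "two poisoned nodes plus two DDoS'd nodes" RPC layout is an assumed layout consistent with the article, and the real ULN config (required DVNs, optional DVNs, optional threshold) is simplified to a payload-hash vote.

```python
"""Toy model of the attack chain and the two configuration choices discussed above.

Added example, not LayerZero or KelpDAO code. RpcNode, Dvn and verify_message are
simplifications of the real RPC -> DVN -> ULN flow; all message contents and the
RPC pool layout below are constructed for the demonstration.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import List, Optional, Sequence


def payload_hash(data: bytes) -> str:
    return sha256(data).hexdigest()


# Constructed sample data: the attacker's forged message and the genuine
# messages that were actually emitted on the source chain.
FORGED = payload_hash(b"unlock 116500 rsETH to attacker")
GENUINE = {payload_hash(b"bridge 10 rsETH to user-1"),
           payload_hash(b"bridge 2 rsETH to user-2")}


@dataclass
class RpcNode:
    """A source-chain RPC endpoint as seen by a DVN.

    poisoned models a node whose op-geth binary was swapped: it confirms the
    forged message. reachable=False models a node knocked out by the DDoS.
    """
    name: str
    poisoned: bool = False
    reachable: bool = True

    def message_exists(self, h: str) -> Optional[bool]:
        if not self.reachable:
            return None            # timeout / connection refused
        if self.poisoned and h == FORGED:
            return True            # the lie: "yes, that message is on-chain"
        return h in GENUINE


@dataclass
class Dvn:
    """Verifier that attests to a payload hash if its RPC view confirms it.

    rpc_quorum=1 is plain failover: the first RPC that answers is believed.
    rpc_quorum=k requires k of the *configured* RPCs to confirm; unreachable
    nodes never count, so the DVN fails closed when too many are down.
    """
    name: str
    rpcs: List[RpcNode]
    rpc_quorum: int = 1

    def attests(self, h: str) -> bool:
        answers = [a for a in (r.message_exists(h) for r in self.rpcs) if a is not None]
        if not answers:
            return False
        if self.rpc_quorum == 1:
            return answers[0]      # failover behaviour that was exploited
        return answers.count(True) >= self.rpc_quorum


def verify_message(h: str, dvns: List[Dvn], required: Sequence[str],
                   optional: Sequence[str] = (), optional_threshold: int = 0) -> bool:
    """ULN-style rule: every required DVN attests, plus optional_threshold optional ones."""
    by_name = {d.name: d for d in dvns}
    required_ok = all(by_name[n].attests(h) for n in required)
    optional_ok = sum(by_name[n].attests(h) for n in optional) >= optional_threshold
    return required_ok and optional_ok


def run_scenario(ddos: bool = True, rpc_quorum: int = 1) -> dict:
    """Replay the incident under different DVN and RPC configurations."""
    # Targeted DVN's RPC pool: two honest nodes (DDoS targets) and the two nodes
    # whose binaries the attacker replaced. Assumed layout, not the real pool.
    labs = Dvn("LayerZeroLabsDVN", [
        RpcNode("labs-rpc-1", reachable=not ddos),
        RpcNode("labs-rpc-2", reachable=not ddos),
        RpcNode("labs-rpc-3", poisoned=True),
        RpcNode("labs-rpc-4", poisoned=True),
    ], rpc_quorum)
    # Independent DVNs with their own, untouched RPC infrastructure.
    dvn_b = Dvn("DVN-B", [RpcNode(f"b-rpc-{i}") for i in range(3)], rpc_quorum)
    dvn_c = Dvn("DVN-C", [RpcNode(f"c-rpc-{i}") for i in range(3)], rpc_quorum)
    dvns = [labs, dvn_b, dvn_c]
    return {
        # The 1/1 setup: a single required DVN and nothing to cross-check it.
        "forged_accepted_1_of_1": verify_message(FORGED, dvns, required=["LayerZeroLabsDVN"]),
        # Two required DVNs: both must confirm the same payload hash.
        "forged_accepted_2_required": verify_message(
            FORGED, dvns, required=["LayerZeroLabsDVN", "DVN-B"]),
        # One required plus 1-of-2 optional, a cheaper hardening step.
        "forged_accepted_1_plus_1_of_2": verify_message(
            FORGED, dvns, required=["LayerZeroLabsDVN"],
            optional=["DVN-B", "DVN-C"], optional_threshold=1),
        # Liveness check: a genuine message under the hardened configuration.
        "genuine_accepted_2_required": verify_message(
            next(iter(GENUINE)), dvns, required=["LayerZeroLabsDVN", "DVN-B"]),
    }


if __name__ == "__main__":
    for ddos, quorum in [(True, 1), (False, 1), (True, 3)]:
        print(f"ddos={ddos} rpc_quorum={quorum}: {run_scenario(ddos, quorum)}")
```

Two things fall out of the replay. First, the DDoS is load-bearing: with the honest RPCs reachable, even the single-DVN configuration rejects the forged message, which is why the attackers had to force the failover. Second, the fix can sit at either layer: a second independent required DVN rejects the forgery because its own RPC view never saw the message, and an RPC quorum of three out of four inside the targeted DVN also rejects it, at the cost of failing closed (refusing to attest genuine messages too) while most of its RPCs are down. That fail-closed behaviour is the right trade for a bridge verifier.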

Fortunately, around a quarter of the stolen value, approximately 30,766 ETH ($71 million), has been frozen by Arbitrum's Security Council, providing a small silver lining in an otherwise devastating incident.

Lazarus Group’s Growing Sophistication

Security experts warn that the Lazarus Group is demonstrating increasingly advanced operational capabilities. “These environments are not being tested by smash and grab actors, they are being pressured by disciplined adversaries who understand how to chain together weak points across infrastructure, applications, and trust relationships,” said Pete Luban, CISO at AttackIQ. “Groups like Lazarus are not just walking away richer, they are walking away better, with more resources to scale tooling, refine techniques, and reinvest in future campaigns.”

Nick Tausek, lead security automation architect at Swimlane, echoed this sentiment, noting the attack followed a familiar North Korean pattern of “patient intrusion, manipulation of trust, and detection suppression.” He added: “By compromising infrastructure tied to LayerZero’s verifier role, they’ve stepped into a trusted position in the transaction flow and abused that trust to push forged messages downstream. That’s what makes third-party breaches so dangerous in crypto: the blast radius rarely stops with the initial victim.”

Lessons for DeFi Security

This incident underscores the critical importance of robust cross-chain security configurations. For DeFi protocols, relying on a single verifier is clearly a high-risk strategy. As the KelpDAO crypto heist shows, even well-funded projects can fall victim to sophisticated adversaries when best practices are ignored.

Moving forward, protocols should adopt multi-DVN setups, diversify and cross-check the RPC sources their verifiers read from so that no single poisoned or failed-over endpoint can speak for the source chain, audit their infrastructure regularly, and stay informed about emerging threats.

The Lazarus Group’s ability to chain together multiple vulnerabilities—from RPC poisoning to DDoS attacks—highlights the need for a defense-in-depth approach. As the crypto industry matures, so too must its security posture.
