Chainalysis noted that on April 18, 2026, cybercriminals believed to be tied to North Korea’s Lazarus Group executed one of the largest DeFi heists of the year, siphoning approximately $292 million (116,500 rsETH) from KelpDAO’s LayerZero-powered bridge. Unlike typical smart-contract vulnerabilities, this breach targeted off-chain infrastructure, exposing critical weaknesses in cross-chain verification systems.
Chainalysis indicated that the incident underscores how even audited protocols remain vulnerable when single points of failure exist in supporting networks.
The attack centered on KelpDAO’s use of LayerZero’s bridging adapter for transferring rsETH across chains.
The setup relied on Decentralized Verifier Networks (DVNs) to confirm transactions from the source chain, Unichain.
In a risky configuration common for new deployments, KelpDAO employed a single verifier—the LayerZero Labs DVN—creating a 1-of-1 dependency. Attackers exploited this by compromising two internal RPC nodes operated by LayerZero.
They gained access to the DVN’s node list, injected malicious software on isolated clusters, and simultaneously launched a DDoS assault on an external RPC node.
This forced the system to rely exclusively on the tainted internal nodes.
The compromised nodes deliberately reported fabricated block data, falsely indicating that rsETH had been burned on Unichain. No such burn ever occurred.
With the forged message validated by the sole DVN, the Ethereum-side contract released the full 116,500 rsETH to attacker-controlled addresses.
Every on-chain step—message relay, signature verification, and fund transfer—appeared legitimate, evading conventional monitoring tools that scan only individual transactions.
KelpDAO’s team quickly identified the anomaly and activated emergency pauses across Ethereum and its Layer 2 deployments.
They blacklisted the attacker’s addresses and collaborated with security firm SEAL-911, successfully thwarting a follow-up attempt that could have drained an additional $95 million (40,000 rsETH).
On April 20, the Arbitrum Security Council, working with law enforcement, froze more than 30,766 ETH of the stolen proceeds on downstream addresses, preventing immediate laundering while preserving chain integrity for other users.
Chainalysis analysts emphasize that the exploit succeeded because bridges depend on an essential cross-chain invariant: assets released on the destination chain must precisely match those burned or locked on the source.
Here, the phantom release created unbacked rsETH, threatening liquidity pools and collateral systems that rely on the token. Traditional audits and transaction monitors missed the breach entirely, as the manipulation occurred entirely off-chain.
The event highlights urgent lessons for DeFi infrastructure. Single-verifier setups and over-reliance on any one party’s RPC infrastructure represent unacceptable risks in high-value bridges.
Industry professionals recommend multi-DVN configurations and real-time invariant monitoring tools capable of cross-referencing burns and releases across chains.
Such systems could trigger rapid pauses before funds are swapped or bridged further.
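The two controls recommended above, an M-of-N verifier quorum and a release-versus-burn invariant monitor, as an added example that is not code from Chainalysis, KelpDAO or LayerZero. The model accepts a bridge message only when enough distinct verifiers agree that the source-chain burn happened, then cross-references every destination-chain release against the burns actually observed on the source chain and raises a pause trigger on any unbacked release. Verifier names, message ids and the 250-token legitimate transfer are constructed for illustration; the 116,500 figure is the page's own.

```python
"""Cross-chain invariant monitor with an M-of-N verifier quorum.

Added example, not code from Chainalysis, KelpDAO or LayerZero. It models the
two controls the report recommends: requiring agreement from several
independent verifiers (DVNs) instead of a single one, and continuously
checking that every release on the destination chain is backed by a burn on
the source chain. Verifier names, message ids and amounts are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    dvn: str          # name of the verifier that produced this report (constructed)
    message_id: str   # bridge message the verifier is attesting to
    amount: int       # tokens the verifier claims were burned on the source chain
    burned: bool      # whether the verifier's view of the source chain shows the burn


def verify_quorum(attestations, required):
    """Return (message_id, amount) only if at least `required` distinct DVNs
    agree that the burn happened with the same amount; otherwise None.

    Each DVN gets one vote, so a verifier fed fabricated block data by tainted
    RPC nodes cannot outvote honest verifiers on its own. required=1 means any
    single DVN suffices, which is the 1-of-1 dependency described above.
    """
    if required < 1:
        raise ValueError("quorum threshold must be at least 1")
    first_vote = {}
    for a in attestations:
        first_vote.setdefault(a.dvn, a)   # ignore duplicate reports from one DVN
    votes = Counter((a.message_id, a.amount) for a in first_vote.values() if a.burned)
    for (message_id, amount), count in votes.items():
        if count >= required:
            return message_id, amount
    return None


def check_release_invariant(source_burns, dest_releases):
    """Cross-reference destination-chain releases with burns observed on the
    source chain; return one alert per violation of 'released == burned'.

    source_burns:  {message_id: amount} actually seen on the source chain
    dest_releases: list of {"message_id": ..., "amount": ...} seen on the destination
    """
    alerts = []
    for release in dest_releases:
        backing = source_burns.get(release["message_id"])
        if backing is None:
            alerts.append(("UNBACKED_RELEASE", release["message_id"], release["amount"]))
        elif release["amount"] > backing:
            alerts.append(("OVER_RELEASE", release["message_id"], release["amount"] - backing))
    return alerts


def should_pause(source_burns, dest_releases):
    """Emergency-pause trigger: any per-message violation, or aggregate releases
    exceeding aggregate burns, halts the bridge before funds move further."""
    total_burned = sum(source_burns.values())
    total_released = sum(r["amount"] for r in dest_releases)
    return bool(check_release_invariant(source_burns, dest_releases)) or total_released > total_burned


# Constructed scenario: a forged message claims 116_500 tokens were burned, but
# the source chain shows no such burn. "dvn_compromised" reads from tainted RPC
# nodes; the two other verifiers read from independent infrastructure.
FORGED = "msg-forged"
HONEST_SOURCE_BURNS = {"msg-0001": 250}      # the only burn that actually happened

ATTESTATIONS = [
    Attestation("dvn_compromised", FORGED, 116_500, True),
    Attestation("dvn_independent_a", FORGED, 0, False),
    Attestation("dvn_independent_b", FORGED, 0, False),
]


def run_scenario(required):
    """Let the destination contract act on the quorum decision, then run the
    invariant monitor over the resulting releases.
    Returns (forged_release_made, alerts, pause)."""
    decision = verify_quorum(ATTESTATIONS, required)
    releases = [{"message_id": "msg-0001", "amount": 250}]   # legitimate release
    if decision is not None:
        releases.append({"message_id": decision[0], "amount": decision[1]})
    alerts = check_release_invariant(HONEST_SOURCE_BURNS, releases)
    return decision is not None, alerts, should_pause(HONEST_SOURCE_BURNS, releases)


if __name__ == "__main__":
    for required in (1, 2):
        released, alerts, pause = run_scenario(required)
        print(f"{required}-of-3 quorum: forged release={released} alerts={alerts} pause={pause}")
```

With a threshold of 1 the single compromised verifier is enough to release the phantom 116,500 tokens, and only the invariant monitor catches it afterwards; with a threshold of 2 the forged message never reaches the destination contract. Running both layers together is the point: the quorum removes the single point of failure, and the monitor provides the pause trigger if the quorum is ever subverted anyway.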
While the swift response limited total losses, the attack is a stark wake-up call: proper governance, coordinated freezes, and advanced detection layers are now essential to safeguarding decentralized finance against state-sponsored threats. Chainalysis concluded that as investigations continue, the case may reveal additional tactics used by the TraderTraitor subgroup of the infamous Lazarus Group.