KelpDAO suffers $290 million heist tied to Lazarus hackers

Summary

North Korean state-sponsored hackers affiliated with the Lazarus Group, specifically the TraderTraitor subgroup, executed a $290 million theft from KelpDAO on April 18, 2026, by compromising RPC nodes used in cross-chain message validation and DDoS-ing healthy nodes to force reliance on poisoned data. The attack enabled unauthorized transfer of 116,500 rsETH tokens, which were laundered through Tornado Cash. The incident affected downstream protocols including Compound, Euler, and Aave, which froze rsETH collateral.

Full text

KelpDAO suffers $290 million heist tied to Lazarus hackers By Bill Toulas April 20, 2026 06:23 PM 0 State-sponsored North Korean hackers are likely behind the $290 million crypto-heist that impacted the KelpDAO DeFi project on Saturday. The attack reportedly also impacted the lending protocols Compound, Euler, and Aave, with the latter announcing a freeze and blocking new deposits or borrowing using rsETH as collateral. KelpDAO is a decentralized finance (DeFi) project built around liquid restaking on the Ethereum network. It accepts user ETH deposits, restakes them, and returns a liquid token named ‘rsETH,’ that represents the restaked position. The rsETH token is meant to help users keep earning restaking yield, while it stays usable across DeFi, including cross-chain via LayerZero, an inter-blockchain communication protocol and interoperability layer. On April 18, KelpDAO announced that it detected “suspicious cross-chain activity” involving rsETH, forcing it to pause rsETH contracts across the Ethereum mainnet and L2s. The project launched an investigation with the help of LayerZero, Unichain, and other partners. Blockchain activity showed that around 116,500 rsETH were stolen, around $293 million in USD value, and went through Tornado Cash to hide the trace. According to additional details that LayerZero shared today, the attack targeted the verification layer (DVN) used to validate cross-chain messages for rsETH. Specifically, the attackers compromised some RPC nodes used by the verifier, feeding it falsified blockchain data, while simultaneously DDoS-ing healthy RPC nodes to force the system to rely on the “poisoned” ones. This allowed a fake cross-chain message to be accepted as valid. The system confirmed transactions that never actually occurred on-chain and enabled moving the rsETH without authorization. Based on preliminary evaluation of the attack indicators, LayerZero believes that the infamous Lazarus hackers are likely responsible for the heist. “Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor,” stated LayerZero. The protocol also noted that the incident was isolated to rsETH and that there’s no broader contagion across other apps or assets. While the KelpDAO breach constitutes a major loss so far this year in terms of the stolen amount, the Lazarus Group has also been linked to another large theft, $280 million from the Drift Protocol. According to a post-mortem report, that attack was the result of a six-month-long, carefully planned operation that involved malicious agents attending conferences and $1 million deposits into the project. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Grinex exchange blames "Western intelligence" for $13.7M crypto hackUS nationals behind DPRK IT worker 'laptop farm' sent to prisonFBI: Americans lost a record $21 billion to cybercrime last yearDrift $280M crypto theft linked to 6-month in-person operationDrift loses $280 million as North Korean hackers seize Security Council powers

Indicators of Compromise

• malware — Lazarus Group / TraderTraitor

Entities