LayerZero blames Lazarus Group for $292 million Kelp DAO hack



LayerZero has attributed the Kelp DAO hack to North Korea’s Lazarus Group, identifying a “single point of failure” in the verification configuration as the weakness that made the attack possible.

The breach drained $292 million from Kelp DAO’s rsETH pool on April 18, making it the largest decentralized finance (DeFi) exploit of 2026 to date. The event caused total value locked (TVL) across the DeFi sector to fall by 7% in 24 hours to $85 billion, according to DefiLlama data.

The attribution is not definitive; it is presented as probable rather than proven. LayerZero has also claimed that Lazarus was the originator, but this has not been independently confirmed. The question this article answers is what this distinction means for the protocol, for users, and for cross-chain security as a whole.

Key takeaways:

  • Source of the attribution: LayerZero conducted a post-incident investigation and named North Korea’s Lazarus Group – specifically the TraderTraitor sub-group – as the culprit.
  • Technical cause: Kelp DAO ran a 1-of-1 DVN (Decentralized Verifier Network) configuration, bypassing the redundancy LayerZero provides by requiring multiple verifiers.
  • Scale of the loss: About $292 million was drained from Kelp DAO’s rsETH pool; LayerZero’s protocol code and keys were not compromised.
  • Market impact: Total value locked (TVL) in DeFi fell by 7% in 24 hours to $86 billion after the event.
  • Response: LayerZero has shut down the affected RPC nodes and restored DVN services; cooperation with law enforcement agencies to trace the funds is ongoing.
  • What’s next: The market is waiting for Kelp DAO to announce a repayment plan, and to see whether other protocols running single-DVN configurations address the weakness before it is exploited again.

LayerZero on Kelp DAO and Lazarus: what does a single-node failure mean for cross-chain architecture?

The attack was multi-stage and precisely executed. The attackers first compromised the RPC infrastructure feeding LayerZero’s verification network, then launched a distributed denial-of-service (DDoS) attack that forced the system into a fallback mode.

When the verification network came back online, the system verified the forged message, and $292 million in rsETH was drained from the Kelp DAO pool before the fraud was detected.

The biggest contributing factor was that Kelp DAO ran a 1-of-1 DVN configuration, meaning that only one verifying node stood between the protocol and catastrophic failure. LayerZero had advised, reportedly several times, that this setup was insufficient and had recommended a multi-DVN configuration in line with industry best practice for both liveness and security, but Kelp DAO did not act on that advice.

A multi-DVN setup would have required the attackers to compromise several independent nodes simultaneously, a technically far harder task. The 1-of-1 configuration removed this barrier. As David Schwartz, Ripple’s chief technology officer, said on Platform

LayerZero’s response was immediate: the team shut down all affected RPC nodes after the incident and restored DVN functionality without disrupting other protocols that use the same infrastructure. The LayerZero protocol code was not compromised, and no private keys were exposed. The failure was structural, not fundamental – a distinction that matters for the protocol’s credibility, but does nothing to recover the $292 million.
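To make the 1-of-1 versus multi-DVN distinction concrete, here is an added toy model of quorum verification (not LayerZero’s code; DVN names, the `required`/`optional`/threshold structure and the placeholder hashes are assumptions). A DVN fed by poisoned RPC data attests to a forged payload hash; the model shows that a single compromised verifier is sufficient under 1-of-1 but not under a configuration that requires agreement from several independent DVNs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DvnConfig:
    """Hypothetical verifier configuration: every required DVN must attest,
    plus at least optional_threshold of the optional DVNs."""
    required: frozenset
    optional: frozenset = frozenset()
    optional_threshold: int = 0

def verify(config, payload_hash, attestations):
    """attestations maps dvn_id -> the payload hash that DVN observed.
    Returns True only if the quorum agrees on payload_hash."""
    agrees = {dvn for dvn, h in attestations.items() if h == payload_hash}
    if not config.required <= agrees:          # any required DVN dissenting blocks it
        return False
    return len(config.optional & agrees) >= config.optional_threshold

# Constructed placeholder hashes for the genuine and the forged cross-chain message.
GENUINE = "0xgenuine-payload-hash"
FORGED = "0xforged-payload-hash"

def scenario(config, compromised):
    """Honest DVNs observe the genuine message; DVNs whose RPC feed is poisoned
    observe the forged one. Returns what the configuration would accept."""
    dvns = config.required | config.optional
    observed = {d: (FORGED if d in compromised else GENUINE) for d in dvns}
    return {
        "forged_accepted": verify(config, FORGED, observed),
        "genuine_accepted": verify(config, GENUINE, observed),
    }

def min_dvns_to_compromise(config):
    """Number of independent verifiers an attacker must control to pass a forgery."""
    return len(config.required) + config.optional_threshold

if __name__ == "__main__":
    single = DvnConfig(required=frozenset({"dvnA"}))
    multi = DvnConfig(required=frozenset({"dvnA", "dvnB"}),
                      optional=frozenset({"dvnC", "dvnD", "dvnE"}),
                      optional_threshold=1)
    print("1-of-1, dvnA poisoned:", scenario(single, {"dvnA"}))
    print("multi-DVN, dvnA poisoned:", scenario(multi, {"dvnA"}))
    print("attackers must compromise", min_dvns_to_compromise(multi), "DVNs")
```

Note that in the multi-DVN case a single poisoned verifier also blocks the genuine message, so the protocol loses liveness rather than funds, which is the trade-off the redundancy is designed to make.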

Why the North Korea attribution changes the threat model for the entire DeFi sector

LayerZero’s attribution of the Kelp DAO attack to the Lazarus Group, which it presents as probable rather than certain, fits a growing pattern of attack methods.

The TraderTraitor sub-group, a well-known part of Lazarus, was identified in preliminary forensic analysis. LayerZero is working with law enforcement authorities around the world to trace the funds, suggesting that the evidence is strong enough to support investigations at the national level.

Lazarus has been linked to some of the biggest crypto thefts in history, including the $625 million Ronin Network hack in 2022, and a series of DeFi protocol hacks that together funneled billions of dollars to North Korea, according to estimates from the US Treasury and the United Nations.

North Korea’s use of crypto goes well beyond direct hacks: the regime has also planted operatives inside Web3 companies using fake credentials, a complementary strategy that extends the attack surface beyond the infrastructure itself.

Cross-chain protocols are obvious targets for these actors: they sit at valuable chokepoints between multiple chains, often hold more aggregated value than any single chain, and their security relies on verification networks that fail unless they are configured correctly. RPC poisoning of verification networks represents a new development – one that security researchers say is now documented and repeatable.

The post LayerZero blames Lazarus Group for $292 million Kelp DAO hack appeared first on Cryptonews Arabic.