Inside the KelpDAO Bridge Attack: How a Single Verification Node Unlocked $292 Million for Lazarus Group

The crypto security landscape shifted dramatically in April 2026 when North Korea’s Lazarus Group executed one of the most sophisticated infrastructure attacks in DeFi history. The target was not a smart contract vulnerability, nor a flash loan exploit — it was the off-chain verification layer underpinning KelpDAO’s cross-chain bridge. The result: approximately $292 million in rsETH drained through transactions that on-chain analysis later confirmed looked perfectly legitimate.

The Exploit Mechanics

On April 18, 2026, attackers drained 116,500 rsETH from KelpDAO’s LayerZero bridging adapter by forging a cross-chain message. According to Chainalysis, the attack targeted the RPC nodes that the LayerZero Labs Decentralized Verifier Network (DVN) used to read source-chain state. KelpDAO’s bridge was configured with a single verifier — the LayerZero Labs DVN — meaning no independent party existed to catch a false signal.

The attackers executed a two-pronged assault on the verification infrastructure. First, they compromised two internal RPC nodes hosted by LayerZero Labs itself. Simultaneously, they launched a distributed denial-of-service attack against external RPC nodes operated by third parties. With both pathways feeding corrupted data, the DVN verified a phantom token “burn” on the source chain that never actually occurred. The Ethereum contract, seeing a valid verification, released 116,500 rsETH to the attacker’s address.

Every on-chain transaction appeared completely valid. Messages were relayed, signatures were verified, and the funds moved through the bridge contract without triggering a single alert from traditional monitoring tools. The exploit was invisible to standard smart contract auditors because no contract was broken — the infrastructure observing the contracts was compromised instead.

Affected Systems

The blast radius extended far beyond KelpDAO itself. Aave, the largest DeFi lending platform, saw its total deposits collapse from $45.8 billion to $28.6 billion as the rsETH depeg triggered cascading liquidations. Ethereum’s validator exit queue surged 72,000% to 433,158 ETH, with a seven-day wait time for withdrawals. Total DeFi TVL dropped approximately 30% over a 12-week period encompassing both the Drift Protocol and KelpDAO incidents.

The attacker immediately began laundering proceeds through THORChain, converting stolen ETH to Bitcoin — a pattern consistent with Lazarus Group’s established TraderTraitor playbook. TRM Labs confirmed that THORChain processed the vast majority of proceeds from both the 2025 Bybit breach and the 2026 KelpDAO hack, converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers.

The Mitigation Strategy

Rapid intervention prevented further catastrophe. KelpDAO successfully paused contracts to block a second tranche of approximately $95 million in additional theft. The Arbitrum Security Council, coordinating with law enforcement and Chainalysis, froze over 30,000 ETH of the attacker’s downstream funds — approximately $75 million recovered before it could be laundered further.

This incident exposed a critical architectural weakness in cross-chain bridge design: the reliance on single-verifier configurations. LayerZero has since recommended multi-DVN setups for all bridge deployments, requiring at least two independent verification networks to agree before releasing funds. The single point of failure that enabled this attack — one DVN, one source of truth — must become a relic of early DeFi architecture.

Lessons Learned

The KelpDAO exploit demonstrates that the most dangerous attacks in crypto are not the ones that break code — they are the ones that exploit the infrastructure surrounding the code. Traditional security tools missed this entirely because every on-chain transaction was valid. What was needed was cross-chain invariant monitoring: continuous verification that tokens released on a destination chain mathematically match tokens burned on the source chain.

For protocols operating cross-chain bridges, the lesson is clear. Multi-verifier configurations are no longer optional. RPC node diversity — running independent nodes across different providers and geographic regions — creates the redundancy needed to survive targeted infrastructure attacks. And real-time cross-chain reconciliation, not just transaction monitoring, should be the baseline standard for any bridge holding significant TVL.
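As an added example (not KelpDAO’s or LayerZero’s code), the following Python sketch combines the multi-verifier, RPC-diversity and reconciliation controls described above: a source-chain burn counts only when a quorum of independent RPC providers agree on it, and each destination-chain release is checked against those burns and against a minimum number of distinct attesting verifiers. Provider names, DVN names, nonces and the event shapes are constructed assumptions.

```python
"""Cross-chain invariant monitor for a burn-and-release bridge.

Added example, not KelpDAO or LayerZero code. Provider names, DVN names,
nonces and event shapes are constructed for illustration.
"""
from collections import Counter

# Constructed source-chain burn events as reported by independent RPC
# providers. Each view maps message nonce -> amount burned (whole rsETH).
SOURCE_VIEWS = {
    "provider-a": {1: 10, 2: 25},
    "provider-b": {1: 10, 2: 25},
    "provider-c": {1: 10, 2: 25, 3: 116500},  # only one view reports burn #3
}

# Constructed destination-chain releases: nonce, amount, attesting DVNs.
RELEASES = [
    {"nonce": 1, "amount": 10, "dvns": ["dvn-x", "dvn-y"]},
    {"nonce": 2, "amount": 25, "dvns": ["dvn-x", "dvn-y"]},
    {"nonce": 3, "amount": 116500, "dvns": ["dvn-x"]},  # 1-of-1, no real burn
]


def canonical_burns(views, quorum):
    """Accept a burn only if at least `quorum` independent providers report the
    same (nonce, amount). A burn seen by a single provider, which may be
    compromised or degraded by DoS, is not trusted on its own."""
    votes = Counter()
    for view in views.values():
        for nonce, amount in view.items():
            votes[(nonce, amount)] += 1
    return {nonce: amount for (nonce, amount), n in votes.items() if n >= quorum}


def reconcile(releases, burns, min_dvns):
    """Return a list of alert strings; an empty list means the invariant
    'released on destination == burned on source' holds for this batch."""
    alerts = []
    released = 0
    for r in releases:
        released += r["amount"]
        distinct = len(set(r["dvns"]))
        if distinct < min_dvns:
            alerts.append(f"nonce {r['nonce']}: only {distinct} DVN(s) attested")
        if r["nonce"] not in burns:
            alerts.append(f"nonce {r['nonce']}: release with no quorum-confirmed burn")
        elif burns[r["nonce"]] != r["amount"]:
            alerts.append(f"nonce {r['nonce']}: amount mismatch "
                          f"(burned {burns[r['nonce']]}, released {r['amount']})")
    burned = sum(burns.values())
    if released > burned:
        alerts.append(f"total released {released} exceeds total burned {burned}")
    return alerts


if __name__ == "__main__":
    for alert in reconcile(RELEASES, canonical_burns(SOURCE_VIEWS, 2), 2):
        print("ALERT:", alert)
```

Run as a batch job over each finalized block range, the phantom release on nonce 3 is flagged three times: single attester, no quorum-confirmed burn, and a cumulative released-versus-burned gap.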

TRM Labs reports that North Korean groups stole approximately $577 million from just two attacks in 2026 — Drift Protocol ($285 million) and KelpDAO ($292 million) — accounting for 76% of all crypto hack losses through April. North Korea’s cumulative crypto theft now exceeds $6 billion since 2017, with their share of global hack losses climbing from under 10% in 2020 to 76% in early 2026. The sophistication of these operations is accelerating, with TRM analysts noting that North Korean operators are incorporating AI tools for reconnaissance and social engineering workflows.

User Action Required

If you hold rsETH or interact with KelpDAO’s restaking products, verify your positions against the protocol’s official recovery tracker. Users who deposited into Aave positions collateralized by rsETH should check for bad debt exposure and consider rebalancing into more stable collateral types. For any DeFi user, the KelpDAO incident reinforces a fundamental rule: understand the verification architecture of any bridge you trust with your funds. A 1-of-1 verification setup means a single compromised node can drain everything.

This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.


9 thoughts on “Inside the KelpDAO Bridge Attack: How a Single Verification Node Unlocked $292 Million for Lazarus Group”

    1. Lazarus compromising internal RPC nodes while DDoSing external ones is genuinely sophisticated. State-level attack infrastructure.
