$290 Million Stolen: North Korean Hackers Strike Again in Massive DeFi Heist

Last weekend, Kelp DAO, a liquid restaking protocol built on Ethereum, suffered an attack of a scale rarely seen in decentralized finance. Nearly $290 million in cryptocurrency was drained in a matter of minutes, making the breach the largest DeFi exploit of 2026 so far. The attack has been attributed with high confidence to the TraderTraitor group, a unit of the Lazarus Group that is believed to operate on behalf of the North Korean regime. It comes just weeks after the Drift protocol hack in early April, in which $285 million was stolen on the Solana blockchain, bringing the total diverted by North Korean actors to more than $575 million in under three weeks.

Background

Since the mid-2010s, hackers affiliated with North Korea have progressively transformed cryptocurrency theft into a state-sponsored industry. These operations are no longer the work of isolated individuals motivated by personal profit: they constitute a structured activity funded by the Kim Jong Un regime, with proceeds serving to fuel both the country’s weapons programs and circumvent international economic sanctions. According to estimates from several blockchain security firms, including Elliptic and Chainalysis, North Korean hackers managed to divert more than $2 billion in 2025 alone. Over the entire period since 2017, cumulative losses total approximately $6 billion — a sum that exceeds the gross domestic product of many nations.

The TraderTraitor group, first named publicly in a joint advisory by US government agencies (CISA, the FBI and the Treasury) in April 2022, is one of the most active units within this ecosystem. Initially specialized in targeted phishing and social engineering, such as impersonating developers and creating fake cryptocurrency projects, the group has significantly evolved its methods. In recent months it has shown a growing ability to identify and exploit technical weaknesses in DeFi protocols, shifting from scams to genuine systemic intrusion.

The Kelp DAO attack illustrates this evolution well. Rather than going after the smart contracts of a single protocol directly, the attackers focused on the junction between two infrastructures: LayerZero's cross-chain messaging layer and the verifier (DVN) configuration that Kelp DAO had chosen for it. That choice let them sidestep controls that would have blocked a direct extraction attempt against an isolated contract.

The Facts

Events unfolded on Saturday, April 19, 2026. At 17:35 UTC, an attacker extracted 116,500 rsETH from the reserves of Kelp DAO's LayerZero bridge. At the time, that quantity of Ethereum restaking tokens was worth approximately $292 million. More strikingly, it amounts to about 18.5% of the total circulating supply of rsETH, estimated at 630,000 tokens according to CoinGecko data: roughly one in five existing tokens was removed, which immediately left the bridge reserve short by the same amount.

The technical mechanism of the attack warrants a detailed explanation. Kelp DAO is a liquid restaking protocol: ETH holders deposit their tokens, which are restaked through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and in return Kelp DAO issues rsETH, a token representing the deposit position that can be used in other DeFi applications. The problem arises at the cross-chain bridge. rsETH was deployed on more than twenty networks, including Base, Arbitrum, Linea, Blast, Mantle and Scroll, using LayerZero's OFT (Omnichain Fungible Token) standard. Under that standard a token moves between chains by being burned, or locked in an adapter contract, on the source chain and minted, or unlocked, on the destination chain, so that the supply summed across all chains stays constant. Every copy minted on an L2 is therefore backed only by the reserve held on the home chain, and an unlock that no burn ever paid for leaves that reserve short.

The attackers exploited this architecture by manipulating LayerZero's messaging system. They caused a forged cross-chain message to be accepted on Ethereum, one that claimed a valid instruction had arrived from another network, and thereby induced Kelp DAO's bridge to release 116,500 rsETH to an address under their control. The key weakness lay in Kelp DAO's verifier configuration, described as a "1-of-1 verifier": the attestation of a single verifier is enough to validate a cross-chain message, so a single compromised or faulty verifier is enough to release funds, whereas a stricter configuration would have required several independent verifiers to agree.

Kelp DAO's response was relatively swift. Forty-six minutes after the initial theft, at 18:21 UTC, the protocol's emergency pause multisig secured the core contracts. Two subsequent attempts, at 18:26 UTC and 18:28 UTC, both failed: each carried the same LayerZero packet, this time attempting to drain a further 40,000 rsETH, worth approximately $100 million at the prices of the day. Roughly $95 million was thus saved at the last moment. The protocol immediately suspended operations and opened an investigation together with LayerZero, Unichain and several blockchain security audit firms.
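To make the two points above concrete, the verifier quorum that decides whether a cross-chain packet is honoured, and the pause that stopped the follow-up packets, here is a small Python model of an OFT-style lock/unlock adapter. It is an added illustration, not Kelp DAO's or LayerZero's code. The config field names (required_dvns, optional_dvns, optional_threshold) are modelled on LayerZero V2's UlnConfig but the quorum logic, the DVN behaviour, the packet digest and all amounts (630,000 outstanding, a forged 116,500 unlock, a 40,000 retry) are assumptions constructed for the example. An honest DVN attests only packets it actually saw emitted by a burn on the source chain; a compromised or buggy one attests anything.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One cross-chain message: tokens burned on src_chain, to be unlocked on dst_chain."""
    nonce: int
    src_chain: str
    dst_chain: str
    receiver: str
    amount: int

    def digest(self) -> str:
        raw = f"{self.nonce}|{self.src_chain}|{self.dst_chain}|{self.receiver}|{self.amount}"
        return hashlib.sha256(raw.encode()).hexdigest()


@dataclass(frozen=True)
class UlnConfig:
    """Verifier quorum; field names modelled on LayerZero V2's UlnConfig (assumption)."""
    required_dvns: tuple          # every one of these must attest
    optional_dvns: tuple = ()     # of these, at least optional_threshold must attest
    optional_threshold: int = 0


class Dvn:
    """Honest DVNs attest only packets really emitted on the source chain;
    a compromised (or simply wrong) DVN attests whatever it is handed."""
    def __init__(self, name: str, compromised: bool = False):
        self.name, self.compromised = name, compromised

    def attests(self, packet: Packet, emitted: set) -> bool:
        return self.compromised or packet.digest() in emitted


class OftAdapter:
    """Home-chain adapter: locks tokens when they leave, unlocks them on a verified packet."""
    def __init__(self, config: UlnConfig, dvns: list):
        self.config = config
        self.dvns = {d.name: d for d in dvns}
        self.locked = 0            # reserve held by the adapter on the home chain
        self.remote_supply = {}    # chain -> tokens minted there and still outstanding
        self.emitted = set()       # digests of packets genuinely produced by remote burns
        self.executed = set()      # replay protection
        self.paused = False        # set by the emergency pause multisig
        self.nonce = 0

    def lock_and_mint(self, dst_chain: str, amount: int) -> None:
        self.locked += amount
        self.remote_supply[dst_chain] = self.remote_supply.get(dst_chain, 0) + amount

    def burn_and_send(self, src_chain: str, receiver: str, amount: int) -> Packet:
        assert self.remote_supply.get(src_chain, 0) >= amount
        self.remote_supply[src_chain] -= amount
        self.nonce += 1
        pkt = Packet(self.nonce, src_chain, "ethereum", receiver, amount)
        self.emitted.add(pkt.digest())
        return pkt

    def has_quorum(self, pkt: Packet) -> bool:
        attesting = {n for n, d in self.dvns.items() if d.attests(pkt, self.emitted)}
        required_ok = all(n in attesting for n in self.config.required_dvns)
        optional_ok = sum(n in attesting for n in self.config.optional_dvns) >= self.config.optional_threshold
        return required_ok and optional_ok

    def receive(self, pkt: Packet) -> str:
        if self.paused:
            return "rejected: paused"
        if pkt.digest() in self.executed:
            return "rejected: replay"
        if not self.has_quorum(pkt):
            return "rejected: quorum"
        if pkt.amount > self.locked:
            return "rejected: reserve"
        self.executed.add(pkt.digest())
        self.locked -= pkt.amount
        return "unlocked"

    def backing_gap(self) -> int:
        """Remote tokens outstanding that the reserve no longer backs (0 when healthy)."""
        return sum(self.remote_supply.values()) - self.locked


def scenario(config: UlnConfig, dvns: list) -> dict:
    """A legitimate burn/unlock, then a forged unlock, then a retry after the pause."""
    adapter = OftAdapter(config, dvns)
    adapter.lock_and_mint("arbitrum", 630_000)                       # constructed figure
    legit = adapter.receive(adapter.burn_and_send("arbitrum", "alice", 1_000))
    forged = Packet(nonce=7, src_chain="arbitrum", dst_chain="ethereum",
                    receiver="attacker", amount=116_500)              # no burn ever happened
    first = adapter.receive(forged)
    adapter.paused = True                                            # emergency pause multisig
    retry = adapter.receive(Packet(8, "arbitrum", "ethereum", "attacker", 40_000))
    return {"legit": legit, "forged": first, "after_pause": retry, "gap": adapter.backing_gap()}


# 1-of-1: the single verifier has been compromised (or is simply wrong) and decides everything
weak = scenario(UlnConfig(required_dvns=("dvn-a",)), [Dvn("dvn-a", compromised=True)])
# Two required DVNs run by independent operators: one bad verifier is no longer enough
strong = scenario(UlnConfig(required_dvns=("dvn-a", "dvn-b")),
                  [Dvn("dvn-a", compromised=True), Dvn("dvn-b")])

if __name__ == "__main__":
    print("1-of-1:", weak)
    print("2-of-2:", strong)
```

Under the 1-of-1 configuration the forged packet is unlocked and the adapter ends up backing 116,500 fewer tokens than are outstanding on the remote chain, which is the reserve deficit the article describes; the retry only fails because the pause flag is already set. With two required DVNs the honest one refuses to attest a packet it never saw emitted, the quorum check fails and the gap stays at zero, without any pause being needed.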

The dispute between Kelp DAO and LayerZero adds a further dimension to the affair. LayerZero publicly placed responsibility on Kelp DAO's default configuration, arguing that an application is responsible for its own security settings, including which verifiers it chooses to trust. Kelp DAO denied this and blamed LayerZero's infrastructure, opening a heated technical debate over where exactly the validation chain was compromised. The dispute raises fundamental questions about the division of responsibility in the cross-chain bridge ecosystem, a topic already central to DeFi community concerns after similar hacks in recent years.

Analysis

The Kelp DAO hack marks a turning point in the TraderTraitor group’s methodology. Cybersecurity analysts have observed a significant evolution in the tactics employed by North Korean hackers over recent months. Where early campaigns primarily targeted individuals through social engineering techniques — fraudulent job offers, fake airdrops, bogus trading sites — the group now demonstrates an increasing capacity to carry out more technical and automated operations.

The exploitation of a "1-of-1 verifier" configuration rather than a flaw in cryptographic code is particularly revealing. On the accounts published so far, the attackers did not need to break any cryptographic primitive or compromise Kelp DAO's own keys: they identified a weakness in a protocol's default configuration and exploited it with surgical precision. Whether the single verifier was itself compromised or merely accepted a malformed packet is exactly what the dispute between Kelp DAO and LayerZero turns on; either way, a quorum of one leaves no second opinion to catch the error. This approach demands an intimate understanding of how DeFi protocols and their interactions work, a level of expertise that strongly suggests TraderTraitor has access to advanced technical capabilities and substantial research resources.

The pace of North Korean attacks in 2026 is particularly concerning. With more than $575 million stolen in under three weeks, $285 million from Drift on April 1 and $290 million from Kelp DAO on April 19, the annual total will likely exceed the 2025 record. The acceleration is partly explained by the growing financial needs of a regime that faces ever stricter international sanctions and economic difficulties amplified by its deepening diplomatic isolation.

Beyond the immediate financial loss, the Kelp DAO attack highlights the systemic fragility inherent in cross-chain DeFi architecture. When a restaking token is deployed across twenty chains through a central bridge, the security of the whole system is that of its weakest link. Here, the reserve backing the wrapped versions of rsETH on L2 networks was partially drained. Holders of those tokens on Arbitrum, Base or elsewhere must now ask whether their positions still carry redemption value in ETH on Ethereum, or whether they have become unbacked claims with no real value.

Market Reactions

Market participants' response was swift. Within hours of the public revelation of the incident, several major DeFi protocols took preventive measures to contain potential contagion. Aave, one of the largest decentralized lending protocols, immediately froze the rsETH markets on its V3 and V4 deployments. Stani Kulechov, the protocol's founder, publicly stated that Aave's own contracts had not been compromised and that the exploit stemmed from an external factor. Despite this clarification, the AAVE token still fell approximately 10% during the day, the market pricing in a risk premium for potential bad debt and a broader deterioration in DeFi sentiment.

SparkLend and Fluid followed suit by also freezing their rsETH markets. Lido Finance, the largest Ethereum staking protocol, suspended new deposits into its earnETH product, which exposes users to rsETH through composed strategies. Lido nevertheless emphasized that its core products — stETH and wstETH — were unaffected by the incident and that Ethereum’s core staking protocol presented no vulnerabilities. For its part, Ethena, the USDe stablecoin issuer, temporarily interrupted its LayerZero OFT bridges from Ethereum mainnet as a precaution. The company declared it had no exposure to rsETH and maintained a collateralization ratio exceeding 101% for its deposits.

The consequences on rsETH price were immediate and significant. Selling pressure intensified as wrapped token holders across different blockchains attempted to exit their positions before a potential generalization of the crisis. Kelp DAO’s teams and external auditors are now closely monitoring the attacker-associated wallets, hoping to trace the funds and, with luck, freeze a portion before they are laundered through mixers such as Tornado Cash.

Outlook

In the short term, the absolute priority is recovering a portion of the stolen funds. Experience shows that the chances of recovering stolen cryptocurrency fall sharply with every hour that passes, particularly when the attackers have access to mixing tools such as Tornado Cash, heavily used by North Korean groups in the past. The coming days will be decisive in determining whether security teams can act quickly enough to freeze a portion of the assets.

For investors holding rsETH or positions in protocols using liquid restaking, the strictest caution is advised. The situation highlights the multiple risks inherent in complex DeFi protocols: the security of a token deployed across twenty chains via a cross-chain bridge depends not only on the origin protocol, but also on every bridge, every deployment, and every verification configuration. A single flaw in one link of this chain can irreversibly compromise the entire system.

On the regulatory and geopolitical front, this latest major attack risks fueling criticism from regulatory authorities against the DeFi ecosystem. Already targeted by several UN Security Council reports as facilitating the laundering of state-sponsored cybercrime proceeds, DeFi protocols could face increased regulatory pressure in multiple jurisdictions. The broader crypto community will likely need to demonstrate its ability to strengthen security standards and transparency to avoid more restrictive legislative measures that could impact the entire ecosystem.
