Chainalysis stated on April 18, 2026 that cybercriminals believed to be affiliated with North Korea's Lazarus Group pulled off one of the biggest DeFi heists of the year, withdrawing approximately $292 million (116,500 rsETH) from KelpDAO's LayerZero-powered bridge. Unlike typical smart contract vulnerabilities, this breach targeted off-chain infrastructure, exposing critical weaknesses in cross-chain verification systems.
Chainalysis noted that the incident highlights how even regulated protocols remain vulnerable when single points of failure exist in supported networks.
The attack focused on KelpDAO's use of a LayerZero bridging adapter to transfer rsETH between chains.
The setup relied on Decentralized Validator Networks (DVNs) to confirm transactions from the source chain, Unichain.
In a risky configuration common for new deployments, KelpDAO used a single validator (the LayerZero Labs DVN), creating a 1-to-1 dependency. Attackers exploited this by compromising two internal RPC nodes operated by LayerZero.
They gained access to the DVN's node list, injected malware into isolated clusters, and simultaneously launched a DDoS attack on an external RPC node.
This forced the system to rely solely on the compromised internal nodes.
The compromised nodes deliberately reported fabricated block data, falsely indicating that rsETH had been burned on Unichain. No such burn ever occurred.
With the fake message verified by the single DVN, the Ethereum-side contract released the entire 116,500 rsETH to addresses controlled by the attacker.
Each on-chain step (message transfer, signature verification, and fund transfer) appeared legitimate, evading traditional monitoring tools that only scan individual transactions.
The KelpDAO team quickly detected the anomaly and activated emergency pauses on its Ethereum and Layer 2 deployments.
They blacklisted the attacker's addresses and, in collaboration with security firm SEAL-911, successfully blocked a follow-up attempt that could have resulted in the loss of an additional $95 million (40,000 rsETH).
On April 20, working with law enforcement, the Arbitrum Security Council froze more than 30,766 ETH. Transferring the stolen proceeds to subaddresses prevents immediate laundering while preserving chain integrity for other users.
Chainalysis analysts emphasize that the exploit succeeded because bridges rely on a fundamental cross-chain invariant: assets released on the destination chain must exactly match assets burned or locked on the source chain.
Here, the ghost release created unbacked rsETH tokens, threatening liquidity pools and collateral systems. Because the manipulation occurred entirely off-chain, traditional audits and transaction monitors missed the breach completely.
The event highlighted urgent lessons for DeFi infrastructure. Single-validator setups and over-reliance on any one party's RPC infrastructure pose unacceptable risks in high-value bridges.
Industry professionals recommend multi-DVN configurations and real-time invariant-monitoring tools capable of cross-referencing burns and releases between chains.
Such systems can trigger rapid pauses before funds are exchanged or bridged further.
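The cross-referencing check recommended above, sketched as an added example (not code from KelpDAO, LayerZero or Chainalysis): a release on the destination chain passes only if a quorum of independent source-chain providers report a matching burn. The provider names, message ids, amounts and the `Transfer` shape are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    guid: str    # cross-chain message id (constructed format)
    amount: int  # token amount in whole rsETH, for readability


def confirmed_burns(views, quorum):
    """Burns reported by at least `quorum` independent source-chain providers."""
    counts = Counter(t for burns in views.values() for t in set(burns))
    return {t.guid: t.amount for t, n in counts.items() if n >= quorum}


def check_releases(releases, views, quorum):
    """Return (guid, reason) for every release that breaks the invariant."""
    burned = confirmed_burns(views, quorum)
    alerts, seen = [], set()
    for r in releases:
        if r.guid in seen:
            alerts.append((r.guid, "release replayed"))
        elif r.guid not in burned:
            alerts.append((r.guid, "no quorum-confirmed burn"))
        elif burned[r.guid] != r.amount:
            alerts.append((r.guid, "amount differs from burn"))
        seen.add(r.guid)
    return alerts


# Constructed sample: one provider reports a burn the other two never saw.
LEGIT = Transfer("msg-001", 250)
FORGED = Transfer("msg-002", 116_500)
VIEWS = {
    "provider_a": [LEGIT, FORGED],  # the lone source vouching for the forged burn
    "provider_b": [LEGIT],
    "provider_c": [LEGIT],
}
RELEASES = [LEGIT, FORGED]

if __name__ == "__main__":
    for guid, reason in check_releases(RELEASES, VIEWS, quorum=2):
        print(f"PAUSE BRIDGE: {guid}: {reason}")
```

With `quorum=1` the same data raises no alert, which is the single-verifier dependency the article describes.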
Although the rapid response limited total losses, the attack serves as an alarming wake-up call, reminding us that proper governance, coordinated freezes, and advanced detection layers are now necessary to protect decentralized finance from state-sponsored threats. Chainalysis concluded that as investigations continue, the case may reveal additional tactics used by the TraderTraitor subgroup of the notorious Lazarus Group.





