Ethical Hacking News
The Lazarus Group's $290 million heist on Kelp DAO highlights the growing threat of state-sponsored hacking in the DeFi space. To understand the full scope of this attack and its implications for the industry, read our in-depth article on the Lazarus APT's sophisticated attack on Kelp DAO.
The Lazarus Group, affiliated with North Korea, stole $290 million from Kelp DAO's DeFi platform. The group exploited a vulnerability in LayerZero's infrastructure to execute an RPC-spoofing attack. The attack compromised two RPCs used by LayerZero's DVN node, allowing malicious transactions to pass through. Kelp DAO was unable to prevent the theft entirely but took steps to limit its impact. The breach highlights the need for robust security measures and diversity in verifier setups in the DeFi industry.
In a shocking turn of events, hackers affiliated with North Korea's Lazarus Group have successfully stolen $290 million from the decentralized finance (DeFi) platform Kelp DAO. The breach, which occurred on April 18, 2026, has sent shockwaves throughout the crypto industry, highlighting the growing threat of state-sponsored hacking and the vulnerability of DeFi protocols to sophisticated attacks.
According to reports, the Lazarus Group exploited a vulnerability in LayerZero's infrastructure, specifically targeting the verification layer rather than the core protocol. The attackers compromised two RPC endpoints (the remote procedure call nodes that LayerZero's DVN node queries to read source-chain state) and used them to feed the verifier fake but valid-looking messages. Because the DVN trusted what those endpoints reported, malicious transactions were attested as genuine and passed through, ultimately resulting in the theft of 116,500 rsETH, equivalent to approximately $293 million.
The attack was particularly sophisticated, leveraging a quorum of compromised RPC endpoints to execute an RPC-spoofing attack. This type of attack exploits the trust a verifier places in the infrastructure it reads chain state from: if enough of the endpoints it consults agree on a lie, the verifier attests to a message the source chain never emitted. In this case, the Lazarus Group exploited a single point of failure in Kelp DAO's "1-of-1" verifier setup, which required only one DVN to verify transactions, so compromising that DVN's view of the chain was sufficient.
Despite its best efforts to mitigate the damage, Kelp DAO was unable to prevent the theft entirely. However, the platform has taken steps to limit the impact, including freezing activity and blacklisting wallets associated with the exploiter. Additionally, partners such as the Arbitrum Security Council have frozen funds to prevent further losses.
The breach has significant implications for the DeFi industry, highlighting the need for robust security measures and diversity in verifier setups. LayerZero's modular design prevented the attack from spreading to other apps, but the incident underscores the importance of following industry best practices, including configuring a multi-DVN setup with diversity and redundancy.
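To make the difference between a "1-of-1" verifier setup and a multi-DVN setup concrete, the following is an added example written for this article; it is not LayerZero's or Kelp DAO's code and does not use their APIs. It is a simplified model in which each DVN asks a set of RPC endpoints whether a message appears in the source chain's log, and the application requires a quorum of DVN attestations before executing. The chain names, endpoint names, messages and the "rsETH" payload strings are all constructed for the demonstration.

```python
"""Simplified model of cross-chain message verification with DVN quorums.

Added example, not LayerZero's or Kelp DAO's code. Endpoints, DVNs, chain names
and messages are constructed; the point is to show how a compromised quorum of
RPC endpoints fools a single DVN, and how requiring attestations from several
independently operated DVNs contains that failure.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Message:
    """A cross-chain message as seen by the destination-chain verifier."""
    src_chain: str
    nonce: int
    payload: str

    def digest(self) -> str:
        raw = f"{self.src_chain}:{self.nonce}:{self.payload}".encode()
        return hashlib.sha256(raw).hexdigest()


class RpcEndpoint:
    """Answers whether a message digest appears in the source chain's event log.

    An honest endpoint only reports digests that really are in the log. A
    compromised endpoint also vouches for attacker-chosen digests; this is the
    RPC-spoofing condition the article describes (modelled here, not real data).
    """

    def __init__(self, name: str, source_log: set, forged=frozenset()):
        self.name = name
        self.source_log = source_log
        self.forged = set(forged)

    def message_exists(self, digest: str) -> bool:
        return digest in self.source_log or digest in self.forged


class DVN:
    """A verifier that consults several RPC endpoints and needs rpc_quorum of
    them to agree before it attests that the message is genuine."""

    def __init__(self, name: str, endpoints: list, rpc_quorum: int):
        self.name = name
        self.endpoints = endpoints
        self.rpc_quorum = rpc_quorum

    def verify(self, msg: Message) -> bool:
        agreeing = sum(1 for ep in self.endpoints if ep.message_exists(msg.digest()))
        return agreeing >= self.rpc_quorum


def app_accepts(msg: Message, dvns: list, required: int) -> bool:
    """Application-side rule: execute only if at least `required` of the
    configured DVNs attest to the message (1-of-1 versus M-of-N)."""
    attestations = sum(1 for dvn in dvns if dvn.verify(msg))
    return attestations >= required


def run_scenario() -> dict:
    # Constructed source-chain log: only one genuine message was ever emitted.
    genuine = Message("chainA", 1, "unlock 10 rsETH to 0xAlice")
    forged = Message("chainA", 2, "unlock 116500 rsETH to 0xAttacker")
    source_log = {genuine.digest()}

    # dvn-1 relies on three endpoints, two of which the attacker controls, so
    # its own 2-of-3 endpoint quorum is reachable with forged data.
    dvn1 = DVN("dvn-1", [
        RpcEndpoint("rpc-a", source_log, forged={forged.digest()}),
        RpcEndpoint("rpc-b", source_log, forged={forged.digest()}),
        RpcEndpoint("rpc-c", source_log),
    ], rpc_quorum=2)
    # dvn-2 and dvn-3 are run by different operators on independent endpoints
    # that the attacker does not control.
    dvn2 = DVN("dvn-2", [RpcEndpoint("rpc-d", source_log),
                         RpcEndpoint("rpc-e", source_log)], rpc_quorum=2)
    dvn3 = DVN("dvn-3", [RpcEndpoint("rpc-f", source_log),
                         RpcEndpoint("rpc-g", source_log)], rpc_quorum=2)

    return {
        "genuine_1of1": app_accepts(genuine, [dvn1], required=1),
        "forged_1of1": app_accepts(forged, [dvn1], required=1),   # passes: single point of failure
        "genuine_2of3": app_accepts(genuine, [dvn1, dvn2, dvn3], required=2),
        "forged_2of3": app_accepts(forged, [dvn1, dvn2, dvn3], required=2),  # rejected
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The model shows why an endpoint-level quorum inside one DVN is not enough on its own: when the attacker controls a majority of the endpoints that DVN reads, the DVN faithfully attests to a forged message, and a 1-of-1 application configuration executes it. Requiring attestations from DVNs run by different operators on independent infrastructure means the attacker would have to compromise the RPC view of several unrelated verifiers at once, which is the diversity and redundancy the article refers to.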
According to reports, LayerZero confirmed that its infrastructure and protocol worked as designed, isolating the damage. However, Kelp DAO has faced criticism for not adhering to recommended security practices, despite prior warnings from LayerZero and other external parties.
The Lazarus Group's attack on Kelp DAO is just one example of the growing threat of state-sponsored hacking in the DeFi space. As the popularity of decentralized finance continues to grow, it is essential that platforms prioritize robust security measures and compliance with industry best practices.
In conclusion, the $290 million heist perpetrated by North Korea's Lazarus Group on Kelp DAO serves as a stark reminder of the vulnerability of DeFi protocols to sophisticated attacks. As the DeFi space continues to evolve, it is crucial that platforms prioritize security, diversity, and compliance with industry best practices to prevent similar incidents in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Lazarus-APTs-290-Million-Heist-An-Examination-of-North-Koreas-Sophisticated-Attack-on-Kelp-DAO-ehn.shtml
https://securityaffairs.com/191092/digital-id/north-koreas-lazarus-apt-stole-290m-from-kelp-dao.html
https://www.securityweek.com/290-million-kelp-dao-crypto-heist-blamed-on-north-korea/
https://cybersixt.com/a/WAteTQilhC5fsHre7wryB5
https://attack.mitre.org/groups/G0032/
https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks
Published: Tue Apr 21 15:55:23 2026 by llama3.2 3B Q4_K_M