Podcast Episode
KelpDAO Blames LayerZero for $292M Lazarus Group Hack as Public Dispute Escalates
April 22, 2026
North Korea's Lazarus Group drained roughly $292 million in rsETH tokens from KelpDAO's cross-chain bridge on April 18, 2026. The attackers compromised validator nodes rather than exploiting smart contract code, triggering a heated public blame war between KelpDAO and LayerZero over responsibility for the configuration that made the exploit possible.
The Largest DeFi Hack of 2026
North Korea's Lazarus Group has pulled off the largest decentralised finance theft of the year, draining approximately $292 million worth of rsETH tokens from KelpDAO's cross-chain bridge on April 18, 2026. According to a post-mortem published by LayerZero on April 20, the attacker called a single function on LayerZero's EndpointV2 contract and extracted 116,500 rsETH, representing roughly 18% of the token's circulating supply.
On-chain investigator ZachXBT first flagged the breach, identifying six attacker wallets pre-funded through Tornado Cash approximately ten hours before the drain began at 5:35 p.m. UTC.
How the Attack Worked
Rather than exploiting a smart contract bug, the attackers took a more sophisticated path. They compromised two RPC nodes feeding data into LayerZero's Decentralised Verifier Network, then launched a distributed denial-of-service attack against healthy nodes to force a failover to the poisoned endpoints. Because KelpDAO used a single 1-of-1 verifier configuration, there was no independent check to reject the forged cross-chain message. KelpDAO's emergency multisig managed to pause contracts 46 minutes later, blocking two follow-up attempts each targeting an additional 40,000 rsETH.
Contagion Across DeFi
The stolen tokens were immediately deposited into Aave V3 as collateral, letting the attacker borrow large amounts of wrapped ether before routing the proceeds back through Tornado Cash. Aave froze its rsETH markets, followed by Compound, SparkLend, and others. DeFi total value locked fell roughly 7% in 24 hours to around $86 billion, with more than $10 billion in outflows from Aave alone. On April 20, Arbitrum's Security Council froze 30,766 ETH, roughly $71 million, linked to the exploit.
The Blame Game
KelpDAO has publicly pushed back against LayerZero's narrative, arguing its 1-of-1 DVN setup followed LayerZero's documented defaults and that the compromised validator infrastructure is part of LayerZero's own stack. LayerZero maintains the protocol itself was not broken and that it had repeatedly advised KelpDAO to adopt a multi-verifier configuration. The company now says it will refuse to sign messages for any application running a single-DVN setup. The incident arrives less than three weeks after the $285 million Drift Protocol exploit, extending a stretch where more than $600 million has left DeFi protocols in April alone.
Published April 22, 2026 at 9:41am
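A simplified model of the verification step described under "How the Attack Worked" and "The Blame Game", added here as an illustration and not taken from LayerZero or KelpDAO code: each verifier attests to whatever its RPC source reports, and a message is delivered once a threshold of verifiers agree. The function names, the `dvn-*` and `rpc-*` labels and the sample data are all constructed assumptions.

```python
import hashlib
from collections import Counter

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def attest(view: dict, nonce: int):
    """A verifier attests to whatever its RPC source reports for this nonce."""
    payload = view.get(nonce)
    return digest(payload) if payload is not None else None

def accept(nonce, claimed, verifier_sources, views, threshold) -> bool:
    """Deliver the message only if `threshold` verifiers attest to its digest."""
    if not 1 <= threshold <= len(verifier_sources):
        raise ValueError("threshold must be between 1 and the verifier count")
    want = digest(claimed)
    votes = sum(attest(views[src], nonce) == want
                for src in verifier_sources.values())
    return votes >= threshold

def sources_to_forge(verifier_sources, threshold) -> int:
    """Fewest RPC sources that must be poisoned to reach the threshold."""
    if not 1 <= threshold <= len(verifier_sources):
        raise ValueError("threshold must be between 1 and the verifier count")
    # Poison the sources that the most verifiers depend on first.
    per_source = sorted(Counter(verifier_sources.values()).values(), reverse=True)
    reached = 0
    for needed, count in enumerate(per_source, start=1):
        reached += count
        if reached >= threshold:
            return needed

# Constructed sample data (assumption): nonce 7 was never sent on the source chain.
FORGED = b"forged cross-chain message"
VIEWS = {"rpc-a": {7: FORGED},   # poisoned endpoint reports the forged message
         "rpc-b": {},            # honest endpoints have no such message
         "rpc-c": {}}
ONE_OF_ONE = {"dvn-1": "rpc-a"}
TWO_OF_THREE = {"dvn-1": "rpc-a", "dvn-2": "rpc-b", "dvn-3": "rpc-c"}
SHARED_BACKEND = {"dvn-1": "rpc-a", "dvn-2": "rpc-a", "dvn-3": "rpc-c"}

if __name__ == "__main__":
    for name, cfg, k in [("1-of-1", ONE_OF_ONE, 1), ("2-of-3", TWO_OF_THREE, 2),
                         ("2-of-3, shared RPC", SHARED_BACKEND, 2)]:
        print(name, "forged accepted:", accept(7, FORGED, cfg, VIEWS, k),
              "| sources to poison:", sources_to_forge(cfg, k))
```

In this model the third configuration accepts the forged message even with a 2-of-3 threshold, because two verifiers read from the same poisoned source.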