North Korean Hackers Drain $290 Million from KelpDAO in Largest Crypto Heist of 2026

Asia Daily

The Biggest Crypto Heist of the Year

On April 18, 2026, attackers stole approximately $290 million worth of cryptocurrency from KelpDAO, a decentralized finance protocol built on the Ethereum network, marking the largest digital asset theft of the year. LayerZero Labs, the cross-chain infrastructure provider caught in the crossfire, attributed the attack to TraderTraitor, a specialized unit within North Korea's Lazarus Group, citing preliminary technical indicators pointing to a highly sophisticated state-sponsored operation. The heist came just weeks after the same threat actors allegedly siphoned $285 million from the Drift Protocol, bringing the total stolen by North Korean hackers in April alone to over $575 million.

The attack targeted rsETH, a liquid restaking token issued by KelpDAO that represents staked Ethereum earning yields while remaining usable across other decentralized applications. By exploiting weaknesses in the cross-chain verification process, the thieves drained 116,500 rsETH tokens valued at roughly $293 million before laundering portions of the funds through Tornado Cash, a cryptocurrency mixing service designed to obscure transaction trails. A United Nations panel has previously estimated that North Korea has stolen more than $3 billion in cryptocurrency since 2017, using these illicit proceeds to help fund its nuclear weapons development program.

This incident represents more than isolated criminal activity. Security analysts view it as evidence of an accelerating campaign by Pyongyang against the decentralized finance ecosystem, one that exposes fundamental vulnerabilities in how cross-chain bridges and verification mechanisms operate. The theft has sent shockwaves through the cryptocurrency industry, prompting lending giant Aave to freeze markets and triggering billions in withdrawals from affected protocols.


How the Cross-Chain Exploit Worked

KelpDAO operates as a liquid restaking protocol, allowing users to deposit Ethereum and receive rsETH tokens in return. These derivative tokens represent the underlying staked assets while continuing to earn rewards through EigenLayer, a restaking infrastructure on Ethereum. Through interoperability layers like LayerZero, rsETH can move across different blockchain networks, increasing flexibility but also expanding the potential attack surface. This cross-chain functionality became the entry point for the largest crypto exploit recorded this year.

The attackers targeted the Decentralized Verifier Network, or DVN, responsible for validating messages between different blockchains. Rather than exploiting a flaw in KelpDAO's smart contract code itself, the hackers manipulated the infrastructure supporting these verification operations. They compromised specific Remote Procedure Call nodes, which serve as communication endpoints allowing applications to read blockchain data, and injected falsified data into the verification layer.

To amplify their attack, the threat actors simultaneously launched distributed denial-of-service attacks against legitimate RPC nodes. This barrage degraded the availability of trusted data sources and forced the system to rely on the compromised nodes that were feeding false information. Essentially, the attackers poisoned the validation process, enabling fraudulent cross-chain messages to be accepted as legitimate even though the underlying transactions never actually occurred on the blockchain.

A critical vulnerability enabled this deception. KelpDAO utilized a single-DVN configuration for its cross-chain operations, meaning only one verifier checked the validity of messages rather than requiring consensus from multiple independent validators. LayerZero stated that this setup created a single point of failure, allowing the forged message to pass without additional verification. The attackers used a custom payload designed explicitly to forge a message to the DVN with minimal warnings, enabling the unauthorized transfer of rsETH tokens to wallets under their control.
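The failure mode described in this section, a verifier whose honest RPC endpoint is knocked offline and whose fallback is attacker-controlled, can be reduced to a small model. The following is an added example and not KelpDAO's or LayerZero's code; the classes, chain names, transaction hashes and the "primary plus fallback" RPC lookup are all constructed for the demonstration. It shows that the same forged message passes a 1-of-1 DVN quorum and is rejected by a 3-of-5 quorum of independently operated verifiers, while a genuine message still clears the stricter quorum.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Message:
    src_chain: str
    tx_hash: str      # source-chain transaction the message claims to come from
    payload: str      # what the destination chain is asked to execute


class RpcNode:
    """Constructed stand-in for an RPC endpoint serving source-chain data."""

    def __init__(self, name: str, ledger: Set[str], poisoned: bool = False) -> None:
        self.name = name
        self.ledger = ledger          # tx hashes genuinely included on chain
        self.poisoned = poisoned      # attacker-controlled: confirms anything
        self.available = True         # False once the endpoint is knocked offline

    def tx_included(self, tx_hash: str) -> Optional[bool]:
        if not self.available:
            return None               # no answer at all (DDoS)
        if self.poisoned:
            return True               # forged confirmation for a tx that never happened
        return tx_hash in self.ledger


class Verifier:
    """A DVN that checks the source chain through a priority list of RPC endpoints."""

    def __init__(self, name: str, rpcs: List[RpcNode]) -> None:
        self.name = name
        self.rpcs = rpcs

    def attest(self, msg: Message) -> bool:
        # Ask endpoints in order and trust the first that answers. This is the
        # weak link: an unavailable honest endpoint silently hands the decision
        # to whatever endpoint answers next.
        for rpc in self.rpcs:
            answer = rpc.tx_included(msg.tx_hash)
            if answer is not None:
                return answer
        return False                  # nobody answered: do not attest


def accept_message(msg: Message, verifiers: List[Verifier], required: int) -> bool:
    """M-of-N quorum: the destination executes only if at least `required` DVNs attest."""
    if not 1 <= required <= len(verifiers):
        raise ValueError("quorum must be between 1 and the number of verifiers")
    return sum(v.attest(msg) for v in verifiers) >= required


def run_scenario() -> dict:
    """Replays the poisoned-RPC pattern against a 1/1 and a 3/5 configuration."""
    real_txs = {"0xaaaa01", "0xaaaa02"}           # constructed source-chain state
    forged = Message("ethereum", "0xdead00", "unlock 116500 rsETH to attacker")
    genuine = Message("ethereum", "0xaaaa01", "unlock 10 rsETH to user")

    # Single-DVN setup: one verifier with an honest primary and a poisoned fallback.
    primary = RpcNode("honest-primary", real_txs)
    poisoned = RpcNode("attacker-rpc", set(), poisoned=True)
    single = Verifier("dvn-0", [primary, poisoned])
    primary.available = False                     # DDoS takes the honest node down
    one_of_one = accept_message(forged, [single], required=1)

    # Multi-DVN setup: four more operators, each with its own honest RPC.
    # The attacker still controls dvn-0's fallback and its primary is still down.
    honest = [RpcNode(f"rpc-{i}", real_txs) for i in range(1, 5)]
    others = [Verifier(f"dvn-{i}", [honest[i - 1]]) for i in range(1, 5)]
    multi = [single] + others
    three_of_five = accept_message(forged, multi, required=3)
    genuine_ok = accept_message(genuine, multi, required=3)

    return {"1of1_accepts_forgery": one_of_one,
            "3of5_accepts_forgery": three_of_five,
            "3of5_accepts_genuine": genuine_ok}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the quorum is independence: the attacker has to poison or silence a majority of separately operated data paths rather than one. A 3-of-5 quorum over five verifiers that all read the same RPC provider would not help.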


LayerZero and KelpDAO Trade Accusations

In the aftermath of the heist, LayerZero and KelpDAO have engaged in a public dispute regarding responsibility for the security breach. LayerZero maintains that the incident resulted entirely from KelpDAO's decision to operate with a single-verifier configuration despite recommendations to implement multiple independent DVNs. The company emphasized that it had previously communicated best practices around DVN diversification to KelpDAO and that a properly hardened configuration requiring consensus across multiple verifiers would have rendered this attack ineffective.

LayerZero released a detailed technical postmortem explaining the RPC spoofing attack methodology and asserting that zero contagion exists to other cross-chain assets or applications using different configurations. The company announced it would stop signing messages for applications running single-verifier setups to prevent similar incidents. LayerZero identified the specific threat actor as TraderTraitor, a subgroup within the Lazarus Group known for targeting cryptocurrency platforms.

KelpDAO disputed this characterization, arguing that it had operated on LayerZero infrastructure since January 2024 while maintaining open communication channels with the LayerZero team. According to KelpDAO, questions regarding DVN configuration arose during its Layer 2 expansion, and the defaults were affirmatively confirmed as appropriate at that time. The protocol contends that LayerZero's default setup facilitated the vulnerable configuration, challenging the notion that users should bear full responsibility for security parameters that were presented as standard options.

Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message. LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration.

Security experts have weighed in on this debate, noting that security depending on users reading documentation and manually selecting safer options represents a fundamental design flaw in decentralized systems. David Schwed, chief operating officer at blockchain security firm SVRN, observed that if a configuration is identified as unsafe, it should not be shipped as an available option. This reflects a broader tension in the Web3 ecosystem between decentralization ideals and the practical need for secure defaults.


Cascading Impact on Decentralized Finance

The theft extended far beyond KelpDAO itself, illustrating the interconnected nature of modern decentralized finance protocols. Because rsETH serves as collateral across multiple lending platforms, the exploit created systemic risk that rippled through the ecosystem within hours. Aave, one of the largest decentralized lending protocols, registered a nearly $8 billion drop in total value locked as investors rushed to withdraw assets. The protocol froze rsETH markets across Ethereum, Arbitrum, Base, Mantle, and Linea to prevent further exposure.

The attackers demonstrated sophisticated financial engineering by depositing stolen rsETH into Aave v3 as collateral and borrowing wrapped Ether, creating approximately $195 million in debt on the platform. As users rushed to withdraw assets to avoid potential losses, Aave v3 lending pools reached full utilization, temporarily blocking over $5.1 billion in stablecoins from being accessed. Compound and Euler protocols also reported impacts from the incident, though they implemented emergency measures to limit contagion.

Cardano founder Charles Hoskinson analyzed the exploit during a livestream, distinguishing between the initial theft and the subsequent contagion through lending markets. He noted that the novelty lay not in the bridge forgery itself but in how the attacker used stolen rsETH as collateral to borrow liquid assets, transforming a simple theft into a balance-sheet crisis for at least nine protocols. This secondary attack vector turned poisoned collateral into a weapon against the broader DeFi ecosystem.

The market reacted violently to the news. The rsETH token swung between $1,600 and $2,500 in the first 24 hours as liquidity providers pulled support. Total value locked across DeFi fell by roughly $13 billion in the 48 hours following the incident. Arbitrum's Security Council managed to freeze approximately 30,766 ETH worth $71 million, representing roughly a quarter of the stolen funds, though the majority remained under the attackers' control.


Lazarus Group and State-Sponsored Theft

The attribution to North Korea's Lazarus Group fits a well-established pattern of state-sponsored cryptocurrency theft designed to circumvent international sanctions and fund weapons programs. TraderTraitor, the specific subgroup identified in this attack, has been linked to multiple major heists over recent years, including the $1.5 billion theft from Bybit earlier in 2026 that stands as the largest crypto heist in history. United Nations monitors have documented how Pyongyang channels these illicit proceeds directly into its nuclear and ballistic missile development.

Security researchers note that North Korean cyber operations have evolved from opportunistic attacks against exchanges to sophisticated, patient intrusions targeting the fundamental infrastructure of decentralized finance. Alexander Urbelis, chief information security officer at ENS Labs, characterized these incidents not as isolated events but as a sustained cadence of operations. He emphasized that groups like Lazarus are not merely walking away richer but are walking away better, using stolen resources to scale tooling, refine techniques, and reinvest in future campaigns.

These environments are not being tested by smash and grab actors, they are being pressured by disciplined adversaries who understand how to chain together weak points across infrastructure, applications, and trust relationships.

The attack methodology reveals an evolution in Lazarus targeting strategies. Rather than exploiting smart contract vulnerabilities or stealing private keys, the group has begun focusing on cross-chain and restaking infrastructure, the plumbing that connects different blockchain networks. These layers are technically complex, often hold substantial value, and tend to be harder to monitor than surface-level applications. By compromising verification infrastructure rather than application logic, the attackers demonstrated intimate knowledge of how decentralized systems trust and validate information.

Henri Arslanian, co-founder of Nine Blocks Capital Management, expressed certainty regarding the attribution. No other group globally has the expertise and muscle power to conduct such a hack, he stated, noting that the technical sophistication and operational security displayed in the KelpDAO exploit align exclusively with state-level capabilities. The use of Tornado Cash for laundering, combined with the multi-stage attack involving both infrastructure compromise and social engineering elements, supports this assessment.


Negotiation Attempts and Security Lessons

In an unusual move, billionaire Tron Network founder Justin Sun publicly pleaded with the hackers to return the stolen funds. Taking to social media, Sun offered to negotiate directly with the attackers, asking how much they wanted while arguing that it was simply not worth sacrificing both Aave and KelpDAO. His intervention highlighted the severity of the systemic risk posed by the exploit, particularly given that addresses linked to HTX, the exchange owned by Sun, had sent hundreds of millions to accounts on Aave.

Kelp DAO hacker, how much you want? Let’s talk. With Kelp DAO’s help, of course. It’s simply not worth it to sacrifice both Aave and Kelp DAO and let them go down over this hack. You can’t spend $300 million anyway.

The incident has sparked intense debate within the blockchain security community regarding the balance between decentralization and safety. Charles Hoskinson argued that the failure lay in the verification logic rather than application logic, pointing out that a three-of-five verifier setup rather than a one-of-one configuration would have blocked the forgery. This criticism extends to the broader Ethereum ecosystem, where complex cross-chain interactions create dependencies that can amplify single points of failure.

Security professionals are advocating for zero-trust architectures that assume compromise will occur and enforce strict verification across complex environments. Recommended mitigations include hardening RPC endpoints, implementing multi-party consensus mechanisms, deploying robust DDoS defenses, and introducing circuit breakers that can automatically pause transactions when anomalies are detected. The KelpDAO exploit demonstrates that in decentralized finance, the strength of the entire chain depends on the controls at each link, and when one link breaks, the consequences cascade rapidly.
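Of the mitigations listed above, the circuit breaker is the one that works even after verification has already been fooled, because it acts on what leaves the bridge rather than on why. The following added example is not code from KelpDAO, LayerZero or any of the protocols named in the article; the class, its thresholds and the unlock stream it replays are constructed to show the idea. It pauses unlocks when a single request or the trailing-window total exceeds a fraction of what the bridge currently holds, and stays paused until an operator resumes it out of band.

```python
from collections import deque
from typing import Deque, List, Tuple


class OutflowCircuitBreaker:
    """Pauses cross-chain unlocks when outflow looks anomalous.

    Both limits are fractions of `locked_supply`, the value the bridge holds
    right now (constructed for the demo):
      * a single unlock may not exceed max_single_fraction of it;
      * unlocks inside any trailing window may not exceed max_window_fraction.
    Once tripped, every request is rejected until resume() is called.
    """

    def __init__(self, locked_supply: float, window_seconds: int,
                 max_window_fraction: float, max_single_fraction: float) -> None:
        self.locked_supply = locked_supply
        self.window_seconds = window_seconds
        self.max_window_fraction = max_window_fraction
        self.max_single_fraction = max_single_fraction
        self.history: Deque[Tuple[int, float]] = deque()   # (timestamp, amount)
        self.paused = False
        self.trip_reason = ""

    def _prune(self, now: int) -> None:
        # Drop unlocks that have aged out of the trailing window.
        while self.history and self.history[0][0] <= now - self.window_seconds:
            self.history.popleft()

    def _window_total(self) -> float:
        return sum(amount for _, amount in self.history)

    def _trip(self, reason: str) -> None:
        self.paused = True
        self.trip_reason = reason

    def request_unlock(self, amount: float, now: int) -> bool:
        """Returns True if the unlock may proceed, False if it is blocked."""
        if self.paused or amount <= 0:
            return False
        self._prune(now)
        max_single = self.max_single_fraction * self.locked_supply
        max_window = self.max_window_fraction * self.locked_supply
        if amount > max_single:
            self._trip(f"single unlock of {amount} exceeds limit {max_single:.2f}")
            return False
        if self._window_total() + amount > max_window:
            self._trip(f"window outflow would exceed limit {max_window:.2f}")
            return False
        self.history.append((now, amount))
        self.locked_supply -= amount
        return True

    def resume(self) -> None:
        """Manual, out-of-band action (e.g. governance multisig) after review."""
        self.paused = False
        self.trip_reason = ""


def replay_constructed_traffic() -> List[bool]:
    """Constructed unlock stream: routine traffic, then one outsized unlock."""
    breaker = OutflowCircuitBreaker(locked_supply=400_000.0, window_seconds=3600,
                                    max_window_fraction=0.05, max_single_fraction=0.01)
    events = [(0, 250.0), (600, 1_200.0), (1200, 900.0),
              (1800, 116_500.0),   # anomalous unlock: far above the single-tx limit
              (1860, 50.0)]        # routine request arriving after the trip
    return [breaker.request_unlock(amount, ts) for ts, amount in events]


if __name__ == "__main__":
    print(replay_constructed_traffic())
```

Thresholds like these trade availability for containment: a legitimate large withdrawal also trips the breaker, which is the intended cost, since the operator review that follows is cheap compared with an unbounded drain.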

For new entrants to the DeFi world, the heist serves as a stark reminder that decentralization is not a binary property but a series of choices about trust and verification. As North Korea's cyber operations continue to adapt and expand, the industry faces mounting pressure to implement security by default rather than security by recommendation, ensuring that the most secure options are the easiest to use rather than buried in technical documentation.


The Essentials

  • North Korea's Lazarus Group, specifically the TraderTraitor subgroup, is suspected of stealing approximately $290 million in rsETH tokens from KelpDAO on April 18, 2026
  • The attack exploited a single-verifier configuration in KelpDAO's cross-chain setup on LayerZero, allowing hackers to forge verification messages and drain funds
  • Attackers compromised RPC nodes and launched DDoS attacks to force the system to rely on poisoned data sources
  • The heist caused systemic contagion across DeFi, forcing Aave to freeze markets and triggering $8 billion in withdrawals from lending protocols
  • LayerZero and KelpDAO have publicly disputed responsibility, with LayerZero citing unsafe configuration choices and KelpDAO claiming they followed default settings
  • The incident represents the second major North Korean crypto theft in April 2026, following a $285 million heist from Drift Protocol
  • Approximately $71 million of the stolen funds have been frozen by Arbitrum’s Security Council, while the majority was laundered through Tornado Cash
  • United Nations panels estimate North Korea has stolen over $3 billion in cryptocurrency since 2017 to fund nuclear weapons development