
Lazarus Group steals 292 million dollars after breaching the KelpDAO cross-chain bridge


North Korea’s Lazarus Group stole approximately 292 million dollars from the KelpDAO bridge last Saturday, April 18. According to a preliminary analysis published by LayerZero this Monday, the attackers used forged messages to extract 116,500 rsETH. The incident triggered an immediate liquidity crisis, which caused massive withdrawals worth 10 billion in Aave due to widespread user panic.

LayerZero identified the TraderTraitor subunit as the technical party responsible for the breach. This specific North Korean intelligence group has previously been linked to the Ronin and WazirX attacks because of its high technical sophistication.

According to researcher Samczsun from Paradigm, these operations run under the DPRK’s Reconnaissance General Bureau. The precision of the exploit suggests that attackers monitored the bridge for months before executing the final drain of funds to external addresses.

Single verifier vulnerability forces drastic changes at LayerZero

The security architecture of KelpDAO featured a critical design flaw that attackers exploited with surgical precision. The protocol decided to use a single verifier to authorize critical transactions in its interoperability infrastructure. Despite prior warnings from LayerZero, the KelpDAO team failed to implement the necessary redundancy of multiple independent validators. This setup allowed a partial infrastructure compromise to result in the total loss of assets held within the smart contract.

To carry out the theft, the attackers managed to manipulate the verifier communication lines on Unichain using forged data. By feeding the system a non-existent withdrawal confirmation and simultaneously taking secondary verification routes offline, they forced the node to rely on the malicious input. Shalev Keren, co-founder of security firm Sodot, noted that no external audit would have caught this flaw without questioning the unilateral trust placed in the bridge architecture itself.

This event marks a troubling pattern in the second quarter of 2026 following the Drift Protocol attack that drained 285 million in April through social engineering. While the Drift incident relied on infiltration using fake identities, the KelpDAO hack demonstrates an evolution toward the direct manipulation of blockchain technology and its communication channels. The scale of both attacks in less than three weeks suggests a coordinated offensive against the market’s most significant liquidity protocols.

In direct response, LayerZero announced it will stop approving messages for any application that maintains single-verifier configurations. This measure aims to force a migration toward decentralized security models to prevent further drains of institutional capital. As Tether seeks to expand its cross-chain rails to improve operational efficiency, the industry faces the challenge of eliminating these single points of failure that jeopardize sector stability.
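
The single-verifier failure described above and the multi-verifier requirement LayerZero announced, sketched as an added example that is not code from LayerZero, KelpDAO or this article: a message is accepted only when a threshold of distinct configured verifiers attest to it, and offline verifiers never lower that threshold. The verifier names, keys, message format and the use of HMAC in place of real signatures are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed keys; HMAC stands in for real verifier signatures (assumption).
VERIFIER_KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}


def attest(verifier_id: str, message: bytes) -> str:
    """Tag one verifier emits after confirming the message on the source chain."""
    digest = hashlib.sha256(message).digest()
    return hmac.new(VERIFIER_KEYS[verifier_id], digest, hashlib.sha256).hexdigest()


def accept_message(message, attestations, required, threshold) -> bool:
    """Accept only if `threshold` distinct configured verifiers attest.

    Fails closed: an offline verifier just contributes no attestation, and
    missing attestations never lower the threshold.
    """
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and the verifier count")
    valid = set()  # a set, so a repeated attestation counts once
    for verifier_id, tag in attestations:
        if verifier_id in required and hmac.compare_digest(tag, attest(verifier_id, message)):
            valid.add(verifier_id)
    return len(valid) >= threshold


def audit_config(required, threshold) -> list:
    """Flag configurations where one compromised verifier can authorize a message."""
    findings = []
    if len(required) < 2:
        findings.append("single verifier: no redundancy")
    if threshold < 2:
        findings.append("threshold below 2: one compromised verifier suffices")
    return findings


def forged_message_accepted(required, threshold) -> bool:
    """Article scenario: one verifier attests to a forged withdrawal while all
    other verification routes are offline, so no other attestations arrive."""
    forged = b"withdraw:constructed-sample"
    attestations = [("verifier-a", attest("verifier-a", forged))] * 3  # replayed
    return accept_message(forged, attestations, required, threshold)


if __name__ == "__main__":
    for required, threshold in [({"verifier-a"}, 1), (set(VERIFIER_KEYS), 2)]:
        print(sorted(required), threshold, audit_config(required, threshold),
              forged_message_accepted(required, threshold))
```
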

Cyvers researchers revealed that the attackers were only three minutes away from draining another 100 million dollars in assets. A rapid blacklisting response and intervention from infrastructure providers managed to contain the damage before the impact became irreversible for the restaking ecosystem. Currently, the stolen funds are moving through five Ethereum addresses identified by on-chain analyst ZachXBT, having been initially funded via the Tornado Cash mixer.

Market recovery will depend on Aave’s ability to normalize its rsETH markets and progress in asset traceability. Users should monitor the audit reports of the bridges they use, prioritizing those with distributed validator networks.

This article is for informational purposes and does not constitute financial advice.
