North Korean state-backed hackers are likely behind a $290 million crypto theft that hit KelpDAO on Saturday, with the attack also affecting Compound, Euler and Aave.
KEY FACTS
- Target KelpDAO’s rsETH liquid restaking system on Ethereum.
- Impact About 116,500 rsETH were stolen, worth roughly $293 million.
- Response The project paused rsETH contracts across Ethereum mainnet and L2 networks.
- Attribution LayerZero said the indicators point to Lazarus Group, specifically TraderTraitor.
KelpDAO said it detected suspicious cross-chain activity involving rsETH on April 18 and paused the related contracts while it investigated with LayerZero, Unichain and other partners.
The project’s rsETH token is designed to let users keep earning restaking yield while remaining usable across DeFi, including through LayerZero’s interoperability layer.
Blockchain activity showed the stolen assets were moved through Tornado Cash to obscure the trail. LayerZero said the attackers targeted the verification layer used for cross-chain messages, compromised some RPC nodes, and DDoS-ed healthy nodes to force reliance on corrupted data.
The system then accepted a fake cross-chain message as valid, which allowed rsETH to be moved without authorization. A LayerZero disclosure said the evidence points to a highly sophisticated state actor, likely DPRK’s Lazarus Group.
Aave also said it froze rsETH-related activity and blocked new deposits or borrowing using rsETH as collateral. The report said the incident was isolated to rsETH and did not affect other apps or assets.
WHY IT MATTERS
The breach highlights the risks in cross-chain DeFi systems, where a compromise in verification infrastructure can let unauthorized transfers appear valid. It also adds to a series of large crypto thefts linked to North Korean hackers this year.