KelpDAO and LayerZero Labs: KelpDAO Security Breach Blamed on Lazarus Group

KelpDAO Suffers $292M Exploit Linked to North Korea’s Lazarus Group

On April 18, decentralized finance (DeFi) protocol KelpDAO fell victim to a $292 million exploit, now confirmed to be the work of the North Korean state-backed Lazarus Group. The attack, the largest DeFi breach of 2026, targeted a vulnerability in the protocol’s cross-chain bridge, powered by LayerZero Labs’ infrastructure.

The Lazarus Group executed a sophisticated attack by poisoning the decentralized validation network’s downstream RPC infrastructure. Through coordinated denial-of-service (DoS) attacks and control of key nodes, the threat actors manipulated the network into accepting malicious data, enabling them to forge cross-chain transactions. The incident highlights the growing sophistication of state-affiliated cyber threats in the DeFi space.

Investigations revealed a critical architectural flaw in KelpDAO’s design: a single-point-of-failure configuration using a one-of-one (1/1) validation setup. Despite industry warnings against such setups, the protocol lacked redundant verifiers, allowing the forged transactions to go undetected. The breach has prompted widespread industry action, with multiple DeFi platforms freezing their cross-chain bridges to prevent similar attacks.
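The difference between a 1/1 setup and redundant verifiers can be shown with a small quorum check. This is an added example, not code from KelpDAO or LayerZero Labs; the verifier names, the `accept` and `audit_config` functions and the sample hashes are hypothetical, and the redundant verifiers are assumed to read from independent RPC sources.

```python
import hashlib
from collections import Counter

def digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()

# Constructed sample values, not data from the incident.
GENUINE = digest(b"constructed: message committed on the source chain")
FORGED = digest(b"constructed: message served by a poisoned RPC endpoint")

def audit_config(verifiers, threshold):
    """Return findings for a verifier set; an empty list means none."""
    findings = []
    if not 1 <= threshold <= len(set(verifiers)):
        findings.append("threshold cannot be met by the configured verifiers")
    if threshold <= 1:
        findings.append("single point of failure: one verifier approves alone")
    return findings

def accept(attestations, verifiers, threshold):
    """Return the payload hash that at least `threshold` distinct configured
    verifiers agree on, or None to hold the message."""
    votes = {}
    for verifier, payload_hash in attestations:
        if verifier in verifiers:
            votes.setdefault(verifier, payload_hash)  # one vote per verifier
    tally = Counter(votes.values())
    agreed = [h for h, n in tally.items() if n >= threshold]
    return agreed[0] if len(agreed) == 1 else None

ONE = ["verifier-a"]                               # hypothetical 1/1 setup
THREE = ["verifier-a", "verifier-b", "verifier-c"]  # hypothetical 2-of-3 setup

def demo():
    poisoned = ("verifier-a", FORGED)   # verifier-a reads a poisoned RPC
    honest_b = ("verifier-b", GENUINE)  # assumed independent RPC sources
    honest_c = ("verifier-c", GENUINE)
    return {
        "1/1 accepts forgery": accept([poisoned], ONE, 1) == FORGED,
        "2/3 outvotes forgery": accept([poisoned, honest_b, honest_c], THREE, 2) == GENUINE,
        "2/3 holds if a verifier is down": accept([poisoned, honest_b], THREE, 2) is None,
        "1/1 findings": audit_config(ONE, 1),
        "2/3 findings": audit_config(THREE, 2),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the third case one honest verifier is unreachable, as under a DoS, so the quorum holds the message instead of accepting the forged hash.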

The fallout has been severe, triggering a liquidity crisis across major lending platforms like Aave as users rushed to withdraw assets amid fears of bad debt exposure. Total value locked (TVL) in DeFi has contracted sharply, reflecting heightened risk aversion. The incident has also reignited debates over the safety of restaked assets as collateral, pushing protocols toward institutional-grade security standards.

As the DeFi sector grapples with the aftermath, the exploit underscores the vulnerabilities inherent in complex cross-chain architectures and the consequences of prioritizing speed over security. The event marks a turning point in how the industry assesses and mitigates systemic risks.

Source: https://financefeeds.com/kelpdao-security-breach-blamed-on-lazarus-group/

KernelDAO cybersecurity rating report: https://www.rankiteo.com/company/kernel-dao

LayerZero Labs cybersecurity rating report: https://www.rankiteo.com/company/layerzerolabs

"id": "KERLAY1776675144",
"linkid": "kernel-dao, layerzerolabs",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Decentralized Finance (DeFi)',
                        'name': 'KelpDAO',
                        'type': 'DeFi protocol'},
                       {'industry': 'Decentralized Finance (DeFi)',
                        'name': 'Aave',
                        'type': 'DeFi lending platform'}],
 'attack_vector': 'Cross-chain bridge vulnerability, RPC infrastructure '
                  'poisoning, denial-of-service (DoS)',
 'date_detected': '2026-04-18',
 'date_publicly_disclosed': '2026-04-18',
 'description': 'On April 18, decentralized finance (DeFi) protocol KelpDAO '
                'fell victim to a $292 million exploit, now confirmed to be '
                'the work of the North Korean state-backed Lazarus Group. The '
                'attack targeted a vulnerability in the protocol’s cross-chain '
                'bridge, powered by LayerZero Labs’ infrastructure. The '
                'Lazarus Group executed a sophisticated attack by poisoning '
                'the decentralized validation network’s downstream RPC '
                'infrastructure through coordinated denial-of-service (DoS) '
                'attacks and control of key nodes, enabling them to forge '
                'cross-chain transactions.',
 'impact': {'brand_reputation_impact': 'Heightened risk aversion, '
                                       'industry-wide security concerns',
            'financial_loss': '$292 million',
            'operational_impact': 'Liquidity crisis, asset withdrawals, frozen '
                                  'cross-chain bridges',
            'systems_affected': 'Cross-chain bridge, downstream RPC '
                                'infrastructure, DeFi lending platforms (e.g., '
                                'Aave)'},
 'initial_access_broker': {'entry_point': 'Cross-chain bridge vulnerability'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Vulnerabilities in complex cross-chain architectures, '
                    'consequences of prioritizing speed over security, risks '
                    'of single-point-of-failure validation setups, need for '
                    'institutional-grade security standards in DeFi.',
 'motivation': 'Financial gain, state-sponsored cyber threat',
 'post_incident_analysis': {'corrective_actions': 'Freezing cross-chain '
                                                  'bridges, industry-wide '
                                                  'security reviews, push '
                                                  'toward institutional-grade '
                                                  'security standards',
                            'root_causes': 'Single-point-of-failure in 1/1 '
                                           'validation setup, lack of '
                                           'redundant verifiers, sophisticated '
                                           'manipulation of downstream RPC '
                                           'infrastructure'},
 'recommendations': 'Implement redundant verifiers, enhance cross-chain bridge '
                    'security, adopt institutional-grade security measures, '
                    'improve risk assessment for restaked assets as '
                    'collateral.',
 'references': [{'source': 'Incident report'}],
 'response': {'containment_measures': 'Freezing cross-chain bridges'},
 'threat_actor': 'Lazarus Group',
 'title': 'KelpDAO Suffers $292M Exploit Linked to North Korea’s Lazarus Group',
 'type': 'Exploit',
 'vulnerability_exploited': 'Single-point-of-failure in 1/1 validation setup, '
                            'lack of redundant verifiers'}