CryptoHigh ImpactUpdated×43•Originally published 20 April 2026•Updated 22 April 2026•

1 min read

LayerZero Blames Kelp for $294M Exploit, Links Attack to Lazarus Group

Key Facts

1LayerZero attributed the $290 million exploit to Kelp's setup and the ignoring of multi-verifier recommendations.

2The attack involved compromising two RPC nodes and DDoS-ing others, with attribution to North Korea's Lazarus Group.

Tensions between LayerZero and Kelp DAO have intensified following the April 18, 2026, exploit totaling $294 million, with the attack attributed to North Korea's Lazarus Group. While Dune Analytics data shows 50% of LayerZero applications use minimal security levels, new on-chain evidence has detected the laundering of $80 million in stolen ETH via THORChain. This suspicious activity caused THORChain swap volumes to skyrocket to $394 million, a massive surge considering daily volumes were typically under $35 million prior to the exploit. These developments follow a parallel $285 million theft from Drift Protocol, as the Lazarus Group continues to launder assets across the Ethereum and Bitcoin networks. The scale of these incidents has put cross-chain security under intense scrutiny, potentially prompting stricter regulatory oversight within the DeFi sector. The situation underscores the escalating threat posed by state-backed actors to decentralized financial infrastructure.

about 2 months ago

Version History

4 additional sources confirmed this story

Version 43about 2 months ago

Version 42about 2 months ago

Version 41about 2 months ago

Version 40about 2 months ago

What changed: Added baseline volume data for THORChain to contextualize the magnitude of the $394 million surge.

Version 39about 2 months ago

What changed: New on-chain evidence identifies THORChain as the primary venue for laundering $80 million of the stolen funds, evidenced by a significant spike in protocol volume.

Version 38about 2 months ago

What changed: Added new data from Dune Analytics revealing that 50% of LayerZero apps use basic security levels, highlighting systemic vulnerabilities in the ecosystem.

Version 37about 2 months ago

What changed: The story was updated to reflect that the Lazarus Group has extended laundering operations to the Bitcoin network and to highlight the potential for stricter regulatory backlash in the DeFi sector.

Version 36about 2 months ago

What changed: Added information regarding a new $285 million exploit by the Lazarus Group targeting the Drift Protocol on the Solana network.

Version 35about 2 months ago

What changed: Updated the total exploit value to $294 million and included Kelp DAO's formal denial of any internal system involvement.

Version 34about 2 months ago

What changed: The attacker has transitioned from holding the stolen assets to active laundering, utilizing privacy-preserving protocols and fresh wallet addresses to move $175 million in ETH.

Version 33about 2 months ago

What changed: Added the specific exploit date (April 18, 2026), the exact amount of stolen assets (116,500 rsETH), and historical context regarding the Lazarus Group's activities.

Version 32about 2 months ago

What changed: Arkham Intelligence was identified as the verified source confirming the movement of $175 million in stolen Ether.

Version 31about 2 months ago

What changed: Updated the story to include details of the attacker moving $175 million in Ether to initiate money laundering activities.

Version 30about 2 months ago

What changed: The attacker has initiated cross-chain movement of the stolen $292 million in response to the Arbitrum Security Council's asset freeze.

Version 29about 2 months ago

What changed: The story was updated to include reports indicating that 47% of applications on the LayerZero protocol may face similar security risks.

Version 28about 2 months ago

What changed: Kelp DAO formally countered LayerZero's claims, asserting that the vulnerability stemmed from LayerZero's own default configurations rather than Kelp's negligence.

Version 27about 2 months ago

What changed: Updated the story to include the Arbitrum Security Council's intervention to freeze $71.5M in stolen assets and the resulting debate over decentralization.

Version 26about 2 months ago

What changed: The story was updated to include the crypto community's backlash against LayerZero, questioning its security philosophy and the effectiveness of its verifier-based solutions in preventing future exploits.

Version 25about 2 months ago

What changed: Added the specific date of the exploit (April 18) and included Kelp DAO's formal rejection of sole liability for the security breach.

Version 24about 2 months ago

What changed: Added details regarding the timing of the attack (weekend), the precision of execution, and identified the KelpDAO cross-chain bridge as the specific vector of the exploit.

Version 23about 2 months ago

What changed: Identified the exploited asset as rsETH and adjusted the total value to $292 million.

Version 22about 2 months ago

What changed: The update highlights Kelp DAO's specific counter-argument that the security vulnerability originated from LayerZero's own default software configurations rather than a manual misconfiguration by Kelp.

Version 21about 2 months ago

What changed: Kelp DAO added a counter-claim stating that the vulnerable security configuration was LayerZero's default setting.

Version 20about 2 months ago

What changed: The story was updated to include details on Kelp allegedly ignoring security advice regarding its 'Single DVN' configuration and a massive $8.9 billion TVL drop in Aave linked to bad debt.

Version 19about 2 months ago

What changed: The story was updated to highlight the industry-wide reaction, specifically the urgent calls for diversified infrastructure and enhanced security standards across DeFi protocols.

Version 18about 2 months ago

What changed: Added statements from Ripple CTO David Schwartz and specified the exploit date (April 18) and the specific asset stolen (rsETH).

Version 17about 2 months ago

What changed: Added information regarding the expansion of North Korean cyber-tactics and their persistent targeting of the DeFi sector.

Version 16about 2 months ago

What changed: LayerZero officially denied financial contagion, while the update notes shifting market sentiment toward skepticism of bridge security and concentrated validation.

Version 15about 2 months ago

What changed: Specified the 'TraderTraitor' cluster involvement and added details regarding systemic risks to DeFi oracles and restaking integrations.

Version 14about 2 months ago

What changed: Kelp DAO shifted the blame back to LayerZero, identifying the compromised verifier as LayerZero's own infrastructure and noting the vulnerability was in LayerZero's default onboarding settings.

Version 13about 2 months ago

What changed: The report was updated to specify that $228 million of the total loss was siphoned in ETH via the KelpDAO bridge.

Version 12about 2 months ago

What changed: Updated the story to include Kelp DAO's counter-claims blaming LayerZero's default configurations and the initiation of an emergency security migration.

Version 11about 2 months ago

What changed: Added the specific date of the exploit (April 18, 2026), identified the affected networks (Ethereum and Arbitrum), and specified the rsETH configuration vulnerability.

Version 10about 2 months ago

What changed: Identified Kelp's DVN setup as the technical cause and added information regarding potential losses for the Aave protocol.

Version 9about 2 months ago

What changed: Added technical details regarding forged cross-chain messages, the near-execution of a second fund drain, and the attackers' efforts to wipe digital traces.

Version 8about 2 months ago

What changed: The story was updated to highlight mounting investor pressure and the urgent questions regarding liability and the reimbursement process for the $293M loss.

Version 7about 2 months ago

What changed: Added technical details regarding LayerZero's prior warning about the single-verifier configuration and reports that the damage is now contained.

Version 6about 2 months ago

What changed: Identified KelpDAO's backing (YZi Labs/CZ) and clarified that the exploit occurred specifically through the protocol's cross-chain bridge mechanism.

Version 5about 2 months ago

What changed: Updated total losses to $293 million, noted that Aave protocol has frozen its markets, and specified that the exploit targeted Kelp DAO's rsETH token.

Version 4about 2 months ago

What changed: Updated total exploit value to $292M and specified the vulnerability as a single Decentralized Verifier Network (DVN) configuration error.

Version 3about 2 months ago

What changed: The update provides the specific date of the exploit (April 18, 2026) and identifies the 'TraderTraitor' subgroup within the Lazarus Group as the responsible party.

Version 2about 2 months ago

What changed: Identified DefiLlama as the source for TVL data and characterized the Kelp DAO vulnerability specifically as a 'single-point setup' failure.

Version 1about 2 months ago

What changed: Added market impact data, noting a 7% decline in the total value locked (TVL) across the DeFi sector following the exploit.