Key Takeaways
- North Korea’s Lazarus Group allegedly drained $292 million in rsETH via compromised LayerZero RPC nodes and a DDoS-triggered failover.
- Contagion spread to Aave, where stolen rsETH was used as collateral to borrow over $196 million in ETH, triggering $6 billion in TVL outflows and bad debt across DeFi.
- Following the $285 million Drift hack earlier this month, the incident highlights growing systemic risks from insider access, bridges, and composability.
The decentralized finance (DeFi) sector is reeling after one of its largest exploits to date.
On April 18, 2026, attackers drained roughly $292 million from KelpDAO’s liquid restaking protocol in an incident security experts have preliminarily linked to North Korea’s Lazarus Group.
What initially appeared to be a single protocol breach quickly escalated into something far more serious.
The exploit exposed structural weaknesses in DeFi infrastructure and triggered immediate fallout across interconnected platforms like Aave—raising fresh concerns about systemic risk across the ecosystem.
How the KelpDAO Hack Unfolded
The attack centered on KelpDAO’s rsETH bridge, which relies on LayerZero’s cross-chain messaging infrastructure.
In total, attackers drained 116,500 rsETH (18% of the token’s circulating supply) valued at approximately $292 million at the time.
According to LayerZero’s incident report, the exploit did not target KelpDAO’s core smart contracts. Instead, it focused on a weaker point: infrastructure.

Hackers compromised two RPC nodes used by KelpDAO’s LayerZero verifier.
They then launched a DDoS attack to force a system failover, effectively tricking the verifier into approving forged cross-chain messages.
This allowed them to move funds out of the bridge without authorization.
The key vulnerability stemmed from configuration. KelpDAO relied on a single verifier setup, despite prior recommendations to implement a multi-verifier system for redundancy.
The attack played out within minutes, underscoring how a seemingly minor infrastructure decision can lead to large-scale losses.
KelpDAO responded quickly by pausing core contracts via its emergency multisig, preventing further damage.
By that point, however, the funds had already been moved and converted into wrapped ETH across multiple chains.
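The failover and single-verifier weakness described above, as a simplified Python model added here for illustration (not KelpDAO's or LayerZero's code). The endpoint counts, hash values and function names are constructed assumptions; it contrasts a read that fails over to whichever endpoint answers with one that fails closed, and a 1-of-1 verifier setup with a 2-of-3 one.

```python
from collections import Counter

# Constructed placeholders: payload hash as recorded on the source chain,
# and the hash that tampered RPC endpoints report instead.
HONEST, FORGED = "0xaaa1", "0xbbb2"

def failover_read(responses):
    """Weak policy: trust the first endpoint that answers (None = unreachable)."""
    return next((v for v in responses if v is not None), None)

def quorum_read(responses):
    """Fail closed: a value needs a majority of *configured* endpoints,
    so knocking endpoints offline can only stall the verifier."""
    needed = len(responses) // 2 + 1
    counts = Counter(v for v in responses if v is not None)
    if not counts:
        return None
    value, seen = counts.most_common(1)[0]
    return value if seen >= needed else None

def bridge_accepts(attestations, claimed, threshold):
    """Destination side: release funds only if `threshold` independent
    verifiers attested to the claimed payload hash."""
    return sum(a == claimed for a in attestations) >= threshold

def simulate():
    # Five configured endpoints; the last two are tampered (constructed).
    normal = [HONEST, HONEST, HONEST, FORGED, FORGED]
    # Same endpoints while the three honest ones are unreachable.
    degraded = [None, None, None, FORGED, FORGED]
    weak = failover_read(degraded)      # falls through to a tampered node
    strict = quorum_read(degraded)      # 2 of 5 is below majority -> None
    # Two other verifiers with their own endpoints still read the chain correctly.
    others = [quorum_read([HONEST] * 3), quorum_read([HONEST] * 3)]
    return {
        "quorum_normal": quorum_read(normal),
        "failover_degraded": weak,
        "quorum_degraded": strict,
        "one_of_one": bridge_accepts([weak], FORGED, threshold=1),
        "two_of_three": bridge_accepts([weak] + others, FORGED, threshold=2),
    }

if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

In this model the forged payload is released only when a single verifier with failover reads is the sole attester; either the majority-of-configured read or the 2-of-3 threshold on its own blocks it.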
Contagion Spreads: Aave and DeFi Markets Hit
The real impact emerged after the initial exploit.
Attackers used the stolen rsETH as collateral on lending platforms—primarily Aave V3, but also Compound V3 and Euler.
From there, they borrowed large amounts of ETH, with Aave alone seeing roughly $196 million in borrowed funds tied to the exploit.
This created immediate bad debt across protocols, with total exposure exceeding $236 million.

Aave responded by freezing the rsETH markets across its V3 and V4 deployments.
Founder Stani Kulechov confirmed that Aave’s core contracts remained secure, but the collateral damage was unavoidable.
Aave’s total value locked (TVL) dropped by an estimated $6-6.6 billion within hours as users rushed to withdraw funds.
ETH utilization rates surged to 100% in some pools, limiting liquidity and making withdrawals difficult.
The AAVE token fell between 10% and 16% during the disruption.
The ripple effects extended well beyond Aave. At least nine DeFi platforms with rsETH exposure implemented freezes or precautionary pauses.
Even unrelated protocols saw outflows as confidence across the sector weakened.
Lazarus Group’s Expanding Reach in DeFi
The KelpDAO exploit fits into a broader and increasingly concerning pattern.
North Korea’s Lazarus Group, also tracked under names such as TraderTraitor and UNC4736, has spent years infiltrating crypto infrastructure.
According to security researcher Taylor Monahan, operatives linked to the group may be embedded in over 40 DeFi projects.
Their methods go beyond traditional hacking.
These actors use long-term social engineering tactics, including fake identities, job applications, conference networking, and sustained collaboration to build trust.
In many cases, they contribute legitimate work before exploiting access to keys, infrastructure, or governance systems.
Estimates suggest Lazarus has stolen between $6 billion and $7 billion in crypto since 2017, with activity accelerating in 2026.
April alone has seen major incidents:
- Drift Protocol (April 1): ~$280–285 million stolen in a long-term social engineering attack involving malware and insider access.
- KelpDAO (April 18): ~$292 million exploit tied to infrastructure compromise and bridge manipulation.
Reports indicate at least a dozen similar incidents in early 2026, with attackers increasingly combining insider access, infrastructure weaknesses, and protocol composability.
Why DeFi’s Design Is Being Stress-Tested
These attacks highlight a difficult reality: the same features that make DeFi powerful—open access, composability, and rapid innovation—can also amplify risk.
Bridges, in particular, remain a major point of vulnerability, accounting for a large share of historical losses.
Meanwhile, the growing use of shared infrastructure, oracles, and cross-protocol integrations increases the potential for cascading failures.
The economic impact is already visible.
Billions in liquidity have exited major protocols.
Token prices have dropped, and confidence has weakened.
If similar exploits continue—or if multiple systems are hit simultaneously—the risk of broader market disruption grows.
Some analysts warn that a coordinated series of failures could trigger a DeFi-wide liquidity crisis, echoing past collapses but on a larger scale.
What Comes Next
The KelpDAO exploit is unlikely to be the last of its kind.
LayerZero has already called for stronger safeguards, including mandatory multi-verifier setups and improved RPC security.
More broadly, the industry faces pressure to strengthen defenses across multiple fronts.
Potential responses include stricter auditing standards, better detection of insider threats, enhanced monitoring of cross-chain activity, and new forms of shared risk mitigation.
The challenge, however, is coordination.
DeFi’s decentralized structure makes it difficult to implement unified security standards, even as threats become more sophisticated.
For now, the message is clear: the ecosystem is entering a new phase, where infrastructure risk and adversarial actors are becoming as important as code-level vulnerabilities.
KelpDAO may be the latest example—but it is unlikely to be the last.

