Lazarus $290M heist

- Security feeds reported a roughly $290 million cryptocurrency theft attributed to the Lazarus group.
- Observers described large cross-chain movements and rapid fund obfuscation linked to the theft.
- The Lazarus heist was reported alongside wiper and other exploit activity this week, prompting elevated alerts. (x.com)

A North Korea-linked hacking crew is being blamed for a roughly $290 million cryptocurrency theft from KelpDAO, the biggest crypto heist reported so far in 2026. (layerzero.network)

LayerZero said the exploit hit KelpDAO’s rsETH setup on April 18 and let the attacker drain about 116,500 rsETH, worth roughly $290 million to $292 million at the time. CoinDesk reported the stolen tokens represented about 18% of rsETH’s circulating supply. (layerzero.network) (coindesk.com)

The attack did not break Ethereum itself. LayerZero said the intruder poisoned remote procedure call, or RPC, infrastructure used by its Decentralized Verifier Network, then exploited KelpDAO’s one-verifier configuration to push through a forged cross-chain message. (layerzero.network) (coindesk.com)

Cross-chain systems act like couriers between blockchains, carrying instructions from one chain to another. In this case, LayerZero said the forged instruction made KelpDAO release tokens that were not actually backed by deposits on the other side. (layerzero.network) (docs.layerzero.network)

The theft spread beyond one wallet because rsETH was already woven into decentralized finance lending and trading. CoinDesk reported the attacker moved the unbacked rsETH into Aave as collateral and borrowed wrapped ether against it, while KelpDAO paused contracts and partners moved to limit further damage. (coindesk.com) (securityweek.com)

LayerZero said the compromise was isolated to KelpDAO’s rsETH configuration and that other assets and applications on the protocol were not affected. That claim came as KelpDAO and LayerZero publicly pointed to different weak points in the setup, with LayerZero blaming KelpDAO’s single-DVN choice. (layerzero.network) (coindesk.com)

The Lazarus attribution is significant because the group has been repeatedly tied to cryptocurrency thefts that investigators say help fund North Korea’s state programs. LayerZero said its preliminary indicators pointed to Lazarus, specifically the TraderTraitor cluster, and multiple news outlets matched that assessment this week. (layerzero.network) (upi.com)

The laundering pattern also fit Lazarus’s reputation. Security reports described rapid cross-chain movements and obfuscation after the theft, a familiar playbook in earlier North Korea-linked crypto cases. (bleepingcomputer.com) (securityweek.com)

This heist landed in the middle of a broader run of Lazarus-linked activity in April. CoinDesk reported a separate $270 million Drift Protocol exploit on April 1 that Drift also tied to a North Korean operation, adding to fresh alerts around the group’s campaigns. (coindesk.com) (cisa.gov)

The immediate next step is recovery, not certainty. LayerZero said it replaced the affected RPC nodes and restored its verifier, while KelpDAO and partner protocols continue to sort out losses from a theft that turned one forged message into nearly $290 million gone. (layerzero.network) (securityweek.com)
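To show why the one-verifier configuration mattered, here is an added example: a simplified model, not LayerZero's or KelpDAO's code. It generalizes the single-DVN case to an M-of-N quorum and counts attestations per distinct RPC provider; all verifier names, provider labels and messages are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

def payload_hash(msg: dict) -> str:
    """Digest of the cross-chain message that verifiers attest to."""
    return hashlib.sha256(json.dumps(msg, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc_provider: str    # hypothetical label for where it reads source-chain state
    rpc_view: frozenset  # payload hashes that endpoint reports as emitted on-chain

    def attests(self, msg: dict) -> bool:
        # A verifier is only as truthful as the RPC data it reads.
        return payload_hash(msg) in self.rpc_view

def accept(msg: dict, verifiers: list, threshold: int) -> bool:
    """Destination-side rule: release only if `threshold` verifiers backed by
    distinct RPC providers attest; verifiers sharing a provider count once."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and the verifier count")
    providers = {v.rpc_provider for v in verifiers if v.attests(msg)}
    return len(providers) >= threshold

# Constructed sample data: one message really emitted on the source chain, one forged.
GENUINE = {"nonce": 41, "to": "0xUSER_PLACEHOLDER", "amount": 10}
FORGED = {"nonce": 42, "to": "0xATTACKER_PLACEHOLDER", "amount": 116500}
HONEST_VIEW = frozenset({payload_hash(GENUINE)})
POISONED_VIEW = HONEST_VIEW | {payload_hash(FORGED)}  # poisoned RPC also "sees" the forgery

dvn_a = Verifier("dvn-a", "rpc-1", POISONED_VIEW)
dvn_a2 = Verifier("dvn-a2", "rpc-1", POISONED_VIEW)  # second verifier, same poisoned RPC
dvn_b = Verifier("dvn-b", "rpc-2", HONEST_VIEW)
dvn_c = Verifier("dvn-c", "rpc-3", HONEST_VIEW)

def demo() -> dict:
    return {
        "1-of-1 forged": accept(FORGED, [dvn_a], 1),                  # accepted
        "2-of-3 forged": accept(FORGED, [dvn_a, dvn_b, dvn_c], 2),    # rejected
        "2-of-3 genuine": accept(GENUINE, [dvn_a, dvn_b, dvn_c], 2),  # accepted
        "2-of-2 shared rpc": accept(FORGED, [dvn_a, dvn_a2], 2),      # rejected
    }

if __name__ == "__main__":
    for case, released in demo().items():
        print(f"{case}: {'released' if released else 'rejected'}")
```

The last case fails closed for genuine messages as well, which is the intended signal that two verifiers reading the same RPC source do not add up to an independent quorum.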
