Summary
On April 18, 2026, attackers linked to North Korea’s Lazarus Group stole ~$292 million (116,500 rsETH) from KelpDAO’s LayerZero bridge. Crucially, this was not a smart contract hack, but a sophisticated attack on off-chain infrastructure.
The attackers compromised internal RPC nodes and DDoS’d external nodes to feed false data to a single-point-of-failure verification network (a 1-of-1 DVN setup). This tricked the Ethereum contract into releasing funds based on a phantom token “burn” on the source chain.
Traditional security tools missed the attack because every on-chain transaction looked completely valid. Spotting this type of exploit requires cross-chain invariant monitoring — continuously verifying that tokens released on a destination chain mathematically match tokens burned on the source chain.
Rapid intervention prevented further damage. KelpDAO successfully paused contracts to block a second $95 million theft, and the Arbitrum Security Council, coordinating with law enforcement, froze over 30,000 ETH of the attacker’s downstream funds.
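The cross-chain invariant check described above, as an added example (not KelpDAO's or LayerZero's code): each destination-chain release must match a source-chain burn that a quorum of independent source-chain views report identically. The view names, message ids and amounts are constructed, and amounts are in whole rsETH for readability.

```python
from collections import Counter

def confirmed_burns(burn_views, quorum):
    """Burns (msg_id -> amount) reported identically by >= quorum views."""
    votes = {}
    for view in burn_views.values():
        for mid, amount in view.items():
            votes.setdefault(mid, Counter())[amount] += 1
    burned = {}
    for mid, counts in votes.items():
        amount, n = counts.most_common(1)[0]
        if n >= quorum:
            burned[mid] = amount
    return burned

def audit(releases, burn_views, quorum):
    """Return (alerts, gap). gap = total released - total confirmed burned;
    the invariant holds only while gap <= 0 (in-flight burns make it negative)."""
    burned = confirmed_burns(burn_views, quorum)
    alerts, seen = [], set()
    for mid, amount in releases:
        if mid in seen:
            alerts.append((mid, "duplicate release"))
        elif mid not in burned:
            alerts.append((mid, "no quorum-confirmed burn"))
        elif burned[mid] != amount:
            alerts.append((mid, "amount mismatch"))
        seen.add(mid)
    gap = sum(a for _, a in releases) - sum(burned.values())
    return alerts, gap

# Constructed sample data; view names and message ids are hypothetical.
# Only the poisoned view reports the phantom burn behind msg-3.
BURN_VIEWS = {
    "internal_rpc": {"msg-1": 100, "msg-2": 50, "msg-3": 116500},
    "provider_b":   {"msg-1": 100, "msg-2": 50},
    "provider_c":   {"msg-1": 100, "msg-2": 50},
}
RELEASES = [("msg-1", 100), ("msg-2", 80), ("msg-3", 116500)]

if __name__ == "__main__":
    for quorum in (1, 2):  # quorum=1 mirrors trusting a single verifier
        print(quorum, audit(RELEASES, BURN_VIEWS, quorum))
```

With `quorum=1` the phantom burn is accepted because one poisoned view is enough to confirm it; with `quorum=2` the same release is flagged and the gap exposes the unbacked amount.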











