A sophisticated cyberattack drained roughly $292 million from KelpDAO’s cross-chain bridge, with infrastructure provider LayerZero attributing the breach to North Korea’s Lazarus Group. The attackers exploited a single verification channel, not a flaw in the bridge itself, forcing a $10 billion withdrawal cascade in decentralized finance.
Attackers stole 116,500 rsETH from the KelpDAO bridge on Saturday. LayerZero stated the exploit was “likely” the work of North Korea’s Lazarus Group, specifically its TraderTraitor subunit, according to a preliminary analysis. The breach triggered withdrawals that pulled over $10 billion from lending protocol Aave.
LayerZero explained that KelpDAO had relied on a single verifier to approve bridge transfers. Security experts noted this created a critical vulnerability. “The vault was fine. The guard was honest. The door mechanism worked correctly,” said Cyvers CTO Meir Dolev, describing the attack as a sophisticated deception of the verification channel.
The attackers corrupted two communication lines used by the verifier to check withdrawal validity on Unichain. They fed fake confirmation signals through these compromised lines and then disabled the remaining channels, forcing the verifier to accept the false data. This method allowed the theft without directly breaching the bridge’s core security.
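The failure mode described above, as an added example that is not code from LayerZero, KelpDAO or the original article: a verifier that trusts whichever data sources still answer, next to one that counts confirmations against the full configured set and refuses when too few respond. The source names, the total of five sources and the quorum of four are constructed assumptions.

```python
# Added illustration. Source names, counts and the quorum are constructed,
# not details of the incident.
from typing import Dict, Optional, Tuple

# True/False = the source's answer about the transfer, None = source unreachable
Responses = Dict[str, Optional[bool]]

def fail_open_verify(responses: Responses) -> bool:
    """Weak policy: accept if every source that still answers confirms."""
    answers = [a for a in responses.values() if a is not None]
    return bool(answers) and all(answers)

def fail_closed_verify(responses: Responses, quorum: int) -> Tuple[bool, str]:
    """Hardened policy: the quorum is counted against the configured set,
    so knocking sources offline never lowers the bar."""
    if not 0 < quorum <= len(responses):
        raise ValueError("quorum must be between 1 and the number of sources")
    confirms = sorted(s for s, a in responses.items() if a is True)
    denies = sorted(s for s, a in responses.items() if a is False)
    silent = sorted(s for s, a in responses.items() if a is None)
    if denies:
        # Any disagreement between sources is treated as a reason to halt.
        return False, f"conflict: {denies} deny the transfer"
    if len(confirms) < quorum:
        return False, f"only {len(confirms)}/{quorum} confirmations; unreachable: {silent}"
    return True, f"{len(confirms)} confirmations"

# Constructed scenarios: two sources report a confirmation, three are offline.
DEGRADED = {"rpc-a": True, "rpc-b": True, "rpc-c": None, "rpc-d": None, "rpc-e": None}
HEALTHY = {name: True for name in DEGRADED}
SPLIT = {"rpc-a": True, "rpc-b": True, "rpc-c": False, "rpc-d": True, "rpc-e": True}

if __name__ == "__main__":
    print("fail-open, degraded:  ", fail_open_verify(DEGRADED))
    for label, case in (("degraded", DEGRADED), ("healthy", HEALTHY), ("split", SPLIT)):
        print(f"fail-closed, {label}:", fail_closed_verify(case, quorum=4))
```

A source quorum only helps when the sources are independently operated; it does not replace running more than one verifier.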
LayerZero had reportedly urged KelpDAO to adopt multiple verifiers for redundancy. The company stated it will now stop approving messages for any application still using a single-verifier setup. The stolen funds have been tracked to a specific Ethereum address, which was flagged by on-chain investigator ZachXBT in a separate report.
This incident follows another major exploit earlier this month, in which roughly $285 million was drained from Solana-based protocol Drift, also attributed to North Korean operatives. Cyvers noted the KelpDAO attack involved malware designed to erase itself post-operation, obscuring the attackers’ trail. While the patterns match DPRK-linked operations, definitive wallet-clustering ties to Lazarus Group have not been confirmed.
