VERSE PRESS

Crypto News, Global First.

North Korea's Lazarus Group Suspected in $293M Kelp DAO Breach, the Largest Crypto Exploit of 2026

A misconfigured security setting on a liquid restaking protocol built on EigenLayer's $19.7 billion restaking ecosystem, which holds 4.6 million committed ETH, enabled attackers to drain nearly $293 million in 46 minutes on April 18, triggering a contagion event that wiped $13 billion from the broader DeFi market within 24 hours.


Cross-chain messaging protocol LayerZero has attributed a breach of liquid restaking platform Kelp DAO to North Korea's Lazarus Group, specifically its TraderTraitor subunit, though it described that attribution as one made with "preliminary confidence." The attack, which unfolded between 17:35 and 18:21 UTC on April 18, drained approximately 116,500 rsETH tokens (Kelp's receipt token for restaked Ethereum), worth roughly $292 million at the time. Because the forged messages travelled over LayerZero's bridge infrastructure, the exploit touched more than 20 blockchain networks. That figure makes it the largest single crypto exploit of 2026, surpassing the $285 million Drift Protocol hack of April 1, also attributed to Lazarus Group, by about $7 million. Together the two incidents represent roughly $577 million in losses attributed to the same North Korean unit in just 18 days.

The vulnerability was not a code flaw. It was a configuration choice.

LayerZero's security model gives each integrating application control over its own verifier setup through Decentralized Verifier Networks (DVNs). A DVN is an independent verifier that attests that a cross-chain message really was emitted on the source chain before the destination chain is allowed to execute it; an application chooses which DVNs it trusts and how many of them must agree. Kelp DAO had configured its bridge as 1-of-1: a single required verifier and no second opinion, rather than consensus across multiple independent ones. LayerZero says it had previously recommended against this setup. In an official statement, LayerZero said: "KelpDAO chose to utilize a 1/1 DVN configuration. A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised."

Attackers exploited this gap through a sophisticated infrastructure poisoning operation. According to on-chain forensic analysis from Innora.ai, a cluster of nine attacker addresses was involved in the exploit. In the hours before the attack, gas fees were pre-staged through Tornado Cash using small 0.1 ETH deposits across five wallets, a pattern designed to avoid detection.

The attackers then compromised two remote procedure call (RPC) nodes, the servers that protocols and verifiers rely on to read blockchain state, and launched a denial-of-service attack on other nodes to force failover onto the poisoned ones. Malicious software planted on the compromised nodes fed false chain data exclusively to the single DVN in Kelp's configuration while answering every other client truthfully, so nothing else monitoring the same nodes saw a discrepancy. Because only one verifier's word was required, that one poisoned view was enough to get the forged messages accepted. After the funds were drained, the malware deleted its own files and logs to destroy forensic evidence. Post-attack, on-chain data shows the attackers holding approximately 75,700 ETH (around $189 million) on Ethereum and a further 30,765 ETH (around $77 million) on Arbitrum. The attacker's net equity in those positions appears to be near zero, because the stolen assets sit in lending markets as collateral at roughly 99% loan-to-value ratios, which is what makes them difficult to liquidate.
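To make the configuration point concrete, the following is a small Python model of destination-side DVN quorum verification when one verifier's RPC source is poisoned. It is an added illustration written for this article, not LayerZero's or Kelp DAO's code. The `UlnConfig` field names (required DVNs, optional DVNs, optional threshold) follow the required/optional DVN semantics LayerZero documents, but the `Rpc` and `DVN` classes, the `verify` logic, the endpoint ID, the nonce and the message payloads are all constructed here for illustration.

```python
"""Toy model of DVN quorum verification with a poisoned RPC (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def packet_hash(src_eid: int, nonce: int, payload: bytes) -> bytes:
    # A DVN attests to a commitment over (source chain, nonce, payload).
    return hashlib.sha256(f"{src_eid}:{nonce}:".encode() + payload).digest()


class Rpc:
    """Hypothetical RPC node. A poisoned node answers with attacker-chosen
    payloads for specific nonces and truthfully for everything else, which is
    why other clients polling the same node see nothing wrong."""

    def __init__(self, name: str, chain_log: Dict[int, bytes],
                 poisoned: Optional[Dict[int, bytes]] = None) -> None:
        self.name = name
        self.chain_log = chain_log          # the real source-chain events
        self.poisoned = poisoned or {}      # nonce -> forged payload

    def packet_payload(self, nonce: int) -> bytes:
        return self.poisoned.get(nonce, self.chain_log[nonce])


@dataclass
class DVN:
    name: str
    rpc: Rpc  # the node this verifier reads source-chain state from

    def attest(self, src_eid: int, nonce: int) -> bytes:
        return packet_hash(src_eid, nonce, self.rpc.packet_payload(nonce))


@dataclass
class UlnConfig:
    required_dvns: List[DVN]                       # every one must agree
    optional_dvns: List[DVN] = field(default_factory=list)
    optional_threshold: int = 0                    # how many optionals must agree


def verify(cfg: UlnConfig, src_eid: int, nonce: int, claimed: bytes) -> bool:
    """Destination-side check: accept the claimed payload only if all required
    DVNs and at least optional_threshold optional DVNs attest to its hash."""
    h = packet_hash(src_eid, nonce, claimed)
    if any(d.attest(src_eid, nonce) != h for d in cfg.required_dvns):
        return False
    agreeing = sum(d.attest(src_eid, nonce) == h for d in cfg.optional_dvns)
    return agreeing >= cfg.optional_threshold


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """One honest packet at nonce 7, one poisoned RPC, three DVN configurations."""
    src_eid, nonce = 30101, 7               # constructed endpoint ID and nonce
    honest = b"mint 10 rsETH to 0xalice"    # what the source chain actually emitted
    forged = b"mint 116500 rsETH to 0xattacker"
    chain_log = {nonce: honest}

    poisoned_rpc = Rpc("rpc-poisoned", chain_log, poisoned={nonce: forged})
    dvn_a = DVN("dvn-a", poisoned_rpc)                    # failed over to poisoned node
    dvn_b = DVN("dvn-b", Rpc("rpc-honest-1", chain_log))
    dvn_c = DVN("dvn-c", Rpc("rpc-honest-2", chain_log))

    configs = {
        # The Kelp-style setup: a single required verifier.
        "1of1": UlnConfig(required_dvns=[dvn_a]),
        # Hardened: two required verifiers plus one optional.
        "2required_1optional": UlnConfig([dvn_a, dvn_b], [dvn_c], optional_threshold=1),
        # Hardened: any two of three optional verifiers.
        "2of3optional": UlnConfig([], [dvn_a, dvn_b, dvn_c], optional_threshold=2),
    }
    return {
        name: {
            "forged_accepted": verify(cfg, src_eid, nonce, forged),
            "honest_accepted": verify(cfg, src_eid, nonce, honest),
        }
        for name, cfg in configs.items()
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

Under the 1-of-1 configuration the forged mint is accepted and the honest one is rejected, because the lone verifier's view of the chain is the attacker's. With two required DVNs the forged message fails, but so does the honest one while dvn-a stays poisoned: a compromised required verifier costs liveness, not funds, which is the trade the hardened setup deliberately makes. The 2-of-3 optional layout keeps both safety and liveness, since the two honest verifiers outvote the poisoned one.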

The damage spread rapidly across DeFi infrastructure.

The drained tokens, roughly 18% of rsETH's circulating supply, hit lending markets hard. Aave, one of DeFi's largest lending protocols, saw its total value locked fall by $8.45 billion to $17.95 billion. The attacker posted the stolen rsETH as collateral and borrowed ETH against it, pushing utilization of Aave's WETH (Wrapped Ether) lending pool to 100%, which meant depositors could not withdraw their funds. Users pulled roughly $5.4 billion in ETH and WETH from the platform in the period following the exploit.

The bad debt sitting in Aave's reserves now stands at approximately $196 to $200 million. Aave's own insurance mechanism, the Umbrella fund, holds only around $50 million, leaving a gap of roughly $146 to $150 million that the protocol's governance community will need to address through a formal vote on reserve drawdowns or the slashing of staked AAVE tokens. Emergency freezes were also activated across SparkLend, Fluid, and Lido Finance. The AAVE governance token fell around 16%, while rsETH dropped roughly 20%.

For users outside the United States, the consequences are direct.

In East Africa, where DeFi protocols have become a practical tool in part because they offer access to dollar-denominated yields that local banking options often cannot match, the rsETH price decline and Aave liquidity freeze lock users out of positions they may depend on. BitKE, a Nairobi-based blockchain publication, covered the story within hours, reflecting how closely African Web3 communities track this class of infrastructure risk. The contagion also extends to projects building on USDC-settled DeFi stacks across the region: the Drift Protocol hack in April triggered a class-action complaint involving Circle's USDC, a development that carries direct relevance for African platforms relying on the same settlement layer.

In South Asia, Indian retail and institutional DeFi users face similar exposure. Across the Asia-Pacific region, institutional DeFi adoption grew from 27% to 69% in recent years, according to data from QuickNode and CoinLaw, a trajectory that substantially widens the blast radius when major protocols fail. The region's exposure is not hypothetical: in November 2025, South Korea's Upbit exchange suffered a suspected Lazarus-linked $30 million drain, demonstrating the group's established presence across Asia-Pacific DeFi infrastructure.

Beyond immediate losses, the DPRK IT worker dimension carries a separate warning for developers in both regions. OFAC sanctioned six individuals and two entities in March 2026 for running DPRK-backed developer infiltration schemes that generated around $800 million in 2024. The group has embedded operatives in nearly 40 DeFi projects, including SushiSwap, THORChain, and Fantom. As remote blockchain hiring grows across Sub-Saharan Africa and South Asia, OFAC and Chainalysis findings indicate that identity verification for contributors has become a concrete operational security requirement rather than a procedural formality.

The policy and protocol response is already reshaping the ecosystem.

LayerZero has announced it will stop signing messages for any project using a 1-of-1 DVN configuration going forward. The protocol is conducting a joint investigation with SEAL (the Security Alliance) and plans to publish a full post-incident report. Every protocol currently using LayerZero's bridge standard will need to audit its verifier configuration or risk being locked out of the protocol entirely. The Lazarus Group, which has stolen an estimated $6.75 billion in crypto across its known history, accounted for roughly 60% of all global crypto theft in 2025, taking $2.02 billion in that year alone, a 51% increase over the prior year. That escalating trajectory shows no sign of reversing.