VERSE PRESS

Crypto News, Global First.

North Korea's Lazarus Group Suspected in $290 Million KelpDAO Bridge Heist

Attackers exploited a single-point verification flaw in LayerZero's cross-chain infrastructure, triggering a $13 billion DeFi market rout and a governance intervention that has rattled the crypto industry's immutability claims.


On April 18, 2026, hackers drained approximately 116,500 rsETH (worth between $290 million and $294 million) from KelpDAO's cross-chain bridge, which runs on LayerZero's messaging protocol. KelpDAO is a liquid restaking protocol built on Ethereum's EigenLayer system, with more than $2 billion in total value locked before the hack; rsETH is the receipt token users receive in exchange for restaked ETH, giving it cross-chain exposure through bridge infrastructure. LayerZero has preliminarily attributed the attack to TraderTraitor, a subunit of North Korea's Lazarus Group, which has become the most prolific theft operation in crypto history. The exploit ranks as the largest DeFi hack of 2026 so far, and it hit an ecosystem that was already on edge.

How the Attack Worked

The attackers executed three coordinated steps. First, they compromised two RPC (remote procedure call) nodes that feed into LayerZero's Decentralised Verifier Network, the system responsible for confirming cross-chain messages. Second, they launched a distributed denial-of-service attack between 10:20 and 11:40 a.m. Pacific Time, knocking out legitimate external nodes and forcing the network to fall back on the poisoned ones. Third, with the compromised nodes now in control, the attackers approved a fraudulent message that released the rsETH funds. The malicious node software then deleted itself to remove forensic traces.

Within 72 hours, blockchain analytics firm Arkham Intelligence tracked the attackers moving funds to new addresses in two large Ethereum transfers, one of $117 million and one of $58 million, totalling $175 million. On-chain data shows approximately $1.5 million has already been bridged to Bitcoin via THORChain (a decentralised cross-chain exchange), while around $78,000 has been routed through Umbra, a privacy protocol. Both methods are consistent with documented Lazarus Group laundering patterns.

LayerZero and KelpDAO Trade Blame

LayerZero's post-mortem focused on a configuration decision it says KelpDAO made. The bridge ran a 1-of-1 verifier setup, meaning a single validator node was sufficient to approve any cross-chain transaction with no backup check required. "A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised," LayerZero stated on April 20.

KelpDAO pushed back sharply. The protocol argues that the single-verifier configuration is LayerZero's own documented default, not a deviation from recommended practice. Security researcher Artem K., a developer at Yearn Finance, confirmed that LayerZero's V2 OApp Quickstart guide ships with single-source verification as the default across multiple networks. KelpDAO also said that despite communication with LayerZero dating to January 2024, it never received specific guidance to change its verifier configuration. Roughly 40 percent of protocols on the LayerZero network currently run the same setup, according to CoinDesk.
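The dispute above turns on one configuration value: how many independent verifiers must attest a cross-chain message before the destination releases funds. The following added example (not LayerZero's, KelpDAO's, or any project's code) reduces that rule to an abstract M-of-N attestation check with HMAC-signed attestations and a hypothetical `simulate` helper, so the difference between a 1-of-1 and a 2-of-3 setting can be seen directly. It also models a verifier being knocked offline, as the DDoS step did to legitimate nodes, to show that a higher threshold costs liveness rather than safety. LayerZero's real DVN and message-library configuration is not modelled; verifier names, keys, and the sample payload are constructed.

```python
"""Toy model of cross-chain message verification behind an M-of-N verifier quorum.

Added example, not code from LayerZero or KelpDAO. A Verifier stands in for one
DVN; `honest` verifiers attest only messages that really occurred on the source
chain, and `available` is False for a node that has been knocked offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac


@dataclass
class Verifier:
    name: str
    key: bytes
    honest: bool = True
    available: bool = True

    def attest(self, payload: bytes, genuine: bool) -> Optional[bytes]:
        """Return an attestation, or None if this verifier will not (or cannot) sign."""
        if not self.available:
            return None
        if self.honest and not genuine:
            return None  # an honest verifier never attests a message that did not happen
        return hmac.new(self.key, payload, hashlib.sha256).digest()


@dataclass
class QuorumConfig:
    required: int              # M: attestations needed before the message executes
    verifiers: List[Verifier]  # N: the configured verifier set


def verify_message(cfg: QuorumConfig, payload: bytes,
                   attestations: Dict[str, bytes]) -> bool:
    """Destination-side check: count attestations that verify under a configured key."""
    valid = 0
    for v in cfg.verifiers:
        sig = attestations.get(v.name)
        if sig is None:
            continue
        expected = hmac.new(v.key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            valid += 1
    return valid >= cfg.required


def simulate(required: int, roster: List[Tuple[bool, bool]], genuine: bool) -> bool:
    """roster holds (honest, available) per verifier; returns whether the message is accepted.

    Hypothetical helper: builds constructed verifiers and keys, gathers attestations
    for one sample payload, and runs the quorum check against it.
    """
    verifiers = [
        Verifier(f"dvn-{i}", hashlib.sha256(f"key-{i}".encode()).digest(),
                 honest=honest, available=available)
        for i, (honest, available) in enumerate(roster)
    ]
    payload = b"withdraw 116500 rsETH to 0xRECIPIENT"  # constructed sample message
    attestations: Dict[str, bytes] = {}
    for v in verifiers:
        sig = v.attest(payload, genuine)
        if sig is not None:
            attestations[v.name] = sig
    return verify_message(QuorumConfig(required, verifiers), payload, attestations)


if __name__ == "__main__":
    # 1-of-1 with the single verifier compromised: a fabricated message is accepted.
    print("1-of-1, compromised, fake  ->", simulate(1, [(False, True)], genuine=False))
    # 2-of-3 with one compromised verifier: the same fabricated message is rejected.
    print("2-of-3, one compromised, fake ->",
          simulate(2, [(False, True), (True, True), (True, True)], genuine=False))
    # 2-of-3 with the two honest verifiers offline: genuine traffic stalls (liveness),
    # but the compromised verifier alone still cannot push a fake through (safety).
    print("2-of-3, honest pair offline, genuine ->",
          simulate(2, [(False, True), (True, False), (True, False)], genuine=True))
```

The last case is the practical caveat behind LayerZero's statement: raising the threshold does not make a compromised verifier harmless, it makes it insufficient, and the price is that an outage of honest verifiers halts delivery rather than degrading to whichever nodes remain. A threshold only helps while fewer than M verifiers are compromised; with two of three under attacker control, the 2-of-3 model accepts the fabricated message as readily as 1-of-1 does.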

Arbitrum Freezes $71.5 Million

The Arbitrum Security Council took the unusual step of freezing 30,766 ETH (approximately $71.5 million) that remained on the network and could be traced to the exploit. Described as one of the fastest chain-level interventions in DeFi history, the action drew immediate attention in large part because of that speed. The council acknowledged that the decision involved "technical, practical, ethical and political" considerations before it proceeded. The frozen funds can only be released through further Arbitrum governance action.

The intervention drew immediate criticism. The ability of a council to unilaterally freeze on-chain assets contradicts how many users understand blockchain networks to function. NewsBTC described the action as "exposing crypto's biggest lie," a characterisation that landed with particular weight given that decentralised finance has positioned trustlessness and censorship resistance as core features.

Ripple Effects Across DeFi

The market reaction was severe. Total value locked across DeFi fell by $13.21 billion in 48 hours following the hack, settling at approximately $85.64 billion, the lowest level since April 2025. Aave, a major lending protocol where rsETH is used as collateral, saw its TVL drop $8.45 billion. Utilisation in Aave's USDT, USDC, and ETH markets briefly hit 100 percent; at that threshold, suppliers cannot withdraw assets until borrowers repay, severely restricting withdrawals during the most volatile period of the crisis. Llamarisk estimates Aave faces between $123.7 million and $230.1 million in potential bad debt exposure depending on how losses are ultimately allocated. Llamarisk and Unchained Crypto also estimate that rsETH could depeg by approximately 15 percent under a worst-case loss allocation scenario, a risk with direct consequences for any holder using rsETH as collateral.

Regional Stakes

The consequences extend well beyond Ethereum-native users. In South Asia and Sub-Saharan Africa, where DeFi protocols have gained traction as alternatives to unreliable banking infrastructure, the stablecoin liquidity freeze hit especially hard. Users in Nigeria, India, Pakistan, and Kenya who rely on USDT or USDC for cross-border remittances were effectively barred from Aave withdrawals for hours during the crisis. TRM Labs has documented that North Korean laundering networks favour USDT on Tron as an intermediate asset, the same asset that users in those regions depend on for low-cost dollar transfers. The Arbitrum freeze also reignited concerns among communities that adopted crypto specifically to escape government-controlled asset seizures: a chain-level freeze ordered by a council is functionally similar to the kind of financial censorship DeFi was supposed to prevent.

A Worsening Pattern

The KelpDAO hack is not an isolated event. On April 1, Drift Protocol on Solana lost $285 million in an attack that Elliptic, TRM Labs, and Chainalysis attributed to DPRK-linked actors. In that case, attackers posed as a quantitative trading firm for six months before exploiting a Solana feature called "durable nonces" to execute pre-signed transactions that had sat dormant. Across just 18 days in April 2026, the crypto industry absorbed $606 million in losses from 12 separate hacks, as of April 20, according to CryptoTimes.

Lazarus Group has now stolen an estimated $6.75 billion in crypto since 2022, according to Chainalysis. The group stole $2.02 billion across all of 2025, including $1.5 billion from Bybit in February of that year, which was at the time the largest single crypto heist ever recorded. The KelpDAO attack marks a further escalation in that trajectory. U.S. intelligence and a Wall Street Journal investigation estimate that cybercrime accounts for roughly half of North Korea's foreign currency income. With two hacks totalling more than $575 million in a single month, regulators in markets still drafting crypto frameworks, including India, Nigeria, Kenya, Bangladesh, Sri Lanka, and South Africa, are likely to face renewed pressure to impose stricter identity verification requirements on DeFi platforms. That could close access pathways that retail users in those regions currently depend on.