North Korean Hackers Suspected in $292M KelpDAO Heist as DeFi Loses $13B in Two Days
Preliminary attribution points to Lazarus Group after attackers exploited a 1-of-1 DVN (Decentralized Verifier Network) configuration choice compounded by compromised LayerZero servers, draining 116,500 rsETH tokens from liquid restaking protocol KelpDAO on April 18.
KelpDAO is a liquid restaking protocol built on EigenLayer, the restaking infrastructure whose total value locked grew from $1.1 billion to more than $18 billion between 2024 and 2025. Before the hack, KelpDAO held over $2 billion in TVL and issued rsETH, a liquid restaking token deployable across more than 40 DeFi platforms, making it one of the higher-value targets in the ecosystem.
LayerZero's April 20 incident statement and subsequent reporting by TechCrunch, drawing on the FBI's TraderTraitor subunit classification, have preliminarily linked North Korea's Lazarus Group to the theft of approximately $292 million worth of rsETH from KelpDAO last Saturday. The attribution remains preliminary.
The attack unfolded over roughly 80 minutes between 10:20 and 11:40 a.m. PT, targeting LayerZero's cross-chain bridge infrastructure and triggering what is believed to be the largest DeFi exploit of 2026 so far.
Some estimates, including those from the Economic Times, round the total to $300 million, though on-chain data points to $292 million as the more precise figure.
How the Attack Worked
The exploit was carefully staged. Around ten hours before the drain, six attacker wallets received small funding transactions routed through Tornado Cash, a crypto mixing service. On the day of the attack, the perpetrators compromised two RPC nodes (servers that relay transaction data) feeding information to LayerZero's Decentralized Verifier Network, or DVN. These poisoned nodes fed false data exclusively to the verifier while displaying accurate data everywhere else, keeping the manipulation invisible to standard monitoring tools. Attackers then flooded the remaining healthy backup nodes with junk traffic, a distributed denial-of-service attack that forced LayerZero's verifier to rely on the already-compromised servers. With the verifier deceived, a fraudulent cross-chain message was approved, releasing 116,500 unbacked rsETH tokens to the attacker, a figure equivalent to approximately 18 percent of rsETH's total circulating supply. The malware then self-destructed, wiping local logs and binaries.
The attackers did not simply cash out. They deployed the stolen rsETH as collateral on Aave V3, a major DeFi lending protocol, and borrowed against it before rsETH lost its peg to Ethereum. This left Aave holding approximately $177 million in bad debt. One analyst, speaking to CoinDesk Markets, described the mechanic plainly: "It's similar to conning a traditional bank by depositing fake fiat and taking out loans against it, ultimately leaving the lender with bad debt."
A Public Blame War Over Default Settings
The attack triggered a public dispute between LayerZero and KelpDAO over who bears responsibility. LayerZero's April 20 incident statement opened by asserting that "KelpDAO chose to utilize a 1/1 DVN configuration" and argued that "a properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised." The statement pointed specifically to KelpDAO's use of a 1-of-1 DVN setup, meaning a single verifier with no redundancy.
KelpDAO pushed back, stating that the 1-of-1 configuration is LayerZero's own documented default, used by roughly 40 percent of all protocols on the network. KelpDAO also noted that the compromised servers were LayerZero's own infrastructure. Independent developer Artem K, known on-chain as @banteg, confirmed that LayerZero's V2 quickstart documentation defaults to single-source verification on Ethereum, BSC, Polygon, Arbitrum, and Optimism.
This means KelpDAO's vulnerability is not unique: roughly 40 percent of all protocols on LayerZero's network may share the same configuration.
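To make the configuration dispute concrete, the following is an added example (not KelpDAO's or LayerZero's code) modelling a verifier quorum in simplified form: a message is accepted only when every required DVN and a threshold of optional DVNs attest to the same payload hash. The `DvnConfig` class, the DVN names, the hash values and the attestation map are all constructed for illustration; it shows why a single misled verifier passes a forged message under a 1-of-1 setup but only stalls delivery under a multi-DVN one.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DvnConfig:
    """Simplified verifier quorum (assumed model): all required DVNs plus at
    least optional_threshold of the optional DVNs must attest to one payload."""
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def attestations_needed(cfg: DvnConfig) -> int:
    # Number of independent attestations a message must collect to be verified.
    return len(cfg.required_dvns) + cfg.optional_threshold

def is_single_verifier(cfg: DvnConfig) -> bool:
    # The 1-of-1 shape: one compromised or misled DVN is enough to pass a message.
    return attestations_needed(cfg) <= 1

def quorum_verified_hash(cfg: DvnConfig, attestations: dict) -> Optional[str]:
    """attestations maps DVN name -> payload hash that DVN observed via its RPC
    nodes. Returns the hash the quorum agrees on, or None (the message stays
    unverified: a liveness failure, not a forged delivery)."""
    for h in sorted(set(attestations.values())):
        if not all(attestations.get(d) == h for d in cfg.required_dvns):
            continue
        agreeing = sum(1 for d in cfg.optional_dvns if attestations.get(d) == h)
        if agreeing >= cfg.optional_threshold:
            return h
    return None

# Constructed sample: "dvn-A" read only poisoned RPC nodes (its healthy backups
# were flooded), so it saw a forged payload; "dvn-B" and "dvn-C" read healthy
# nodes and saw the real one.
HONEST_HASH = "0xaaaa"   # constructed placeholder for the real message hash
FORGED_HASH = "0xbbbb"   # constructed placeholder for the fraudulent message
POISONED_VIEW = {"dvn-A": FORGED_HASH, "dvn-B": HONEST_HASH, "dvn-C": HONEST_HASH}

ONE_OF_ONE = DvnConfig(required_dvns=["dvn-A"])           # the single-verifier default shape
HARDENED = DvnConfig(required_dvns=["dvn-A", "dvn-B"],    # two required verifiers...
                     optional_dvns=["dvn-C"],
                     optional_threshold=1)                # ...plus one optional attestation

if __name__ == "__main__":
    for name, cfg in (("1-of-1", ONE_OF_ONE), ("hardened", HARDENED)):
        print(name, "single verifier:", is_single_verifier(cfg),
              "-> verified hash:", quorum_verified_hash(cfg, POISONED_VIEW))
```

With the poisoned view, the 1-of-1 configuration returns the forged hash while the hardened one returns `None`, so a compromised verifier can block messages but cannot forge them.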
LayerZero co-founder Bryan Pellegrino said the team was working to "harden security across every possible vector for applications" and that initial investigations had been "largely resolved," with further updates forthcoming.
On-Chain Damage and Containment Efforts
KelpDAO activated an emergency pause approximately 46 minutes after the drain, blocking an estimated $200 million in additional potential losses.
The Arbitrum Security Council froze around 30,766 ETH (approximately $71 million) on April 20. Despite this, blockchain analytics firm Arkham Intelligence and on-chain researcher EmberCN tracked roughly 75,700 ETH (approximately $175 million) moving to Ethereum mainnet after the freeze, with laundering routes running through Umbra Cash and THORChain, which was used specifically to convert ETH into Bitcoin as part of the obfuscation chain.
Total DeFi TVL (total value locked, a measure of assets deposited across protocols) fell from roughly $99.5 billion before the hack to $86.3 billion within 48 hours, a decline of $13.21 billion. Aave saw $8.45 billion in deposit outflows over the same period, alongside a $300 million emergency borrowing surge as users rushed to reposition, according to Sherwood News. Aave's governance token AAVE dropped roughly 2.5 percent. Nine additional major protocols including Euler, SparkLend, and Fluid reported secondary effects.
Regional Exposure: India, Africa, and the Global South
KelpDAO was integrated into more than 40 DeFi platforms globally, meaning the impact extends well beyond any single geography.
In India, one of the world's largest retail crypto markets, a meaningful cohort of technically active users had deployed rsETH across Aave V3, Euler, and SparkLend for enhanced ETH yield. Those positions are likely impaired as a result of the exploit.
The incident is also likely to deepen the Indian Financial Intelligence Unit's skepticism toward DeFi, reinforcing a regulatory posture that already leans cautious on cross-border decentralized protocols. That caution is reflected in India's registration of 10 offshore crypto exchanges under the Prevention of Money Laundering Act between 2023 and 2024.
In Africa, where users in Nigeria, Kenya, and South Africa increasingly rely on Aave for stablecoin lending and yield, the $8.45 billion Aave TVL drop and temporary market disruptions created concrete liquidity friction. The LayerZero bridge, often the most accessible and lowest-cost route into DeFi from mobile-first environments, is now a named vulnerability. Projects building on LayerZero-integrated infrastructure across African developer communities in Lagos and Nairobi face renewed scrutiny from local investors.
The exploit also surfaces a broader geopolitical concern documented by Chainalysis and U.S. Treasury analysts: DPRK laundering routes frequently pass through jurisdictions with lighter anti-money-laundering regimes, including several across South and Southeast Asia and sub-Saharan Africa, where enforcement of international sanctions remains ambiguous. For developer ecosystems in those regions, this creates compounded risk from both direct exposure through integrated protocols and indirect exposure through regulatory blowback on the broader DeFi category.
A Widening Pattern With Geopolitical Stakes
The KelpDAO heist did not occur in isolation. On April 1, 2026, the Drift Protocol lost $285 million in an attack also attributed to Lazarus Group, meaning the same North Korean unit has reportedly extracted more than $575 million from DeFi in 18 days through structurally different methods.
Lazarus Group is estimated to have stolen at least $6.75 billion in crypto since 2022, with analysts cautioning that the figure is a lower-bound estimate and that the actual total may be considerably higher.
In 2025 alone, DPRK-linked actors stole an estimated $2.02 billion, accounting for 60 to 76 percent of all global crypto service-level thefts, according to NBC News and Security Boulevard.
The U.S. Treasury sanctioned six DPRK-linked IT worker network facilitators on March 12, 2026, and UN and U.S. Treasury experts have consistently assessed that stolen crypto funds North Korea's nuclear and ballistic missile programs. The Treasury's March 2026 sanctions action noted that schemes in 2024 alone generated nearly $800 million for North Korea's weapons of mass destruction programs.
For developers building cross-chain applications on LayerZero's default settings, security analysts are unambiguous: the out-of-box configuration is not a security-hardened configuration, and any protocol still running a 1-of-1 DVN setup should treat this as an urgent remediation priority.