A cyberattack that drained nearly $290 million from Kelp DAO has been linked by security researchers to North Korea’s Lazarus Group, according to preliminary analyses released after the incident.
The exploit took place on April 18, 2026, targeting a cross-chain bridge used by Kelp DAO, a decentralised finance protocol that allows users to earn yield on digital assets. Attackers withdrew approximately 116,500 rsETH tokens, valued at close to $292 million at the time.
LayerZero, the infrastructure provider supporting the bridge, stated that the attack was “likely” carried out by the Lazarus Group, a state-linked hacking organisation associated with North Korea. The attribution was based on observed technical patterns and operational methods, although some analysts noted that full confirmation remains under investigation.
The Lazarus Group has been previously linked by authorities to multiple cyber operations targeting financial systems and cryptocurrency platforms. It is widely described by security agencies as a state-sponsored group operating under North Korea’s intelligence structures.
According to technical analyses, the attackers exploited a weakness in the bridge’s verification setup. The system relied on a single validator to confirm transactions, allowing the attackers to manipulate the verification process and authorise fraudulent withdrawals.
Further investigation indicated that the attackers forged cross-chain messages to simulate legitimate transfers. In some cases, they disrupted parts of the verification infrastructure to force the system to rely on compromised components.
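The difference between a single-validator setup and a quorum that stays fixed during an outage can be shown in a short sketch. This is an added example, not code from Kelp DAO, LayerZero or the analyses cited; the validator names, keys, message and function names are hypothetical, and HMAC stands in for the validators' real signatures.

```python
import hashlib
import hmac

# Constructed validator keys; HMAC stands in for real validator signatures.
VALIDATOR_KEYS = {"val-a": b"key-a", "val-b": b"key-b", "val-c": b"key-c"}


def attest(validator_id, key, message):
    """Produce one validator's attestation over a cross-chain message."""
    return validator_id, hmac.new(key, message, hashlib.sha256).digest()


def verify_message(message, attestations, threshold, keys=VALIDATOR_KEYS):
    """Accept only if `threshold` distinct known validators attested validly.

    The threshold is fixed configuration: it is never lowered when validators
    are unreachable, so an outage delays delivery instead of weakening checks.
    """
    if not 1 <= threshold <= len(keys):
        raise ValueError("threshold must be between 1 and the validator count")
    valid = set()
    for validator_id, tag in attestations:
        key = keys.get(validator_id)
        if key is None:
            continue  # attestation from an unknown signer is ignored
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            valid.add(validator_id)  # a set, so repeats from one validator count once
    return len(valid) >= threshold


def audit_config(threshold, validator_count):
    """Flag setups where one validator alone can authorise a message."""
    findings = []
    if validator_count < 2:
        findings.append("single validator: no independent confirmation")
    if threshold < 2:
        findings.append("threshold below 2: one compromised key authorises withdrawals")
    return findings


# Constructed scenario: val-a's key is compromised and attests a forged message
# three times, while val-b and val-c are unreachable and submit nothing.
FORGED = b"constructed-message: release 1000 tokens to 0xEXAMPLE"
forged_attestations = [attest("val-a", VALIDATOR_KEYS["val-a"], FORGED)] * 3

if __name__ == "__main__":
    print("threshold 1 accepts forged:", verify_message(FORGED, forged_attestations, 1))
    print("threshold 2 accepts forged:", verify_message(FORGED, forged_attestations, 2))
    print("audit of 1-of-1 setup:", audit_config(1, 1))
```

With a threshold of 1 the forged message is accepted on the strength of one key; with a threshold of 2 it is rejected even though the other validators are offline, because the quorum is not relaxed to keep the bridge running.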
Security firms reported that the attackers nearly executed a second withdrawal of additional funds, but the attempt was blocked after the protocol paused affected contracts. Estimates suggest that up to $100 million more could have been at risk if mitigation measures had not been implemented quickly.
Kelp DAO stated that the breach was linked to infrastructure associated with LayerZero rather than a compromise of its own core systems. The incident has led to a dispute between the two parties regarding responsibility, with both pointing to configuration and design factors in the bridge setup.
The attack has been described in reporting as the largest decentralised finance exploit of 2026 by value. Analysts have noted that cross-chain bridges remain a frequent target due to their role in transferring large volumes of assets between blockchain networks.
Investigations into the movement of stolen funds and confirmation of attribution are ongoing. No official statement has been released identifying individual actors involved in the breach.
