Lazarus-Linked KelpDAO Bridge Hack Drains $290M and Wipes $13B From DeFi
A $290 million exploit against KelpDAO’s LayerZero-based bridge has been linked to North Korea’s Lazarus Group, and the knock-on effect reportedly ripped more than $13 billion out of DeFi in just two days.
- $290 million drained from KelpDAO’s bridge in one hit
- LayerZero blames Lazarus Group, likely the TraderTraitor unit
- More than $13 billion erased from DeFi TVL in 48 hours
- Aave saw over $10 billion leave as users rushed for the exits
- The blame war is messy: LayerZero says KelpDAO misconfigured the setup; KelpDAO says it used LayerZero defaults
The exploit drained 116,500 rsETH, worth roughly $290 million, from KelpDAO’s cross-chain bridge. By current reporting, it stands as 2026’s largest DeFi exploit so far. For a sector that keeps promising trustless finance and global settlement rails, it’s a brutal reminder that bridges can still be the weakest, flakiest, most overhyped part of the stack.
KelpDAO sits in the restaking and liquid staking corner of DeFi, while LayerZero provides cross-chain messaging infrastructure — the plumbing that helps different blockchains talk to each other. In plain English: if the base layer is the road, bridges are the toll booths and traffic controllers. If those controls are garbage, the whole highway becomes a thief’s playground.
How the exploit reportedly worked
LayerZero said preliminary indicators point to “a highly sophisticated state actor, likely DPRK’s Lazarus Group,” specifically its TraderTraitor subunit. That name should ring a few alarm bells by now. North Korea-linked cyber crews have spent years turning crypto into a sanctions-busting cash machine, because digital assets can be stolen fast, moved faster, and laundered through enough chains to make compliance teams feel like they’re chasing smoke with a broom.
The attack path, according to the reporting on the KelpDAO hack, was ugly and deliberate. The attacker allegedly compromised two RPC nodes, flooded backup nodes with junk traffic, forced failover to poisoned endpoints, and then tricked the verifier into signing a fabricated transaction.
For non-technical readers:
- RPC nodes are the servers that help systems talk to blockchains.
- Failover means switching to backup systems when the main ones are overloaded or broken.
- A verifier is the part of the bridge that checks whether a cross-chain message or transaction should be accepted.
So the attacker didn’t just smash the front door. They allegedly jammed the backup cameras, nudged the system onto the wrong path, and then got it to approve a fake transaction as if everything was normal. That’s not “decentralized finance” in any meaningful sense. That’s a very expensive failure of operational discipline.
The malware reportedly used in the operation also self-destructed, wiping binaries and logs. That makes attribution harder and slows recovery work, which is exactly what a serious state-backed actor would want. The whole thing has the stink of a professional operation, not some basement-level script kiddie with a caffeine problem.
The fallout hit far beyond KelpDAO
The direct loss was huge, but the secondary damage was even more telling. Aave reportedly saw more than $10 billion in outflows as users scrambled to de-risk. Its total value locked fell from $45.8 billion to $35.7 billion. Across DeFi, more than $13 billion in total value locked reportedly vanished in 48 hours.
That matters because TVL, or total value locked, is one of DeFi’s favorite vanity metrics — but it still tracks real capital sitting inside protocols. When TVL drops hard, it usually means users are pulling funds, cutting exposure, or rotating into safer assets. In other words, confidence cracked, and the market immediately started behaving like confidence had cracked.
This is why bridge hacks are so toxic. The loss is not only the stolen funds. It’s the panic that follows. Once users start wondering which protocol is next, liquidity pulls out faster than a venture capitalist at a failed token launch.
Jefferies warned that hacks on this scale could “temporarily slow Wall Street’s appetite for tokenization projects.” That’s not exactly shocking. Institutions love the promise of tokenized assets, faster settlement, and 24/7 markets — but they also hate waking up to the possibility that a bridge, verifier, or “decentralized network” is really just one brittle default away from becoming a disaster zone.
LayerZero and KelpDAO are fighting over the blame
The most interesting part of this mess may be the blame game. LayerZero says KelpDAO ran a “1-of-1 decentralized verifier network” configuration, which it had repeatedly warned against. LayerZero has now said it will “no longer sign messages for any application using that setup.”
KelpDAO pushed back, saying its configuration followed “LayerZero’s own documented defaults.” It also argued that the compromised validator was part of LayerZero’s own infrastructure. That’s a pretty nasty accusation, and it highlights a familiar crypto problem: documentation, defaults, and real-world deployments often do not line up cleanly. When they don’t, the person holding the bag is usually the one who thought they were using the “standard” setup.
Independent researchers, including a Yearn Finance developer, reportedly found that LayerZero’s public deployment code ships with single-source verification defaults across major chains. If that holds up, it raises a bigger question than who gets the blame for this specific exploit: why are “default” deployments in critical financial infrastructure still this fragile?
LayerZero says there was “zero contagion” to applications using multi-verifier configurations, and it is now forcing a protocol-wide migration away from single-validator setups. That’s good. But let’s be honest: if your system only becomes meaningfully safe after you urgently move everyone off the default, the default was never fit for serious money in the first place.
LayerZero: “preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group.”
LayerZero: KelpDAO “had chosen to operate a 1-of-1 decentralized verifier network configuration, a single point of failure it had repeatedly warned against.”
KelpDAO: its configuration followed “LayerZero’s own documented defaults.”
LayerZero: it would “no longer sign messages for any application using that setup.”
LayerZero: it has confirmed “zero contagion to other applications running multi-verifier configurations.”
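A defender's model of the verifier quorum at the center of this dispute, added here as an illustration and not code from LayerZero or KelpDAO: it audits a receive-side config for the 1-of-1 single point of failure and checks whether one compromised verifier's attestation is enough to get a fabricated message accepted. The field names echo LayerZero V2's UlnConfig (requiredDVNs, optionalDVNs, optionalDVNThreshold) as an assumption about that struct; the verifier addresses are constructed placeholders.

```typescript
// Standalone model of a "decentralized verifier network" (DVN) quorum, written
// for this article; not LayerZero's or KelpDAO's code. Field names are assumed
// to mirror LayerZero V2's UlnConfig, but nothing here calls the protocol.
interface UlnConfigModel {
  requiredDVNs: string[];       // every one of these must attest to a message
  optionalDVNs: string[];       // at least optionalDVNThreshold of these must attest
  optionalDVNThreshold: number;
}

interface AuditFinding { severity: "critical" | "ok"; message: string }

// Audit: how many distinct verifiers must be honest for a forged message to be
// rejected? If the answer is one (or zero), the config is the "1-of-1" setup.
function auditConfig(cfg: UlnConfigModel): AuditFinding {
  const required = cfg.requiredDVNs.length;
  const optional = cfg.optionalDVNs.length;
  const threshold = cfg.optionalDVNThreshold;
  if (threshold > optional) {
    return { severity: "critical", message: "optional threshold exceeds optional DVN count: nothing can verify" };
  }
  // Minimum distinct attesters that satisfy the quorum: all required DVNs plus
  // the optional threshold (which only applies when optional DVNs exist).
  const minAttesters = required + (optional > 0 ? threshold : 0);
  if (minAttesters === 0) {
    return { severity: "critical", message: "no verifier required: any message is accepted" };
  }
  if (minAttesters === 1) {
    return { severity: "critical", message: "1-of-1 verifier: one compromised verifier can forge messages" };
  }
  return { severity: "ok", message: `${minAttesters} distinct verifiers must attest` };
}

// Receive-side check: is a message attested only by `attesting` verifiers accepted?
function messageVerified(cfg: UlnConfigModel, attesting: Set<string>): boolean {
  const requiredOk = cfg.requiredDVNs.every((d) => attesting.has(d));
  const optionalHits = cfg.optionalDVNs.filter((d) => attesting.has(d)).length;
  const optionalOk = cfg.optionalDVNs.length === 0 || optionalHits >= cfg.optionalDVNThreshold;
  return requiredOk && optionalOk;
}

// Constructed verifier identities (placeholders, not real DVN addresses).
const DVN_A = "0xdvnA-placeholder";
const DVN_B = "0xdvnB-placeholder";
const DVN_C = "0xdvnC-placeholder";
const singleVerifier: UlnConfigModel = { requiredDVNs: [DVN_A], optionalDVNs: [], optionalDVNThreshold: 0 };
const twoOfThree: UlnConfigModel = { requiredDVNs: [DVN_A], optionalDVNs: [DVN_B, DVN_C], optionalDVNThreshold: 1 };
// The article's scenario: only verifier A is compromised and attests to a fabricated message.
const compromisedOnlyA = new Set<string>([DVN_A]);
```

Under `singleVerifier` the compromised attestation alone passes; under `twoOfThree` the same fabricated message is rejected because a second, independent verifier must also attest.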
Why Lazarus keeps showing up in crypto crime
If the attribution proves correct, this fits a familiar and depressing pattern. North Korea-linked groups have repeatedly targeted crypto because it offers fast-moving, borderless value that can be monetized outside traditional banking rails. Stolen funds can be routed through bridges, converted into stablecoins, moved across chains like Arbitrum and Tron, and laundered through a maze of swaps and wallets before anyone can freeze anything meaningful.
According to reporting, the attacker has already started laundering funds through Arbitrum and through Tron-based stablecoins, including USDT on Tron. That’s standard thief behavior in 2026, which is exactly the problem. Crypto enables legitimate users to move capital quickly and privately, but the same tools become brutally efficient when infrastructure is weak and security assumptions are sloppy.
Tron keeps showing up in these laundering flows for one simple reason: it’s cheap, fast, and widely used for stablecoin movement. Not glamorous, not elegant, just practical for people trying to disappear money at scale. The dark side of “financial efficiency” is that criminals love efficiency too. Shocking, right?
What this means for DeFi security
This is not just a KelpDAO problem. It is a bridge security problem, a deployment problem, and a reminder that “decentralized” is often a branding term unless the underlying architecture actually removes single points of failure.
Cross-chain bridges have always been one of crypto’s weakest links because they concentrate large amounts of value behind complicated trust assumptions. When those assumptions are hidden inside defaults, docs, or poorly understood configuration choices, users are left trusting systems they don’t fully see. That’s fine when we’re talking about test networks and hobby money. It’s a disgrace when billions are at stake.
There’s also a broader institutional angle here. Wall Street is warming to tokenization and onchain settlement because the upside is obvious: faster issuance, better liquidity, lower friction, and 24/7 infrastructure. But every giant exploit gives the skeptics fresh ammunition. And frankly, they’re not wrong to ask whether some of this infrastructure is mature enough for serious balance sheets yet.
The uncomfortable truth is that crypto keeps trying to scale trust minimization through systems that still rely on opaque assumptions, brittle defaults, and a lot of “we thought the other guy handled that.” That’s not a bug you can shrug off forever. It’s the bill coming due.
What happens next
LayerZero says it is working with KelpDAO, the Security Alliance, and law enforcement to trace the stolen funds. That’s the right move, though recovery in cases like this is never clean. Once stolen assets start hopping across chains and into stablecoins, the trail gets noisy fast and the thieves know exactly how much time they have before the walls start closing in.
There’s also the practical question of whether users will trust bridge-heavy protocols the same way again. Probably not, at least not in the short term. One major exploit can send liquidity running, and this one did more than that — it reminded everyone that a lot of “decentralized” infrastructure still depends on implementation details that few users ever read and even fewer fully understand.
The lesson is blunt: bridge design matters, defaults matter, and operational security matters even more. If a protocol is serious about being infrastructure, it needs to behave like infrastructure, not like a demo with billions in collateral and a prayer for a config file.
Key questions and takeaways
What happened?
KelpDAO’s LayerZero-based bridge was exploited, and about 116,500 rsETH worth roughly $290 million was drained.
Who is being blamed?
LayerZero says preliminary indicators point to North Korea’s Lazarus Group, likely the TraderTraitor subunit.
How was the exploit carried out?
The attacker allegedly compromised RPC nodes, manipulated failover behavior, and tricked a verifier into signing a fabricated transaction.
How bad was the market impact?
More than $13 billion reportedly left DeFi total value locked in 48 hours, including over $10 billion in Aave outflows.
Who is responsible for the vulnerability?
That remains disputed. LayerZero says KelpDAO used a dangerous 1-of-1 setup, while KelpDAO says it followed LayerZero’s documented defaults.
Why does this matter for DeFi security?
Because it shows how fragile cross-chain bridge infrastructure can still be when defaults, verifier setup, and operational security are weak.
Does this threaten institutional tokenization efforts?
Potentially, yes. Jefferies warned that hacks of this scale could temporarily slow Wall Street’s appetite for tokenization projects.
Can the stolen funds be recovered?
Recovery is difficult, especially when attackers use cross-chain laundering routes and stablecoins to obscure the trail.
DeFi was supposed to replace trust in institutions with trust in code. That only works if the code, the defaults, and the people deploying it are actually worth trusting. Otherwise, all you’ve built is a faster way to lose money.