KelpDAO theft puts cross-chain security on trial

North Korean hackers are being blamed for one of the year’s biggest crypto thefts after attackers drained about $290 million from KelpDAO’s rsETH bridge on April 18, intensifying scrutiny of how decentralised finance projects secure assets moving across blockchains. Early technical findings point to the Lazarus Group, particularly the TraderTraitor cluster, while exposing a widening argument over whether the failure lay in application-level security choices, infrastructure dependencies, or both.

The attack centred on KelpDAO’s cross-chain bridge, which was used to move rsETH, a liquid restaking token, between networks. Attackers siphoned off roughly 116,500 rsETH, valued at around $290 million to $292 million depending on market pricing at the time, after manipulating the system that verified cross-chain messages. The theft quickly rippled across decentralised finance markets because rsETH was widely used as collateral and as a yield-bearing asset across multiple protocols and chains.

LayerZero, whose interoperability protocol underpinned the bridge, said its core protocol, key management and verifier network were not directly broken. Instead, it said the attackers poisoned a quorum of the remote procedure call (RPC) infrastructure relied upon by the LayerZero Labs decentralised verifier network, so that fraudulent messages appeared valid to everything downstream. That distinction matters because LayerZero’s architecture is designed so that applications choose their own security settings rather than inherit a single default model.

KelpDAO has pushed back against the suggestion that the problem was mainly its own configuration. The project argues that the practical effect of the setup left the bridge exposed to a single-verifier style dependency and that defaults and implementation assumptions within the broader stack contributed to the loss. That dispute is likely to shape the next phase of the fallout, because the industry is no longer debating only who stole the funds but also who bears responsibility for the conditions that made the theft possible.

At the centre of the technical debate is LayerZero’s decentralised verifier network model. Under that framework, independent verifiers are meant to validate the authenticity and integrity of messages sent across chains. The promise is modular security: projects can select multiple verifiers, define thresholds and build redundancy suited to the value they are protecting. The danger, as the KelpDAO case appears to show, is that flexibility can also leave projects with fragile configurations if resilience is not built deeply enough into the chosen stack and the surrounding infrastructure.
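To make the configuration argument concrete, the following toy model is an added illustration and is not LayerZero’s, KelpDAO’s or any real verifier’s code. It assumes a simplified design in which each verifier attests to a cross-chain message only when a quorum of its own RPC endpoints confirms the message exists on the source chain, and the application then accepts the message once a chosen threshold of verifiers has attested. The names (RpcSource, Verifier, verify_message, run_scenario) and the message data are constructed for the example. It shows why a single verifier whose RPC endpoints are poisoned becomes a single point of failure, while independent verifiers on independent infrastructure, combined with a 2-of-3 threshold, outvote the same poisoning.

```python
# Toy model of a cross-chain message verifier quorum. Added example; the classes,
# function names and scenario data are all constructed and do not reflect any real
# protocol's message format or verifier semantics.
from dataclasses import dataclass, field
import hashlib


def message_id(src_chain: str, nonce: int, payload: str) -> str:
    """Identifier for one cross-chain message (constructed format)."""
    return hashlib.sha256(f"{src_chain}:{nonce}:{payload}".encode()).hexdigest()


@dataclass
class RpcSource:
    """One source-chain RPC endpoint as seen by a verifier.
    `view` maps message id -> True when the endpoint reports the message as emitted."""
    name: str
    view: dict = field(default_factory=dict)

    def confirms(self, mid: str) -> bool:
        return self.view.get(mid, False)


@dataclass
class Verifier:
    """A verifier consults several RPC endpoints and attests only if at least
    `rpc_quorum` of them confirm the message. If an attacker controls that many
    endpoints, the verifier will attest to a message that never happened."""
    name: str
    rpcs: list
    rpc_quorum: int

    def attests(self, mid: str) -> bool:
        confirmations = sum(1 for r in self.rpcs if r.confirms(mid))
        return confirmations >= self.rpc_quorum


def verify_message(mid: str, verifiers: list, threshold: int) -> bool:
    """Application-side security setting: accept when `threshold` verifiers attest."""
    attestations = sum(1 for v in verifiers if v.attests(mid))
    return attestations >= threshold


# Constructed scenario: one genuine message and one forged message that no honest
# endpoint has ever observed on the source chain.
HONEST = message_id("chain-a", 1, "transfer 100 units")
FORGED = message_id("chain-a", 2, "transfer 116500 units")


def honest_rpc(name: str) -> RpcSource:
    return RpcSource(name, {HONEST: True})


def poisoned_rpc(name: str) -> RpcSource:
    # A poisoned endpoint additionally reports the forged message as genuine.
    return RpcSource(name, {HONEST: True, FORGED: True})


def run_scenario(verifiers: list, threshold: int) -> dict:
    """Return whether the honest and the forged message would each be accepted."""
    return {
        "honest": verify_message(HONEST, verifiers, threshold),
        "forged": verify_message(FORGED, verifiers, threshold),
    }


def single_verifier_setup() -> dict:
    """One verifier, 1-of-1, whose RPC quorum (2 of 3 endpoints) is poisoned.
    The forged message is accepted: the RPC layer is the single point of failure."""
    v = Verifier("dvn-1",
                 [poisoned_rpc("rpc-1"), poisoned_rpc("rpc-2"), honest_rpc("rpc-3")],
                 rpc_quorum=2)
    return run_scenario([v], threshold=1)


def multi_verifier_setup() -> dict:
    """Three verifiers on independent RPC infrastructure, 2-of-3 required.
    The same poisoning of one verifier's endpoints is outvoted by the other two."""
    v1 = Verifier("dvn-1",
                  [poisoned_rpc("rpc-1"), poisoned_rpc("rpc-2"), honest_rpc("rpc-3")],
                  rpc_quorum=2)
    v2 = Verifier("dvn-2",
                  [honest_rpc("rpc-4"), honest_rpc("rpc-5"), honest_rpc("rpc-6")],
                  rpc_quorum=2)
    v3 = Verifier("dvn-3",
                  [honest_rpc("rpc-7"), honest_rpc("rpc-8"), honest_rpc("rpc-9")],
                  rpc_quorum=2)
    return run_scenario([v1, v2, v3], threshold=2)


if __name__ == "__main__":
    print("single verifier:", single_verifier_setup())   # forged message accepted
    print("2-of-3 verifiers:", multi_verifier_setup())   # forged message rejected
```

The point the model makes is that a verifier threshold only buys resilience if the verifiers do not share the infrastructure an attacker can poison; three verifiers reading the same compromised endpoints would fail exactly as the single one does. A defender reviewing a bridge configuration should therefore check both the application’s verifier threshold and whether each verifier’s view of the source chain is independently sourced.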

Market damage spread well beyond the initial theft. The exploit stranded wrapped ether across about 20 chains and triggered a rush to reassess exposures tied to rsETH. Major lending and liquidity venues faced pressure as traders pulled funds, repriced collateral and cut risk. Estimates circulating in the market suggested large potential losses for platforms with heavy rsETH exposure, while the wider sell-off revived long-running fears that cross-chain bridges remain one of decentralised finance’s weakest points.

The Lazarus attribution, while still framed as preliminary by some participants, fits a well-established pattern. North Korea-linked operators have repeatedly been tied to some of the largest digital asset thefts on record, including the Ronin bridge attack in 2022 and the $1.5 billion Bybit hack disclosed in February 2025. The FBI identified North Korea as responsible for the Bybit theft and described the activity as TraderTraitor, the same label now invoked in connection with the KelpDAO case.

The broader numbers underline why the industry is treating the KelpDAO breach as more than a one-off exploit. North Korean hackers stole at least $2.02 billion in cryptocurrency during 2025, according to blockchain-tracing research, while total crypto theft across the industry exceeded $3.4 billion that year. Security researchers have also warned that the regime’s methods are becoming more sophisticated, blending technical compromise, deception, infrastructure abuse and social engineering to attack the places where trust is concentrated.