LayerZero Points to Lazarus Group After $292 Million rsETH Exploit Hits Kelp DAO

20-Apr-2026 Crypto News Flash
  • Kelp DAO lost 116,500 rsETH worth about $292 million on April 18, making it the biggest DeFi exploit of the year so far.
  • LayerZero said early indicators point to a highly sophisticated state actor, likely North Korea’s Lazarus Group, specifically the TraderTraitor cluster.

Kelp DAO has been hit by what is now the year’s largest DeFi exploit, and LayerZero says the early signs point to a familiar, and deeply uncomfortable, culprit.

On April 18, the LayerZero-powered cross-chain bridge tied to Kelp DAO lost 116,500 rsETH, worth roughly $292 million. In its latest statement, LayerZero said preliminary indicators suggest the attacker was a “highly sophisticated state actor,” likely North Korea’s Lazarus Group, and more specifically the TraderTraitor cluster.

LayerZero says the breach began with access to RPC node data

The company’s explanation centers on the bridge’s message verification layer. According to LayerZero, the attacker obtained access to the list of RPC nodes used by LayerZero Labs’ Decentralized Verifier Network, or DVN. Those nodes are operated by independent entities and are responsible for verifying cross-chain messages.

That matters because once an attacker gains insight into or leverage over the verification path, the whole premise of trusted cross-chain communication starts to weaken. In bridge exploits, that is usually where losses escalate fast. The smart contract itself may not be the only problem. The messaging layer becomes the target.

LayerZero has not yet laid out every operational detail, but the implication is clear enough. This was not a casual exploit or an opportunistic drain. It appears to have involved planning, infrastructure knowledge and the kind of tradecraft that security teams increasingly associate with state-backed operators.

Another major DeFi exploit revives bridge security fears

The Lazarus attribution, even if still preliminary, gives the incident broader weight. North Korean-linked groups have already been tied to some of the largest crypto thefts in the market’s history, and bridge infrastructure remains one of their preferred pressure points because it concentrates liquidity and trust assumptions in one place.

For DeFi, the Kelp DAO loss is another reminder that cross-chain systems still carry some of the sector’s highest technical and operational risks. Scale helps them grow quickly. It also means that when something fails, the damage is rarely contained.

This time, the number is $292 million, and the message from LayerZero is that the attacker may have been exactly the kind of adversary the industry fears most.
