North Korean hackers suspected in $290M DeFi heist targeting KelpDAO

A massive cryptocurrency heist that drained roughly $290 million from the decentralized finance project KelpDAO on Saturday is likely the work of state-sponsored North Korean hackers, reports suggest.

KelpDAO, a DeFi platform focused on liquid restaking on the Ethereum network, said it detected “suspicious cross-chain activity” involving its rsETH token on April 18. The project quickly paused affected smart contracts across Ethereum and layer-2 networks while launching an investigation alongside interoperability protocol LayerZero and other partners.

“The subject of this highly-sophisticated attack was the poisoning of the downstream RPC infrastructure used by the LayerZero Labs DVN. All affected RPC nodes have been deprecated and replaced, and the LayerZero Labs DVN is now live,” the post-mortem report said.

Blockchain data indicates that approximately 116,500 rsETH tokens (valued at nearly $293 million) were stolen and funneled through the crypto-mixing service Tornado Cash to hide their origin.

The breach also affected major lending protocols, including Compound, Euler, and Aave. Aave halted activity related to rsETH, blocking new deposits and borrowing tied to the asset.

According to LayerZero, the attackers went after the system’s cross-chain verification layer, known as the Decentralized Verifier Network (DVN), not by breaking the verifier itself but by poisoning the RPC infrastructure it read chain state from. They compromised some of the RPC nodes the DVN relied on, fed them fabricated blockchain data, and overwhelmed the legitimate nodes with distributed denial-of-service attacks, so that the verifier’s reads were answered by the poisoned nodes. This tricked the system into validating fraudulent cross-chain messages and led to unauthorized transfers of rsETH based on transactions that never actually occurred on-chain.
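The failure mode described above, a verifier that trusts whichever RPC endpoint answers, is easiest to see in code. The following is an added, constructed illustration and is not LayerZero’s DVN, KelpDAO’s or LayerZero’s code; the endpoint models, the `Receipt` shape and the two verifier functions are assumptions made for the example. It models the attack (honest nodes DoSed, one poisoned node serving a receipt for a transaction that never happened) against a fail-over verifier and against a quorum verifier that treats unavailable endpoints as non-agreement and fails closed.

```python
"""
Toy model of a cross-chain verifier that decides whether a message really
happened on the source chain by fetching the transaction receipt from RPC
nodes.  Constructed illustration only: endpoint models, receipt format and
verifier logic are assumptions, not LayerZero's DVN or KelpDAO's code.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Receipt:
    """What a verifier fetches for a tx; frozen so identical answers hash equal."""
    tx_hash: str
    block_hash: str
    payload_hash: str  # hash of the cross-chain message the receipt attests to


class RpcUnavailable(Exception):
    """Raised when an endpoint times out, e.g. because it is being DoSed."""


# An RPC endpoint is modelled as: tx_hash -> Receipt (or None if unknown).
RpcEndpoint = Callable[[str], Optional[Receipt]]


def honest_node(chain: dict) -> RpcEndpoint:
    """Endpoint that answers from the real chain state."""
    return lambda tx: chain.get(tx)


def dosed_node() -> RpcEndpoint:
    """Honest endpoint that has been knocked offline by a DDoS."""
    def fetch(tx: str) -> Optional[Receipt]:
        raise RpcUnavailable("timeout")
    return fetch


def poisoned_node(fake_chain: dict) -> RpcEndpoint:
    """Attacker-controlled endpoint serving receipts for txs that never happened."""
    return lambda tx: fake_chain.get(tx)


def verify_first_available(tx: str, endpoints: list, expected_payload: str) -> bool:
    """Vulnerable pattern: fail over past dead endpoints and trust the first answer."""
    for ep in endpoints:
        try:
            receipt = ep(tx)
        except RpcUnavailable:
            continue  # availability-driven fail-over hands control to whoever is up
        return receipt is not None and receipt.payload_hash == expected_payload
    return False


def verify_quorum(tx: str, endpoints: list, expected_payload: str, threshold: int) -> bool:
    """Hardened pattern: require `threshold` independent endpoints to return
    byte-identical receipts.  An unavailable endpoint is a missing vote, never
    a reason to lean harder on the endpoints that are still answering."""
    answers = []
    for ep in endpoints:
        try:
            answers.append(ep(tx))
        except RpcUnavailable:
            answers.append(None)
    votes = Counter(a for a in answers if a is not None)
    if not votes:
        return False  # fail closed: no data is not the same as a verified message
    receipt, count = votes.most_common(1)[0]
    return count >= threshold and receipt.payload_hash == expected_payload


def attack_scenario():
    """Constructed data: one real tx, one fabricated tx, two DoSed honest nodes
    and one poisoned node, mirroring the poisoned-RPC setup described above."""
    real_chain = {"0xaaa": Receipt("0xaaa", "0xblock1", "0xpay1")}
    fake_chain = {"0xfff": Receipt("0xfff", "0xblock9", "0xevil")}
    under_attack = [dosed_node(), dosed_node(), poisoned_node(fake_chain)]
    healthy = [honest_node(real_chain), honest_node(real_chain), poisoned_node(fake_chain)]
    return under_attack, healthy


if __name__ == "__main__":
    under_attack, healthy = attack_scenario()
    print("fail-over verifier accepts fake tx:", verify_first_available("0xfff", under_attack, "0xevil"))
    print("quorum verifier accepts fake tx:   ", verify_quorum("0xfff", under_attack, "0xevil", threshold=2))
    print("quorum verifier accepts real tx:   ", verify_quorum("0xaaa", healthy, "0xpay1", threshold=2))
```

With the honest nodes timed out, the fail-over verifier asks the poisoned node and accepts a receipt for `0xfff`, a transaction that exists nowhere on the real chain. The quorum verifier sees one vote where it needs two and refuses. Note what quorum does not buy you: if the attacker can poison or silence enough providers, the honest answer is simply to stop validating until the RPC set is trustworthy again, which is the effect of the contract pause described above.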

“Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor,” LayerZero said.

The Lazarus Group has been linked to several high-profile crypto thefts in recent years. Previously, the group was linked to a separate $280 million attack on the Drift Protocol, which investigators later described as a meticulously planned operation involving months of preparation and insider-style infiltration tactics.
