LayerZero: Lazarus Group "likely" behind $292M KelpDAO bridge exploit
LayerZero said in a preliminary report that the weekend exploit of the KelpDAO cross-chain bridge, which resulted in losses of about $292 million, was "likely" carried out by North Korea's Lazarus Group, specifically its TraderTraitor unit. The assessment drew on analysis published Monday, including work by Paradigm researcher Samczsun.
Attackers drained 116,500 rsETH, a liquid staking token backed by staked ether, from the bridge on Saturday. The incident triggered a broad wave of withdrawals across platforms, with decentralized finance seeing more than $10 billion in loan-protocol funds exit Avail.
LayerZero said the operation showed hallmarks of a "highly sophisticated state actor" and pointed to Lazarus's TraderTraitor subgroup. Reports have described North Korea's cyber operations as overseen by the Reconnaissance General Bureau, which is said to manage teams including TraderTraitor, AppleJeus, APT38 and DangerousPassword. TraderTraitor is widely viewed as the most advanced North Korea-linked crypto-focused unit and has previously been tied to incidents involving the Axie Infinity Ronin Bridge and WazirX.
In its report, LayerZero said KelpDAO relied on a single validator to approve inbound and outbound bridge transfers, adding it had repeatedly urged the project to move to a multi-validator setup. LayerZero said it will no longer approve applications that continue to run a single-validator configuration.
Security observers described the architecture as a single point of failure. Shalev Kren, co-founder of cybersecurity firm Sodot, said a single compromised checkpoint is enough to enable illicit withdrawals, and that audits or reviews cannot resolve the underlying risk without "eliminating unilateral trust from the architecture itself." Haoze Qiu, head of the Grvt blockchain, said KelpDAO appeared to accept insufficient redundancy for assets of that scale and argued LayerZero "bears responsibility" because the breach involved infrastructure related to its validator stack, even if it was not framed as a core protocol vulnerability.
Blockchain security firm Cyvers said the attacker stole an additional $100 million in roughly three minutes before being quickly blacklisted. Cyvers CTO Mel Dolev said the attack began by deceiving a single communications channel: the attacker compromised two verification routes used to confirm whether withdrawals had occurred on Unichain, fed them false "yes" responses, then took other pathways offline so the validator was forced to rely on the compromised checks. Dolev likened the incident to a situation where "the vault is fine" and "the door lock mechanism is working normally," but the person authorizing access was quietly lied to.
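The failure mode Dolev describes, a verifier that falls back on whatever confirmation sources remain reachable, can be contrasted with a quorum that fails closed. The following is an added illustration and not code from LayerZero, KelpDAO or Cyvers; the route names, the five-source layout and the threshold are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Answer(Enum):
    YES = "yes"                  # source reports the withdrawal occurred on the source chain
    NO = "no"                    # source reports it did not
    UNAVAILABLE = "unavailable"  # source could not be reached


@dataclass
class Decision:
    approved: bool
    reason: str


def single_validator_fallback(responses: dict[str, Answer]) -> Decision:
    """Weak configuration modelled on the incident: one validator that trusts
    whichever sources are still reachable. If only lying sources remain, it approves."""
    reachable = {n: a for n, a in responses.items() if a is not Answer.UNAVAILABLE}
    if not reachable:
        return Decision(False, "no reachable sources")
    if all(a is Answer.YES for a in reachable.values()):
        return Decision(True, f"all {len(reachable)} reachable source(s) said yes")
    return Decision(False, "a reachable source disagreed")


def quorum_fail_closed(responses: dict[str, Answer], threshold: int) -> Decision:
    """Hardened configuration: require `threshold` independent YES answers.
    UNAVAILABLE never counts toward the quorum, so knocking sources offline
    cannot lower the bar; any explicit NO blocks the transfer outright."""
    if any(a is Answer.NO for a in responses.values()):
        return Decision(False, "explicit NO from at least one source")
    yes = [n for n, a in responses.items() if a is Answer.YES]
    if len(yes) < threshold:
        return Decision(False, f"only {len(yes)} of {threshold} required confirmations")
    return Decision(True, f"{len(yes)} confirmations met quorum of {threshold}")


# Constructed scenario mirroring the described attack: two routes compromised to
# answer YES for a withdrawal that never happened, the other routes taken offline.
ATTACK_RESPONSES = {
    "route_a": Answer.YES,          # compromised
    "route_b": Answer.YES,          # compromised
    "route_c": Answer.UNAVAILABLE,  # taken offline
    "route_d": Answer.UNAVAILABLE,
    "route_e": Answer.UNAVAILABLE,
}

if __name__ == "__main__":
    print(single_validator_fallback(ATTACK_RESPONSES))  # approves the fraudulent withdrawal
    print(quorum_fail_closed(ATTACK_RESPONSES, 3))      # rejects: only 2 of 3 confirmations
```

The threshold only helps if it exceeds the number of sources an attacker can plausibly compromise at once, which is the redundancy argument Kren and Qiu make above.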
LayerZero attributed the exploit to Lazarus, while Cyvers said it did not reach the same conclusion in its own analysis. Dolev said some patterns aligned with the Democratic People's Republic of Korea in complexity, scale and coordinated execution, but no associated wallets have been confirmed. He added the malicious node software was designed to delete itself after the exploit, removing binaries and logs to obscure traces in real time and after the fact.
Earlier this month, attackers drained about $285 million from Drift, a Solana-based perpetuals protocol, and subsequent reporting attributed that incident to North Korean agents. Dolev said the Drift exploit differed materially in preparation and execution, though both required extensive planning, expertise and resources.
Separately, reporting said investigators suspect stolen funds were routed to a specific Ethereum address. On-chain investigator ZachXBT identified the primary attack address, flagged it alongside four other attacker-linked addresses, and said the funding for those addresses came from coin mixers. According to ZachXBT, Tornado Cash is currently seeing heavy demand.