LayerZero Details KelpDAO Exploit, Tightens DVN and Cloud Security Controls

LayerZero Labs published a post-incident report on the KelpDAO exploit, confirming that KelpDAO's rsETH cross-chain bridge built on LayerZero's messaging protocol was compromised. The attacker made off with about 116,500 rsETH, valued at roughly $292 million. According to the report, multiple security firms, including Mandiant and CrowdStrike, along with independent researchers have linked the incident to TraderTraitor (UNC4899), a North Korea–associated threat group.

LayerZero said the intrusion began on March 6, 2026. The attackers used social engineering to compromise a LayerZero developer account, obtained session keys, and accessed the RPC cloud environment. They then tampered with internal RPC node data and manipulated RPC responses, misleading both monitoring systems and the Decentralized Verification Network (DVN).

In response, LayerZero said it will update security policies and architecture. Measures include ending configurations where LayerZero's own DVN can serve as the only signing party under a single-verification setup, rebuilding the affected cloud infrastructure, and rolling out short-lived credentials, just-in-time privilege escalation, and multi-party approval controls.
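The single-verification setups that LayerZero says it will end can be found by auditing each pathway's DVN set. The Python example below is added here and is not LayerZero's or KelpDAO's code; the config shape (required DVNs, optional DVNs, optional threshold), the field names, and every DVN and pathway label are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed label standing in for the protocol operator's own DVN (not a real address).
OPERATOR_DVN = "operator-dvn"


@dataclass(frozen=True)
class PathwayConfig:
    """Assumed shape of one pathway's verifier configuration."""
    name: str
    required_dvns: tuple = ()   # every one of these must sign
    optional_dvns: tuple = ()   # pool from which `optional_threshold` must sign
    optional_threshold: int = 0


def min_signers(cfg):
    """Smallest number of distinct DVNs whose signatures verify a message."""
    return len(set(cfg.required_dvns)) + cfg.optional_threshold


def sole_signers(cfg):
    """DVNs able to verify a message with no second party (empty if none)."""
    if min_signers(cfg) != 1:
        return set()
    return set(cfg.required_dvns or cfg.optional_dvns)


def audit(configs, operator_dvn=OPERATOR_DVN):
    """Return (pathway, finding) pairs for configs that rest on one verifier."""
    findings = []
    for cfg in configs:
        if cfg.optional_threshold > len(set(cfg.optional_dvns)):
            findings.append((cfg.name, "invalid: threshold exceeds optional set"))
        elif min_signers(cfg) == 0:
            findings.append((cfg.name, "invalid: no verifier required"))
        elif operator_dvn in sole_signers(cfg):
            findings.append((cfg.name, "operator DVN can be the only signer"))
        elif min_signers(cfg) == 1:
            findings.append((cfg.name, "single third-party DVN is the only signer"))
    return findings


# Constructed sample configurations, not taken from any real deployment.
SAMPLE = [
    PathwayConfig("path-a", required_dvns=(OPERATOR_DVN,)),
    PathwayConfig("path-b", optional_dvns=(OPERATOR_DVN, "dvn-x"), optional_threshold=1),
    PathwayConfig("path-c", required_dvns=(OPERATOR_DVN, "dvn-x")),
    PathwayConfig("path-d", required_dvns=("dvn-x",)),
    PathwayConfig("path-e", required_dvns=(OPERATOR_DVN,), optional_dvns=("dvn-x", "dvn-y"), optional_threshold=1),
]
```

`path-b` is the case that a check on the required set alone misses: no DVN is required, but a 1-of-2 optional threshold still lets the operator's DVN verify a message by itself.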