LayerZero Publishes KelpDAO Exploit Report, Links $292M Theft to North Korea's TraderTraitor

LayerZero Labs has released a new incident report on the compromise of the KelpDAO rsETH cross-chain bridge built on LayerZero's messaging protocol. The firm said the exploit occurred on April 18, 2026, resulting in the theft of about 116,500 rsETH, valued at roughly $292 million. According to the report, multiple security companies including Mandiant and CrowdStrike, as well as independent researchers, attribute the incident to the North Korea-linked hacking group TraderTraitor (UNC4899).

LayerZero said the intrusion traces back to March 6, 2026, when attackers used social engineering to compromise a LayerZero developer account, obtain session keys, and gain access to the RPC cloud environment. They then tampered with internal RPC node data and manipulated responses to mislead monitoring systems and the Decentralized Verification Network (DVN). After that, the attackers launched a denial-of-service attack against external RPC providers, forcing verification to rely on the compromised nodes. This allowed forged cross-chain proofs to be produced and funds to be withdrawn.

LayerZero identified the key weakness as affected applications using a "single-verifier" configuration, under which the target contract would release assets upon receiving only one valid signature. In response, LayerZero Labs said it is updating its security posture, including no longer allowing its own DVN to be the sole signing party in single-verification setups, rebuilding the impacted cloud infrastructure, and rolling out short-term credentials, just-in-time privilege escalation, and multi-party approval controls.

The company added that zeroShadow and law enforcement are involved in investigating the incident and tracking assets, and said it will continue working with ecosystem partners to harden cross-chain defenses against increasingly sophisticated state-level threats.
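The fallback the report describes, where verification ends up relying only on nodes run by one party once the external RPC providers are unreachable, is the case a fail-closed read quorum is meant to stop. The following is an added example, not LayerZero's code: the `decide` function, operator names and hash values are hypothetical, and it assumes each independent RPC operator gets one vote.

```python
from collections import defaultdict

def decide(responses, min_operators=2):
    """Fail-closed read quorum for a verifier (hypothetical helper).

    responses: (operator, value) pairs; value is None when the endpoint was
    unreachable. Each independent operator gets one vote, however many nodes
    it runs. Returns ("attest", value, dissenters) or ("halt", reason, []).
    """
    seen = defaultdict(set)
    for operator, value in responses:
        if value is not None:
            seen[operator].add(value)

    votes = defaultdict(set)
    for operator, values in seen.items():
        if len(values) == 1:  # an operator whose own nodes disagree gets no vote
            votes[next(iter(values))].add(operator)

    winners = [v for v, ops in votes.items() if len(ops) >= min_operators]
    if len(winners) != 1:
        reason = (f"{len(seen)} operator(s) reachable, no value has "
                  f"{min_operators} independent confirmations")
        return ("halt", reason, [])
    dissenters = sorted(op for v, ops in votes.items()
                        if v != winners[0] for op in ops)
    return ("attest", winners[0], dissenters)

# Constructed sample data: operator names and hashes are placeholders.
NORMAL = [("internal", "0xaaa"), ("internal", "0xaaa"),
          ("provider-a", "0xaaa"), ("provider-b", "0xaaa")]
# External providers unreachable, internal nodes agree with each other.
DEGRADED = [("internal", "0xbad"), ("internal", "0xbad"),
            ("provider-a", None), ("provider-b", None)]
# Internal nodes disagree with two independent providers.
SPLIT = [("internal", "0xbad"), ("provider-a", "0xaaa"), ("provider-b", "0xaaa")]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("degraded", DEGRADED), ("split", SPLIT)):
        print(name, decide(sample))
```

In the degraded case two agreeing responses still count as one operator, so the verifier halts instead of signing; in the split case the dissenting operator is returned so monitoring can alert on it.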