The KelpDAO cross-chain bridge was drained of 292 million dollars over a weekend. A surgically precise attack, attributed by LayerZero to the notorious North Korean Lazarus group. However, behind this spectacular hack lies a design flaw that no one wanted to fix.

In brief
- Hackers stole about $292 million from KelpDAO’s cross-chain bridge on Saturday, April 19, 2025.
- LayerZero, which powered the bridge, attributes the attack to the North Korean Lazarus group, specifically its TraderTraitor sub-unit.
- The bridge itself was not compromised: it was the verification channel, relying on a single checkpoint, that was manipulated.
A meticulously crafted attack bearing the Lazarus signature
Last Saturday, attackers withdrew 116,500 rsETH, a liquid restaking token backed by staked ether, from KelpDAO’s cross-chain bridge.
The stolen amount approaches 292 million dollars. By Monday, LayerZero issued a preliminary analysis naming the North Korean Lazarus group, specifically its TraderTraitor sub-unit, as “likely” responsible.
TraderTraitor is not unknown. The crypto community recognizes this group as the most sophisticated North Korean actor targeting cryptocurrencies. Its track record speaks for itself: it notably compromised the Axie Infinity Ronin bridge and the Indian exchange WazirX.
The General Reconnaissance Bureau of North Korea oversees all these cyber operations and hosts several specialized units, including APT38 and DangerousPassword.
The technique used here was formidably elegant. The hackers did not break the bridge. They fooled its guardian. Concretely, they intercepted two of the lines used by the bridge verifier to confirm withdrawals on Unichain, provided a false approval signal, then disabled the other lines, forcing the system to rely solely on the corrupted data.
“The vault was intact. The guardian was honest. The door mechanism worked correctly,” sums up Meir Dolev, CTO of Cyvers. “The lie was whispered directly to the person whose word opened the door.”
A known architectural flaw ignored
This hack primarily reveals a glaring design error. KelpDAO used only one verifier to approve incoming and outgoing transfers on its bridge. LayerZero claims to have “repeatedly urged” the protocol to adopt multiple verifiers. To no avail.
Shalev Keren, co-founder of the security company Sodot, is direct: “It was a single point of failure, no matter how marketing presents it.” One compromised checkpoint was enough to drain the bridge. No audit could have closed this gap without questioning the architecture itself.
Haoze Qiu, blockchain lead at Grvt, goes further and points to shared responsibility: “KelpDAO seems to have accepted a security setup with insufficient redundancy for an asset of this scale,” and LayerZero “also bears some responsibility,” since the attack involved infrastructure related to its validator stack.
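The failure mode described above, a single verifier that kept trusting whichever data lines still answered, can be contrasted with a fail-closed quorum in a short simulation. This is an added example, not KelpDAO or LayerZero code; the function names, the five-source count and the 4-of-5 and 2-of-3 thresholds are assumptions chosen for illustration.

```python
# Added illustration; every name and count is hypothetical, not KelpDAO or LayerZero code.

def naive_confirm(responses):
    """Fail-open: trust whichever data sources still answer."""
    live = [r for r in responses.values() if r is not None]
    return bool(live) and all(live)

def quorum_confirm(responses, min_live, min_agree):
    """Fail-closed: require enough reachable sources and enough agreement."""
    live = [r for r in responses.values() if r is not None]
    if len(live) < min_live:
        return False  # sources went dark: refuse instead of trusting the remainder
    return sum(1 for r in live if r) >= min_agree

def bridge_release(attestations, required):
    """Release funds only when `required` independent verifiers approve."""
    return sum(1 for ok in attestations.values() if ok) >= required

# Constructed scenario: a withdrawal that never happened on the source chain.
# Two sources are corrupted (True), the other three are knocked offline (None).
ATTACK = {"src1": True, "src2": True, "src3": None, "src4": None, "src5": None}
# Same forged withdrawal when the honest sources stay reachable and deny it.
CONTESTED = {"src1": True, "src2": True, "src3": False, "src4": False, "src5": False}
# A genuine withdrawal seen by every source.
GENUINE = dict.fromkeys(ATTACK, True)

def simulate():
    fooled = naive_confirm(ATTACK)  # the single verifier is deceived
    return {
        "naive_verifier_fooled": fooled,
        "quorum_verifier_fooled": quorum_confirm(ATTACK, min_live=4, min_agree=4),
        "quorum_contested": quorum_confirm(CONTESTED, min_live=4, min_agree=4),
        "quorum_genuine": quorum_confirm(GENUINE, min_live=4, min_agree=4),
        # 1-of-1: the deceived verifier alone opens the bridge.
        "release_1_of_1": bridge_release({"v1": fooled}, required=1),
        # 2-of-3: two other verifiers, assumed independent and not deceived, block it.
        "release_2_of_3": bridge_release(
            {"v1": fooled, "v2": False, "v3": False}, required=2),
    }

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The 2-of-3 result only holds if the extra verifiers do not share the data sources or infrastructure of the first one; otherwise the same corruption deceives all of them at once.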
The consequences were immediate. Massive rsETH withdrawals forced the Aave protocol to freeze its markets linked to this token, causing a liquidity shortage that removed over 10 billion dollars from the protocol.
The hackers also nearly stole an additional 100 million in three minutes before being stopped by an emergency blacklist. Finally, the malware used automatically erased itself after the operation, deleting files and logs.
This hack is part of a grim streak: in February 2025, Lazarus stole 1.4 billion dollars from Bybit, the largest crypto hack in history. Earlier this month, 285 million dollars disappeared from the Drift protocol on Solana. DeFi remains a prime target for Pyongyang, and as long as cross-chain bridge security does not become a top priority, these attacks will continue to wreak havoc.
