North Korea's Lazarus Group… RPC Node Hacking
Off-chain Attack, Not a Contract Fault
Arbitrum Takes Action to Freeze About 30,000 ETH
Limits of a Single Verification Network, Cross-chain Emergency
On April 18, the Lazarus Group, a North Korean state-linked hacking organization, attacked the LayerZero bridge of the DeFi protocol Kelp DAO and stole 116,500 rsETH, worth $292 million in virtual assets. It was the largest hack in the DeFi sector this year, and about 18% of the circulating rsETH supply was drained at once.
The incident was not a traditional smart contract hack but a new method aimed at the cross-chain bridge's "off-chain infrastructure," and it has shaken the virtual asset DeFi ecosystem.
According to blockchain data analysis company Chainalysis on the 23rd (local time), the hackers attacked Kelp DAO's LayerZero bridge adapter on the 18th and stole a large amount of funds. What stands out is that the hack did not target commonly known smart contract vulnerabilities such as reentrancy bugs or price oracle manipulation.
According to Chainalysis, the hackers persistently dug into a single point of failure in the off-chain verification infrastructure that LayerZero Labs operated for Kelp DAO.
At the time, Kelp DAO's rsETH was configured so that cross-chain messages needed to pass through only a single LayerZero Labs Decentralized Verifier Network (DVN).
The attackers targeted the remote procedure call (RPC) nodes that this DVN referenced. They first cut off communication with a distributed denial of service (DDoS) attack on an external RPC node operated by a third party, then compromised two internal RPC nodes hosted directly by LayerZero and tampered with their software.
Cut off from the external node, the DVN received data only from the internal nodes under the hackers' control, and the hackers injected fake data that made it appear as if rsETH had been burned on the source chain (Unichain).
As a result, the bridge contract on Ethereum, behaving normally on the basis of burn data for a burn that had never actually taken place, released 116,500 rsETH to the hacker's address. The nodes used in the attack also showed the precision of having been designed to self-destruct, deleting both the malicious binaries and the logs immediately after the crime.
Existing on-chain security solutions did not detect this attack at all, because every transaction, including signatures, message formats, and contract calls, looked perfectly "normal" on the surface.
"This is not a problem of individual transactions but a problem of system state," Chainalysis said, pointing to the absence of "cross-chain invariant monitoring" that checks in real time whether the movement of funds between the source chain and the destination chain mathematically matches.
Chainalysis argued that a system monitoring cross-chain invariants in real time could have detected, immediately after the first release of funds, that there was no matching burn record on the source chain.
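The check Chainalysis describes, carried through as an added example (this is not Chainalysis, Kelp DAO or LayerZero code): a monitor reads burn events from the source chain and release events from the destination chain, reconciles them by a hypothetical bridge message id, and raises an alert for any release that no independently observed burn backs. The event shapes, message ids and amounts below are constructed sample data.

```python
"""Cross-chain invariant monitor.

Added example, not code from Chainalysis, Kelp DAO or LayerZero. It reconciles
burn events observed on a source chain against release events observed on a
destination chain, keyed by a hypothetical bridge message id, and flags any
release that no independently observed burn backs. All event records are
constructed sample data; the amounts are arbitrary.
"""
from dataclasses import dataclass

WEI = 10**18  # 1 token = 10**18 wei (ERC-20 convention)


@dataclass(frozen=True)
class BurnEvent:
    """Burn observed on the source chain (assumed event shape)."""
    message_id: str
    amount: int   # wei
    block: int


@dataclass(frozen=True)
class ReleaseEvent:
    """Release observed on the destination chain (assumed event shape)."""
    message_id: str
    amount: int   # wei
    block: int
    recipient: str


@dataclass(frozen=True)
class Alert:
    message_id: str
    reason: str
    amount: int   # wei released without backing


def check_releases(burns, releases):
    """Return one Alert per release that breaks the per-message invariant
    'released(message_id) <= burned(message_id)'.

    The burn feed must come from RPC endpoints independent of the ones the
    bridge's verifier uses; a monitor that shares the verifier's view of the
    source chain would see the same forged burns and raise nothing.
    """
    burned = {}
    for b in burns:
        burned[b.message_id] = burned.get(b.message_id, 0) + b.amount

    released = {}
    alerts = []
    for r in releases:
        released[r.message_id] = released.get(r.message_id, 0) + r.amount
        backing = burned.get(r.message_id)
        if backing is None:
            # destination chain paid out for a message the source chain never produced
            alerts.append(Alert(r.message_id, "release without source-chain burn", r.amount))
        elif released[r.message_id] > backing:
            # a replayed or inflated release exceeds the burned amount
            alerts.append(Alert(r.message_id, "released more than burned",
                                released[r.message_id] - backing))
    return alerts


def supply_invariant_holds(burns, releases):
    """Global check: total burned on the source must cover total released on the destination."""
    return sum(b.amount for b in burns) >= sum(r.amount for r in releases)


# Constructed sample feeds: two genuine transfers, one unbacked release,
# and one replay of a genuine message id.
SAMPLE_BURNS = [
    BurnEvent("msg-0001", 10 * WEI, block=100),
    BurnEvent("msg-0002", 5 * WEI, block=101),
]
SAMPLE_RELEASES = [
    ReleaseEvent("msg-0001", 10 * WEI, block=2000, recipient="0xAAAA"),
    ReleaseEvent("msg-0002", 5 * WEI, block=2001, recipient="0xBBBB"),
    ReleaseEvent("msg-9999", 500 * WEI, block=2002, recipient="0xCCCC"),  # no burn
    ReleaseEvent("msg-0001", 10 * WEI, block=2003, recipient="0xAAAA"),   # replay
]

if __name__ == "__main__":
    for a in check_releases(SAMPLE_BURNS, SAMPLE_RELEASES):
        print(f"ALERT {a.message_id}: {a.reason} ({a.amount / WEI} tokens)")
    print("supply invariant holds:", supply_invariant_holds(SAMPLE_BURNS, SAMPLE_RELEASES))
```

The per-message check is what would have fired on the first unbacked release; the global supply check is a coarser backstop that still catches an attacker who reuses a real message id. In a live deployment the alert handler would be wired to the contract pause mechanism rather than just printing.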
Fortunately, further damage was prevented amid the misfortune. Sensing the anomaly, Kelp DAO immediately paused the Ethereum and L2 distribution contracts and, in cooperation with SEAL-911, blacklisted the hacker's address. Thanks to these measures, the hacker's second "ghost packet" attack, which attempted to withdraw an additional $95 million (40,000 rsETH), was blocked.
On the 20th, two days after the incident, the Arbitrum Security Council, in cooperation with law enforcement authorities, successfully froze about 30,766 ETH of the funds the hackers had moved to the Arbitrum One network. The funds have since been transferred to an intermediary wallet that does not affect other users or chains, effectively cutting off the hackers' access.
The Kelp DAO crisis calls for a new paradigm in DeFi security. For the operation of cross-chain protocols such as bridges, the following are essential: ▲a multi-quorum design that does not depend on a single node ▲multi-layered, continuous monitoring ▲a strong and reliable contract pause mechanism.
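The first of those three points, a verifier quorum that no single node can satisfy, as an added example (not LayerZero, Kelp DAO or Chainalysis code): a message counts as verified only when every required verifier and at least a threshold of optional verifiers attest the same payload hash. The verifier names, payloads and configurations are constructed, and the rule is a simplified model rather than any product's actual verification logic.

```python
"""Verifier quorum check for a cross-chain message.

Added example, not LayerZero, Kelp DAO or Chainalysis code. It models a
simplified rule in the spirit of a required/optional verifier threshold: a
message payload counts as verified only when every required verifier and at
least `optional_threshold` optional verifiers have attested the same payload
hash. Verifier names, payloads and configurations are constructed.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class QuorumConfig:
    required: frozenset        # verifiers that must all attest
    optional: frozenset        # verifiers of which `optional_threshold` must attest
    optional_threshold: int

    def __post_init__(self):
        if self.optional_threshold > len(self.optional):
            raise ValueError("threshold exceeds the number of optional verifiers")
        if not self.required and self.optional_threshold == 0:
            raise ValueError("config would verify every message with no attestations")


def payload_hash(payload: bytes) -> str:
    """Hash of the cross-chain message as each verifier would attest it."""
    return hashlib.sha256(payload).hexdigest()


def is_verified(cfg: QuorumConfig, attestations: dict, candidate: str) -> bool:
    """attestations maps verifier name -> payload hash that verifier attested.

    Only attestations for the candidate hash count: a verifier whose view of
    the source chain was tampered with attests a different hash, so it cannot
    carry a message on its own once the quorum needs independent agreement.
    """
    agreeing = {name for name, h in attestations.items() if h == candidate}
    if not cfg.required <= agreeing:
        return False
    return len(agreeing & cfg.optional) >= cfg.optional_threshold


# Constructed scenario: dvn_a's view of the source chain has been tampered
# with, so it attests a burn that never happened; dvn_b and dvn_c read
# independent nodes and attest only the genuine burn.
GENUINE = payload_hash(b"burn:msg-0001:10")
FORGED = payload_hash(b"burn:msg-9999:500")
ATTESTATIONS = {"dvn_a": FORGED, "dvn_b": GENUINE, "dvn_c": GENUINE}

# The single-verifier setup described in the article versus two alternatives.
SINGLE_VERIFIER = QuorumConfig(frozenset({"dvn_a"}), frozenset(), 0)
TWO_OF_THREE = QuorumConfig(frozenset(), frozenset({"dvn_a", "dvn_b", "dvn_c"}), 2)
REQUIRED_PLUS_ONE = QuorumConfig(frozenset({"dvn_a"}), frozenset({"dvn_b", "dvn_c"}), 1)

if __name__ == "__main__":
    for name, cfg in [("single", SINGLE_VERIFIER), ("2-of-3", TWO_OF_THREE),
                      ("required+1", REQUIRED_PLUS_ONE)]:
        print(f"{name}: forged={is_verified(cfg, ATTESTATIONS, FORGED)} "
              f"genuine={is_verified(cfg, ATTESTATIONS, GENUINE)}")
```

Two things the run shows: the single-verifier configuration accepts the forged payload because the one verifier it trusts is the one whose inputs were tampered with, and listing a verifier as required makes it a liveness dependency as well, since genuine messages also stop flowing while that verifier disagrees with the rest. A threshold over independent verifiers avoids both problems as long as fewer than the threshold share a compromised data source.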
