RC RANDOM CHAOS

Lazarus-linked attackers drain $290M from KelpDAO via poisoned RPC nodes

Original source: "KelpDAO suffers $290 million heist tied to Lazarus hackers", via BleepingComputer

KelpDAO, an Ethereum liquid restaking protocol, lost roughly 116,500 rsETH (about $293 million) on April 18 after attackers subverted the cross-chain verification layer used to move the token between chains. LayerZero’s post-incident analysis points to compromised RPC nodes feeding falsified blockchain data to a Decentralized Verifier Network (DVN), while healthy nodes were simultaneously DDoS’d to force reliance on the poisoned ones. The result: a fabricated cross-chain message was accepted as valid, authorizing rsETH movements for transactions that never happened on-chain.

Funds were laundered through Tornado Cash. Knock-on effects hit lending protocols that accepted rsETH as collateral — Compound, Euler, and Aave — with Aave freezing rsETH deposits and borrowing. LayerZero attributes the intrusion to DPRK’s Lazarus Group, specifically the TraderTraitor subcluster, and says the blast radius is contained to rsETH with no wider contagion.

The attack pattern — quorum manipulation by corrupting the data sources a verifier trusts rather than breaking cryptography — exposes a structural weakness in cross-chain bridges: the verifier is only as honest as the RPC endpoints it queries. Combined with the $280M Drift Protocol theft earlier this year, which involved a six-month social-engineering operation, Lazarus is demonstrating patient, infrastructure-level targeting of DeFi rather than smart-contract exploitation.
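The failure mode described above, as an added example that is not code from LayerZero, KelpDAO or the original article: a verifier that takes the majority of whichever RPC endpoints answer, next to one that fixes its threshold against all configured endpoints and fails closed. The endpoint names, hash strings and function names are constructed for illustration, and the model assumes each endpoint simply reports one hash for the source-chain event.

```python
from collections import Counter
from typing import Callable, Dict

Provider = Callable[[], str]  # hypothetical: returns the hash this endpoint reports for the event


class QuorumError(Exception):
    """Too few configured endpoints agree; the message must not be attested."""


def _collect(providers: Dict[str, Provider]) -> Counter:
    votes: Counter = Counter()
    for fetch in providers.values():
        try:
            votes[fetch()] += 1
        except Exception:
            pass  # an unreachable endpoint casts no vote
    return votes


def naive_verify(providers: Dict[str, Provider]) -> str:
    # Weak: majority of whoever answered. Knocking honest nodes offline shrinks the denominator.
    votes = _collect(providers)
    if not votes:
        raise QuorumError("no endpoint answered")
    return votes.most_common(1)[0][0]


def strict_verify(providers: Dict[str, Provider], threshold: int) -> str:
    # Hardened: threshold is fixed against ALL configured endpoints, and the check fails closed.
    if threshold * 2 <= len(providers):
        raise ValueError("threshold must be a strict majority of configured endpoints")
    votes = _collect(providers)
    value, count = votes.most_common(1)[0] if votes else ("", 0)
    if count < threshold:
        raise QuorumError(f"only {count} of {len(providers)} endpoints agree; need {threshold}")
    return value


# Constructed sample: five endpoints, two poisoned, three honest ones made unreachable.
REAL, FAKE = "0xreal", "0xfake"

def _down() -> str:
    raise TimeoutError("endpoint unreachable")

HEALTHY = {"a": lambda: REAL, "b": lambda: REAL, "c": lambda: REAL, "d": lambda: FAKE, "e": lambda: FAKE}
UNDER_ATTACK = {**HEALTHY, "a": _down, "b": _down, "c": _down}
```

The strict check only holds while the poisoned endpoints number fewer than the threshold and the endpoints are operated independently; it converts an availability attack into a stalled message instead of a forged one.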

This is an AI-generated summary. Read the original for the full story.