KelpDAO's cross-chain bridge was drained of $292 million in a single weekend. A surgically precise attack, attributed by LayerZero to North Korea's formidable Lazarus Group. Behind this spectacular hack, however, lies a design flaw that nobody wanted to fix.

In brief
- Hackers stole approximately $292 million from KelpDAO's cross-chain bridge on Saturday, April 19, 2025.
- LayerZero, which powered the bridge, attributes the attack to the North Korean Lazarus Group, and more specifically its TraderTraitor subunit.
- The bridge itself was not compromised: it was the verification channel, based on a single control point, that was manipulated.
A masterfully crafted attack by Lazarus
Last Saturday, attackers withdrew 116,500 rsETH, a liquid restaking token backed by staked ether, from KelpDAO's cross-chain bridge.
The amount stolen is around $292 million. On Monday, LayerZero published a preliminary analysis naming the North Korean group Lazarus, and more precisely its TraderTraitor subunit, as the "likely" culprit.
TraderTraitor is no stranger. The crypto community regards this group as the most sophisticated North Korean actor targeting cryptocurrency. Its track record speaks for itself: it compromised, among others, Axie Infinity's Ronin bridge and the Indian exchange WazirX.
North Korea's Reconnaissance General Bureau oversees all of these cyber operations and houses several specialized units, including APT38 and DangerousPassword.
The technique used here was fearsomely elegant. The hackers did not break the bridge; they deceived its guardian. Specifically, they intercepted two of the lines the bridge verifier uses to confirm withdrawals on Unichain, fed them a false approval signal, and then disabled the remaining lines, forcing the system to rely solely on the corrupted data.
"The vault was intact. The guard was honest. The door mechanism was working properly," summarizes Meir Dolev, technical director at Cyvers. "The lie was whispered directly to the person whose word opened the door."
An architectural flaw flagged, then ignored
Above all, this hack exposes a blatant design error. KelpDAO relied on a single verifier to approve transfers into and out of its bridge. LayerZero says it "repeatedly urged" the protocol to adopt multiple verifiers. In vain.
Shalev Keren, co-founder of security firm Sodot, is blunt: "This was a single point of failure, no matter how the marketing presents it." One compromised checkpoint was enough to empty the bridge. No audit could have closed this gap without calling the architecture itself into question.
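To make the two design points above concrete (a verifier that silently falls back to whatever inputs remain, versus one that demands a quorum of independent attesters and fails closed), here is an added illustrative model written for this article; it is not KelpDAO's or LayerZero's code, and the attester names, reply values and the "two corrupted, two cut off" scenario are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: a bridge withdrawal is released on the destination chain
# only if attesters confirm it was committed on the source chain. An attester's
# reply is "confirmed", "absent", or None when the attester is unreachable.
@dataclass(frozen=True)
class Attester:
    name: str
    reply: Optional[str]

def single_verifier_release(attesters):
    """Weak design (assumed model of the flaw): whichever inputs are still
    live are trusted, unreachable ones are silently skipped, so the verifier
    degrades to the remaining, possibly corrupted, inputs."""
    live = [a for a in attesters if a.reply is not None]
    return bool(live) and all(a.reply == "confirmed" for a in live)

def quorum_release(attesters, quorum):
    """Hardened design: require `quorum` independent attesters to answer
    'confirmed', and fail closed when fewer than `quorum` are reachable at
    all, so losing redundancy can never widen what gets approved."""
    live = [a for a in attesters if a.reply is not None]
    if len(live) < quorum:
        return False                      # degraded redundancy -> refuse
    return sum(a.reply == "confirmed" for a in live) >= quorum

# Constructed scenario mirroring the article: two of four inputs are fed a
# false approval, the other two are cut off.
ATTACK = [Attester("rpc-a", "confirmed"), Attester("rpc-b", "confirmed"),
          Attester("rpc-c", None), Attester("rpc-d", None)]
# Constructed legitimate withdrawal: all four independent inputs agree.
LEGIT = [Attester(n, "confirmed") for n in ("rpc-a", "rpc-b", "rpc-c", "rpc-d")]

def demo():
    return {
        "weak_approves_attack": single_verifier_release(ATTACK),    # True
        "quorum_3of4_blocks_attack": not quorum_release(ATTACK, 3), # True
        "quorum_3of4_allows_legit": quorum_release(LEGIT, 3),       # True
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that `quorum_release(ATTACK, 2)` still approves: the threshold has to exceed the number of inputs one adversary could corrupt at once, and the attesters must be run by independent operators for the count to mean anything.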
Haoze Qiu, blockchain manager at Grvt, goes further and points to shared responsibility: "KelpDAO appears to have accepted a security configuration with insufficient redundancy for an asset of this scale," while LayerZero "also bears some responsibility," since the attack involved infrastructure linked to its validator stack.
The consequences were immediate. Mass withdrawals of rsETH forced the Aave protocol to freeze its markets tied to the token, triggering a liquidity crunch that saw more than $10 billion pulled from the protocol.
The hackers also came close to stealing an additional $100 million within three minutes, before an emergency blacklist stopped them. Finally, the malware used wiped itself automatically once the operation was over, deleting files and logs.
This hack extends a grim run: in February 2025, Lazarus stole $1.4 billion from Bybit, the largest crypto hack in history. At the start of this month, $285 million vanished from the Drift protocol on Solana. DeFi remains a prime target for Pyongyang, and until the security of cross-chain bridges becomes a top priority, these attacks will keep wreaking havoc.
