Lazarus Group Suspected in $290 Million KelpDAO Crypto Heist
The decentralized finance (DeFi) project **KelpDAO** suffered a $290 million cryptocurrency theft, with early indicators pointing to the North Korean state-sponsored hacking group **Lazarus Group**. The attackers subverted the cross-chain verification layer by feeding its verifier falsified blockchain data, enabling unauthorized movement of rsETH tokens.

### Lazarus Group Suspected in KelpDAO Exploit
State-sponsored North Korean hackers are likely behind the $290 million crypto heist that hit the **KelpDAO** DeFi project on Saturday. The attack reportedly also affected the lending protocols **Compound**, **Euler**, and **Aave**, with Aave freezing its rsETH markets and blocking new deposits or borrowing that use rsETH as collateral.
**KelpDAO** is a decentralized finance (DeFi) project built around liquid restaking on the Ethereum network. It accepts user ETH deposits, restakes them, and returns a liquid token named "rsETH" that represents the restaked position.
The rsETH token is meant to let users keep earning restaking yield while the token remains usable across DeFi, including cross-chain via **LayerZero**, an inter-blockchain messaging protocol and interoperability layer.
On April 18, **KelpDAO** announced that it had detected "suspicious cross-chain activity" involving rsETH, forcing it to pause the rsETH contracts across Ethereum mainnet and L2s. The project launched an investigation with the help of **LayerZero**, **Unichain**, and other partners.
On-chain activity showed roughly $293 million worth of funds being routed through the **Tornado Cash** mixer to obscure the trail.
### Attack Details: Compromised Verification Layer
According to additional details shared by **LayerZero**, the attack targeted the verification layer, the Decentralized Verifier Network (DVN), used to validate cross-chain messages for rsETH.
Specifically, the attackers compromised some of the RPC nodes the verifier relied on and fed it falsified blockchain data, while simultaneously DDoS-ing the healthy RPC nodes so that the verifier fell back on the "poisoned" ones. A forged cross-chain message was therefore accepted as valid: the verifier attested to source-chain transactions that had never occurred, which allowed rsETH to be moved without authorization.
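To make that failure mode concrete, the following added example (illustrative Python written for this page, not LayerZero, KelpDAO or any real DVN's code; the node names, message identifiers, receipt format and the two-node quorum threshold are all assumptions) models a verifier that trusts whichever RPC node still answers beside one that requires a quorum of independent nodes to agree and fails closed when it cannot get one. Taking the honest nodes offline steers the first design onto the attacker's node; the second refuses the forged message, but also stops confirming genuine ones while the honest nodes are down, which is the availability cost of failing closed.

```python
"""Model of a cross-chain message verifier fed by RPC nodes.

Illustrative example, not LayerZero or KelpDAO code. A verifier that falls
back to whichever RPC node still answers can be steered onto attacker-
controlled nodes by knocking the honest ones offline. The hardened verifier
requires a quorum of independent nodes to agree and fails closed otherwise.
"""
from dataclasses import dataclass


class RpcTimeout(Exception):
    """Raised when an RPC node does not answer (e.g. it is being DDoS-ed)."""


@dataclass
class RpcNode:
    """Simulated RPC endpoint (hypothetical). `receipts` maps a message id to
    the payload hash the node claims was emitted on the source chain."""
    name: str
    receipts: dict
    reachable: bool = True

    def get_receipt(self, message_id: str):
        if not self.reachable:
            raise RpcTimeout(self.name)
        return self.receipts.get(message_id)  # None = node never saw it


def verify_first_available(message_id: str, claimed_hash: str, nodes) -> bool:
    """Vulnerable design: trust the first node that answers. Unreachable nodes
    are silently skipped, so an attacker who DDoS-es the honest nodes decides
    which node gets to be 'first'."""
    for node in nodes:
        try:
            seen = node.get_receipt(message_id)
        except RpcTimeout:
            continue  # fall through to the next node
        return seen == claimed_hash
    return False


def verify_with_quorum(message_id: str, claimed_hash: str, nodes, threshold: int) -> bool:
    """Hardened design: require `threshold` reachable nodes from independent
    providers to report the same receipt. Silence contributes nothing and any
    contradiction rejects the message, so the verifier fails closed."""
    agreeing = 0
    for node in nodes:
        try:
            seen = node.get_receipt(message_id)
        except RpcTimeout:
            continue  # an unreachable node cannot vouch for anything
        if seen != claimed_hash:
            return False  # one honest contradiction is enough to reject
        agreeing += 1
    return agreeing >= threshold


# Constructed sample data: one genuine message and one the attacker forged.
REAL_MSG, REAL_HASH = "msg-001", "0xaaaa"   # actually emitted on the source chain
FAKE_MSG, FAKE_HASH = "msg-002", "0xbeef"   # never emitted; only the poisoned node "sees" it

HONEST_LEDGER = {REAL_MSG: REAL_HASH}
POISONED_LEDGER = {REAL_MSG: REAL_HASH, FAKE_MSG: FAKE_HASH}


def build_nodes(honest_up: bool):
    """Two honest providers and one attacker-controlled provider; `honest_up`
    False models the DDoS that takes the honest nodes offline."""
    return [
        RpcNode("provider-a", HONEST_LEDGER, reachable=honest_up),
        RpcNode("provider-b", HONEST_LEDGER, reachable=honest_up),
        RpcNode("provider-c", POISONED_LEDGER),  # attacker-controlled, always up
    ]


def run_scenarios() -> dict:
    """Run both verifiers in calm conditions and under the DDoS-plus-poison attack."""
    calm, attack = build_nodes(True), build_nodes(False)
    return {
        "naive_real_calm": verify_first_available(REAL_MSG, REAL_HASH, calm),      # True
        "naive_fake_calm": verify_first_available(FAKE_MSG, FAKE_HASH, calm),      # False
        "naive_fake_attack": verify_first_available(FAKE_MSG, FAKE_HASH, attack),  # True: forged message accepted
        "quorum_real_calm": verify_with_quorum(REAL_MSG, REAL_HASH, calm, 2),      # True
        "quorum_fake_attack": verify_with_quorum(FAKE_MSG, FAKE_HASH, attack, 2),  # False: rejected
        "quorum_real_attack": verify_with_quorum(REAL_MSG, REAL_HASH, attack, 2),  # False: liveness lost, safety kept
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The quorum verifier's threshold only helps if the counted nodes are genuinely independent (different operators, hosting and network paths); two nodes from the same compromised provider are one vote, not two. It also needs a rate limit or alert on repeated timeouts, since a sudden run of unreachable providers is itself the signal that something like the attack described above is under way.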
Based on a preliminary evaluation of the attack indicators, **LayerZero** believes that the infamous **Lazarus Group** is likely responsible for the heist. "Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK's **Lazarus Group**, more specifically TraderTraitor," they stated.
The protocol also noted that the incident was isolated to rsETH and that there is no broader contagion across other apps or assets.
### Lazarus Group's Expanding Portfolio
While the **KelpDAO** breach is one of the largest thefts so far this year by amount stolen, the **Lazarus Group** has also been linked to another large theft, $280 million from the **Drift Protocol**. According to a post-mortem report, that attack was the result of a six-month-long, carefully planned operation in which operatives attended conferences and made $1 million in deposits into the project.
