North Korea’s Lazarus APT stole $290M from Kelp DAO by abusing LayerZero, according to Security Affairs. Attackers manipulated LayerZero infrastructure, forcing systems to rely on compromised nodes, and then drained around 116,500 rsETH (about $293M) from the rsETH bridge in minutes. A second attempted theft worth about $95M was stopped after Kelp paused the relevant contracts on Ethereum mainnet and L2s, blacklisted wallets, and engaged SEAL-911.
LayerZero says the breach affected only its rsETH setup and did not spread to other apps. It notes that the attack leveraged a single-point-of-trust flaw in Kelp DAO’s verifier configuration and recommends a multi-DVN setup to prevent similar incidents. The incident is described as likely attributable to the Lazarus Group, more specifically TraderTraitor, and Kelp DAO has since frozen activity and partnered with ecosystem players to analyse impact and mitigation. The report also highlights that LayerZero’s modular design helped isolate the damage and that Kelp DAO’s 1-of-1 DVN contributed to the vulnerability.
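
The single-point-of-trust condition described above can be checked mechanically before a bridge pathway goes live. The following is an added example, not code from LayerZero, Kelp DAO or the report: it uses a simplified model of a verifier set (a required group plus an optional k-of-n group) and generalises beyond the 1-of-1 case to verifiers that share an operator. All field names, addresses and operator names are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class VerifierConfig:
    """Simplified verifier set for one bridge pathway (hypothetical field names)."""
    required: list                                 # every one of these must attest
    optional: list = field(default_factory=list)   # any `threshold` of these must attest
    threshold: int = 0

def min_operators_to_forge(cfg, operator_of=None):
    """Fewest independent operators an attacker must control to pass verification."""
    owners = {k.lower(): v for k, v in (operator_of or {}).items()}
    op = lambda dvn: owners.get(dvn.lower(), dvn.lower())  # unknown DVN = its own operator
    required_ops = {op(d) for d in cfg.required}
    optional = {d.lower() for d in cfg.optional}           # de-duplicate addresses
    if cfg.threshold > len(optional):
        raise ValueError("threshold exceeds number of distinct optional verifiers")
    per_op = Counter(op(d) for d in optional)
    # Optional verifiers run by an already-required operator come for free.
    have = sum(n for o, n in per_op.items() if o in required_ops)
    extra = 0
    for o, n in per_op.most_common():                      # greedy: largest operator first
        if have >= cfg.threshold:
            break
        if o not in required_ops:
            have, extra = have + n, extra + 1
    return len(required_ops) + extra

def audit(cfg, operator_of=None):
    """Classify a configuration by how many operators must fail before it does."""
    n = min_operators_to_forge(cfg, operator_of)
    if n == 0:
        return "UNVERIFIED"
    return "SINGLE_POINT_OF_TRUST" if n == 1 else f"OK ({n} independent operators)"

if __name__ == "__main__":
    # Constructed sample configurations; addresses and operator names are made up.
    samples = {
        "1-of-1": VerifierConfig(["0xA1"]),
        "2 required + 2-of-3 optional": VerifierConfig(
            ["0xA1", "0xB2"], ["0xC3", "0xD4", "0xE5"], 2),
        "2 required, same operator": VerifierConfig(["0xA1", "0xB2"]),
    }
    operators = {"0xA1": "op-x", "0xB2": "op-x"}
    for name, cfg in samples.items():
        who = operators if "same operator" in name else None
        print(f"{name}: {audit(cfg, who)}")
```

The third sample shows why counting verifier addresses is not enough: two required verifiers run by one operator still collapse to a single point of trust.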