Hackers stole more than $290 million from Kelp DAO over the weekend, targeting a protocol that lets users earn yield on idle crypto. The theft surpassed April’s roughly $285 million Drift hack as the year’s largest crypto heist. By Monday, LayerZero said preliminary indicators pointed to North Korea. It said attackers abused Kelp DAO’s bridge setup and exploited a weak verification model to push fraudulent transactions through. Kelp DAO later blamed LayerZero for the breach.
LayerZero said attackers exploited Kelp DAO through its LayerZero bridge, which allows blockchains to send instructions to each other. From there, the hackers took advantage of Kelp DAO’s own security configuration. Because that setup did not require multiple checks before approval, the system accepted fraudulent transactions and released funds.
At the center of the exploit was Kelp DAO’s 1-of-1 DVN mechanism. In practice, one verifier approved messages, and no backup verifier stood ready. Once attackers sent a fake cross-chain message, no independent review stopped it, and the protocol released the tokens.
LayerZero said it had already advised Kelp DAO to use multiple verifiers and reduce that risk. Kelp DAO did not adopt those recommendations before the exploit.
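The difference between a single verifier and a multi-verifier quorum can be shown with a small model. This is an added example, not code from LayerZero or Kelp DAO; the verifier names, keys, configurations and the `audit` check are hypothetical, and HMAC stands in for a verifier's signature.

```python
import hashlib
import hmac

# Constructed verifier names and keys (hypothetical, not real DVN identities).
# HMAC stands in for each verifier's signature over a cross-chain message.
KEYS = {"dvn-a": b"ka", "dvn-b": b"kb", "dvn-c": b"kc"}


def attest(verifier: str, message: bytes) -> str:
    """Attestation one verifier issues for a message."""
    return hmac.new(KEYS[verifier], message, hashlib.sha256).hexdigest()


def accept(message: bytes, attestations: dict, verifiers: set, threshold: int) -> bool:
    """Accept only if `threshold` distinct configured verifiers attest validly."""
    valid = {
        v for v, tag in attestations.items()
        if v in verifiers and hmac.compare_digest(tag, attest(v, message))
    }
    return len(valid) >= threshold


def audit(configs: dict) -> list:
    """Return pathways where compromising one verifier is enough to approve."""
    return sorted(name for name, (verifiers, threshold) in configs.items()
                  if threshold < 2 or len(verifiers) < 2)


# Constructed configurations: the 1-of-1 setup described above and a 2-of-3 one.
CONFIGS = {
    "one-of-one": ({"dvn-a"}, 1),
    "two-of-three": ({"dvn-a", "dvn-b", "dvn-c"}, 2),
}

# A message that was never sent on the source chain, attested only by the
# single verifier assumed to be compromised (dvn-a).
FAKE = b"constructed: release tokens"
FAKE_ATTESTATIONS = {"dvn-a": attest("dvn-a", FAKE)}


def outcome(name: str) -> bool:
    """True if the named configuration would accept the fake message."""
    verifiers, threshold = CONFIGS[name]
    return accept(FAKE, FAKE_ATTESTATIONS, verifiers, threshold)


if __name__ == "__main__":
    for name in CONFIGS:
        print(name, "accepts fake message:", outcome(name))
    print("flagged by audit:", audit(CONFIGS))
```

With one verifier compromised, the 1-of-1 configuration accepts the fake message and the 2-of-3 configuration rejects it; `audit` flags only the single-verifier pathway.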
LayerZero said preliminary indicators linked the exploit to TraderTraitor, a North Korean hacking group known for targeting crypto platforms. It also pointed to a possible Lazarus Group link. The company said the incident stayed isolated and did not spread to other LayerZero assets or applications.
At the same time, Kelp DAO rejected LayerZero’s account and instead blamed LayerZero for the theft. Still, LayerZero said it removed and replaced the compromised RPC nodes. It added that LayerZero Labs DVN is back online.
The case fits a wider pattern in crypto crime. According to reports, North Korean hackers stole more than $2 billion last year and about $6 billion since 2017. The fallout also extended beyond Kelp DAO, because Aave faced bad debt and exposure tied to the stolen rsETH tokens.
The Kelp DAO hack became the biggest crypto theft of the year after attackers drained over $290 million through a weak single-verifier setup. LayerZero linked the breach to North Korea’s TraderTraitor group, while the fallout exposed broader DeFi security risks. Protocols must strengthen verification systems to reduce attack paths.