Introduction: A New Era of Sophisticated DeFi Attacks Emerges
The decentralized finance ecosystem has long been promoted as secure, transparent, and resistant to traditional cyber threats. Yet recent events reveal a shifting battlefield where attackers no longer aim directly at blockchain protocols, but instead exploit the fragile infrastructure surrounding them. The latest breach involving Kelp DAO exposes how advanced threat actors are evolving their tactics, leveraging off-chain weaknesses and system design flaws to orchestrate massive financial thefts. This incident not only highlights technical vulnerabilities but also raises urgent questions about security standards across the rapidly expanding DeFi landscape.
The Kelp DAO Exploit and Attack Mechanics
The attack, attributed to the North Korea-linked Lazarus APT group, resulted in the theft of approximately $290 million from Kelp DAO, a decentralized finance protocol operating within the Ethereum ecosystem. Kelp DAO focuses on liquid restaking, allowing users to stake ETH through EigenLayer while maintaining liquidity via rsETH tokens, effectively earning additional rewards without locking assets.
Rather than exploiting the core smart contracts of Kelp DAO, the attackers targeted the verification layer powered by LayerZero infrastructure. LayerZero is responsible for validating cross-chain transactions through a distributed network of RPC nodes and Decentralized Verifier Networks (DVNs). By compromising two RPC nodes, the attackers were able to inject malicious yet seemingly legitimate transaction data into the system.
To further strengthen their control, the attackers launched a Distributed Denial-of-Service (DDoS) attack against the remaining healthy nodes. This forced the system into relying on the compromised nodes, effectively allowing fraudulent transactions to pass verification. Through this method, funds were drained from the protocol without triggering immediate detection mechanisms.
Kelp DAO responded quickly upon detecting anomalies. The platform paused all relevant smart contracts across Ethereum mainnet and Layer 2 networks, blacklisted attacker-associated wallets, and coordinated with security responders. A second attempted exploit involving approximately $95 million in rsETH was successfully prevented due to these emergency measures.
LayerZero clarified that its protocol and core infrastructure were not directly compromised. Instead, the attackers exploited weaknesses in downstream RPC infrastructure and configuration choices made by Kelp DAO. Specifically, Kelp DAO had implemented a “1-of-1” verifier configuration, meaning only one DVN was required to validate transactions. This created a critical single point of failure, enabling attackers to bypass safeguards once that verifier path was compromised.
Industry best practices recommend multi-verifier (multi-DVN) configurations to ensure redundancy and prevent unilateral validation failures. Despite prior recommendations, Kelp DAO maintained its single-verifier setup, which ultimately enabled the exploit. Following the attack, compromised nodes were replaced, and stronger configurations are now being enforced.
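To make the single-point-of-failure argument concrete, here is a small Python model (an added example, not code from Kelp DAO or LayerZero) of why a 1-of-1 verifier path fails open when its one verifier is fed bad data, while a configuration that also demands agreement from additional verifiers fails closed. The required/optional/threshold shape, the DVN and RPC names, and the payload hashes are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

Reading = Optional[str]  # payload hash reported by a node/verifier, None = unreachable

def rpc_consensus(readings: Dict[str, Reading], min_reachable: int) -> Optional[str]:
    """What a verifier should attest after polling several RPC nodes.

    Attest only when enough nodes answered and every answer agrees; otherwise
    refuse (fail closed) rather than trust whichever nodes stayed reachable."""
    answers = [h for h in readings.values() if h is not None]
    if len(answers) < min_reachable or len(set(answers)) != 1:
        return None
    return answers[0]

@dataclass(frozen=True)
class VerifierConfig:
    required: frozenset                # every one of these DVNs must attest
    optional: frozenset = frozenset()  # pool of additional DVNs
    optional_threshold: int = 0        # how many of the pool must also attest

def verified_payload(cfg: VerifierConfig, attestations: Dict[str, Reading]) -> Optional[str]:
    """Return the payload hash the DVN set agrees on, or None if nothing reaches quorum."""
    for payload in {h for h in attestations.values() if h is not None}:
        required_ok = all(attestations.get(d) == payload for d in cfg.required)
        optional_votes = sum(1 for d in cfg.optional if attestations.get(d) == payload)
        if required_ok and optional_votes >= cfg.optional_threshold:
            return payload
    return None

# Constructed configurations: a single verifier path vs. one required plus 1-of-2 optional.
ONE_OF_ONE = VerifierConfig(required=frozenset({"dvn_a"}))
REDUNDANT = VerifierConfig(required=frozenset({"dvn_a"}),
                           optional=frozenset({"dvn_b", "dvn_c"}), optional_threshold=1)

def scenario() -> dict:
    """Constructed scenario: dvn_a's two RPC nodes are compromised and agree on a forged
    hash; its third, healthy node is unreachable (modelled denial of service)."""
    readings = {"rpc1": "forged", "rpc2": "forged", "rpc3": None}
    cautious = rpc_consensus(readings, min_reachable=3)  # refuses: None
    naive = rpc_consensus(readings, min_reachable=1)     # trusts what answered: "forged"
    attest = {"dvn_a": naive, "dvn_b": None, "dvn_c": "genuine"}
    return {
        "cautious_dvn": cautious,
        "one_of_one": verified_payload(ONE_OF_ONE, attest),  # forged payload accepted
        "redundant": verified_payload(REDUNDANT, attest),    # no quorum, rejected
        "all_honest": verified_payload(REDUNDANT, {"dvn_a": "genuine", "dvn_b": "genuine"}),
    }
```

The two defensive knobs are the RPC-level minimum-reachable count (so losing healthy nodes stalls attestation instead of narrowing it to the remaining ones) and the DVN-level quorum (so a single wrong attestation cannot carry a payload on its own).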
The impact extended beyond Kelp DAO, sending shockwaves across the DeFi ecosystem. Platforms like Aave experienced significant valuation drops, reportedly nearing $8 billion in losses tied to market reactions and exposure concerns. Collaborative mitigation efforts involving ecosystem partners, including Arbitrum’s Security Council, helped contain further damage by freezing assets and coordinating response strategies.
What Undercode Say: Deep Analysis of the Structural Weakness Behind the Breach
The Kelp DAO incident represents more than just another large-scale crypto theft; it exposes a structural blind spot in how decentralized systems are designed and secured. While the industry often emphasizes smart contract audits and on-chain security, this attack proves that off-chain components are now the primary battlefield.
The attackers did not break Ethereum. They did not exploit EigenLayer. Instead, they targeted trust assumptions embedded in verification infrastructure. This distinction is critical. It signals a shift from code exploitation to system manipulation, where attackers exploit how different components interact rather than the components themselves.
The use of RPC spoofing combined with DDoS pressure reveals a highly coordinated and state-level capability. Compromising two independent nodes running on separate clusters suggests prior reconnaissance and possibly insider-level knowledge of infrastructure layouts. This is not opportunistic hacking; it is engineered infiltration.
More concerning is the decision to operate under a 1-of-1 DVN configuration. In distributed systems, redundancy is not optional; it is foundational. By relying on a single verifier, Kelp DAO effectively centralized trust in a system meant to be decentralized. This contradiction undermines the entire security model of DeFi.
The argument from Kelp DAO that it followed default configurations raises another issue: responsibility in decentralized ecosystems. Protocols cannot rely solely on defaults when handling billions in user funds. Security must be proactive, not reactive. Following recommendations is not enough if they are not enforced or validated through risk assessments.
LayerZero’s modular design did succeed in one critical aspect: containment. The breach did not cascade into other applications using the same infrastructure. This demonstrates that modularity, when properly implemented, can act as a firewall within decentralized ecosystems. However, modularity alone cannot compensate for weak configurations at the integration level.
The involvement of Lazarus Group reinforces the geopolitical dimension of crypto security. These attacks are not just financial crimes; they are strategic operations. Funds extracted from DeFi protocols may be used to bypass international sanctions, fund state activities, or destabilize financial systems. This elevates DeFi security from a technical issue to a global security concern.
Another overlooked aspect is the psychological impact on the market. The rapid valuation drop in platforms like Aave illustrates how interconnected DeFi protocols are. Trust erosion spreads faster than technical damage, amplifying the consequences of a single breach across the entire ecosystem.
Moving forward, the industry must rethink its security priorities. Multi-verifier systems should become mandatory, not optional. Infrastructure transparency should be increased, allowing protocols to verify the integrity of the systems they depend on. Continuous monitoring of off-chain components must be treated with the same urgency as smart contract auditing.
Ultimately, this attack underscores a simple but often ignored truth: decentralization is not achieved through branding; it is achieved through architecture. Without redundancy, diversity, and layered verification, systems remain vulnerable, regardless of how advanced their underlying technology appears.
Fact Checker Results
✅ The attack targeted LayerZero’s RPC infrastructure, not Kelp DAO’s core smart contracts
✅ The $290M theft and prevented $95M secondary attack are consistent with reported figures
❌ Claims that LayerZero itself was fully compromised are misleading; the protocol remained intact
Prediction
📊 Advanced state-sponsored attacks on DeFi infrastructure will increase significantly over the next 12–24 months
📊 Multi-verifier and redundant security models will become mandatory standards across major protocols
📊 Investor trust will temporarily decline, but stronger security frameworks will drive long-term institutional adoption
References:
Reported By: securityaffairs.com