
LayerZero Releases KelpDAO Attack Report: North Korean Hacker Group Allegedly Involved, Security Strategy to Be Adjusted

2026-05-20 13:16

Odaily reports that LayerZero Labs has released the latest incident report stating that on April 18, 2026, the KelpDAO rsETH cross-chain bridge, built on its cross-chain communication protocol, was attacked, resulting in the theft of approximately 116,500 rsETH (around $292 million). Multiple security agencies, including Mandiant, CrowdStrike, and independent researchers, have attributed this attack to the North Korean-linked hacker group TraderTraitor (UNC4899).

The report indicates that the attack began on March 6, 2026. The attacker breached a LayerZero developer account through social engineering, stole session keys, infiltrated the RPC cloud environment, further compromised internal RPC node data, and manipulated the returned results to deceive monitoring systems and the Decentralized Verifier Network (DVN). Subsequently, the attacker launched a denial-of-service attack against external RPC providers, forcing the verification system to rely on the compromised nodes to generate forged cross-chain proofs, thereby successfully extracting the funds.

LayerZero pointed out that the core vulnerability in this incident lies in the affected application adopting a "single-verifier" configuration. This caused the target contract to execute asset release upon receiving only a single valid signature, leading to the theft of rsETH.
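The single-verifier weakness described above, as an added example that is not taken from LayerZero's report or code: a release check that counts distinct verifiers attesting the same payload hash, run under a 1-of-1 and a 2-of-3 configuration. The verifier names, keys, the 2-of-3 threshold and the use of HMAC in place of real signatures are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed verifier keys (HMAC stands in for real signatures); all names are hypothetical.
VERIFIER_KEYS = {
    "dvn-a": b"constructed-key-a",
    "dvn-b": b"constructed-key-b",
    "dvn-c": b"constructed-key-c",
}

def attest(verifier_id, payload, keys=VERIFIER_KEYS):
    """Return (verifier_id, payload_hash, tag) as a verifier would sign a message."""
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(keys[verifier_id], digest.encode(), hashlib.sha256).hexdigest()
    return (verifier_id, digest, tag)

def may_release(payload, attestations, allowed, threshold, keys=VERIFIER_KEYS):
    """True only if `threshold` distinct allowed verifiers validly attest this payload."""
    digest = hashlib.sha256(payload).hexdigest()
    approved = set()
    for verifier_id, claimed, tag in attestations:
        if verifier_id not in allowed or claimed != digest:
            continue
        expected = hmac.new(keys[verifier_id], digest.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            approved.add(verifier_id)  # set: repeats from one verifier count once
    return len(approved) >= threshold

def audit_config(allowed, threshold):
    """Flag configurations where one verifier alone can authorise a release."""
    findings = []
    if threshold < 2:
        findings.append("threshold below 2: one valid signature releases assets")
    if len(set(allowed)) < 2:
        findings.append("fewer than 2 distinct verifiers configured")
    if threshold > len(set(allowed)):
        findings.append("threshold exceeds verifier count: releases can never pass")
    return findings

# Constructed scenario: dvn-a was fed manipulated data and attests a message
# that never existed on the source chain; dvn-b and dvn-c do not attest it.
FORGED = b"constructed: release 116500 rsETH"
forged_attestations = [attest("dvn-a", FORGED), attest("dvn-a", FORGED)]

single = may_release(FORGED, forged_attestations, {"dvn-a"}, 1)  # 1-of-1 config
quorum = may_release(FORGED, forged_attestations, {"dvn-a", "dvn-b", "dvn-c"}, 2)
```
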

Following the incident, LayerZero Labs announced adjustments to its security strategy. These include no longer allowing its own DVN to act as the sole signing party in a single-verifier configuration, rebuilding the affected cloud infrastructure, and introducing short-term credentials, instant permission upgrades, and multi-party approval mechanisms to strengthen security. Additionally, zeroShadow and law enforcement agencies are now involved in the investigation and asset tracking. LayerZero stated that it will continue to collaborate with ecosystem partners to enhance the cross-chain security framework in response to increasingly sophisticated nation-state-level attack threats.