Lazarus suspected in $293 million KelpDAO hack
Attack on the restaking protocol set off a domino effect across DeFi and triggered massive liquidity outflows
20.04.2026 - 10:10
Key points:
- KelpDAO lost approximately $293 million in an attack targeting rsETH.
- North Korea’s Lazarus group is suspected of being behind the hack.
- The incident spilled over to Aave and triggered nearly $8 billion in TVL losses.
On April 18, 2026, liquid restaking protocol KelpDAO suffered a major attack, with roughly $293 million in rsETH tokens drained. The team detected suspicious cross-chain activity and quickly paused the rsETH smart contracts on Ethereum mainnet and several L2 networks to limit the damage and launch an investigation.
Early estimates suggest the attack was carried out by a highly organized group linked to North Korea — specifically Lazarus and its TraderTraitor subgroup. However, the developers stressed that the incident was isolated and related to a specific rsETH configuration, not a vulnerability in the core protocol.
How the attack happened and its consequences
The attack targeted the rsETH contract. The attacker gained control over transaction verification by compromising the RPC infrastructure used in the verification system. This allowed fake transactions to be validated as legitimate. A key factor was the protocol’s 1/1 DVN (single validator) architecture, which created a single point of failure. Using multiple independent validators could have prevented the exploit.
According to Cyvers, around $250 million of the stolen funds have already been converted to ETH, with some assets routed through mixers like Tornado Cash to obscure the trail. Tracking efforts and coordination with law enforcement are ongoing.
The incident quickly spread to other protocols. The hacker used the stolen rsETH as collateral on Aave to borrow liquidity, creating roughly $195 million in bad debt.
In response, users rushed to withdraw funds: Aave’s TVL dropped by about $8 billion — from $26.4 billion down to $18.6 billion. Stablecoin pools became fully utilized, restricting withdrawals. Several protocols, including Aave, Curve, and Ethena, temporarily paused operations involving rsETH or the affected bridge infrastructure.
LayerZero developers stated that the protocol’s core architecture was not compromised. The issue stemmed from incorrect configuration on the integration side.
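The single-verifier weakness described above, modelled as an added example (not KelpDAO or LayerZero code; the verifier names, RPC labels and message hashes are constructed). It shows a forged message passing a 1/1 setup whose RPC is compromised, failing a 2-of-3 quorum, and passing again when two quorum members share the compromised RPC and are counted separately.

```python
# Added example: toy model of M-of-N cross-chain message verification.
# Names and sample values are constructed; not LayerZero or KelpDAO code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc: str  # RPC endpoint this verifier reads the source chain through

def observed(v, msg, chain, bad_rpcs, forged):
    """A verifier reports chain truth, unless its RPC is compromised and
    vouches for a forged message as well."""
    return msg in chain or (v.rpc in bad_rpcs and msg in forged)

def accept(msg, verifiers, threshold, chain, bad_rpcs=frozenset(),
           forged=frozenset(), dedupe_rpc=True):
    """Accept when `threshold` confirmations arrive. With dedupe_rpc,
    verifiers behind the same RPC endpoint count as one confirmation."""
    confirming = [v for v in verifiers
                  if observed(v, msg, chain, bad_rpcs, forged)]
    if dedupe_rpc:
        return len({v.rpc for v in confirming}) >= threshold
    return len(confirming) >= threshold

def audit(verifiers, threshold):
    """Flag verifier-set configurations with a single point of failure."""
    findings = []
    distinct_rpcs = len({v.rpc for v in verifiers})
    if threshold < 2:
        findings.append("single verifier can approve a message")
    if distinct_rpcs < len(verifiers):
        findings.append("verifiers share an RPC endpoint")
    if threshold > distinct_rpcs:
        findings.append("threshold exceeds independent RPC endpoints")
    return findings

# Constructed sample data.
CHAIN = {"0xaaa"}    # message really sent on the source chain
FORGED = {"0xbad"}   # message that was never sent
BAD = {"rpc-1"}      # compromised RPC endpoint
ONE_OF_ONE = [Verifier("dvn-a", "rpc-1")]
TWO_OF_THREE = [Verifier("dvn-a", "rpc-1"), Verifier("dvn-b", "rpc-2"),
                Verifier("dvn-c", "rpc-3")]
SHARED_RPC = [Verifier("dvn-a", "rpc-1"), Verifier("dvn-b", "rpc-1"),
              Verifier("dvn-c", "rpc-3")]

if __name__ == "__main__":
    for label, vs, t in [("1/1", ONE_OF_ONE, 1), ("2/3", TWO_OF_THREE, 2),
                         ("2/3 shared RPC", SHARED_RPC, 2)]:
        print(label, accept("0xbad", vs, t, CHAIN, BAD, FORGED), audit(vs, t))
```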