Apr 20 / Latest News

North Korean Hackers Linked to $290 Million Crypto Heist Targeting Kelp and LayerZero

A massive cryptocurrency theft over the weekend has been attributed to North Korean hackers, marking one of the largest digital heists of the year and sending shockwaves through the industry. Nearly $300 million in assets vanished on Saturday after blockchain security firms detected $290 million flowing out of the crypto platform Kelp. The company quickly confirmed the breach and halted operations while investigators worked to understand what happened.

Early analysis traced the incident to LayerZero, a major cryptocurrency infrastructure developer whose messaging tools allow decentralized applications to communicate and transfer assets. In a detailed post‑mortem published Monday, LayerZero said preliminary indicators point to TraderTraitor, a notorious hacking unit within North Korea’s Lazarus Group, as the likely culprit behind the sophisticated attack.

LayerZero insisted the breach was isolated to Kelp and blamed the incident on the platform’s configuration. The company operates Decentralized Verifier Networks—independent entities that validate messages across blockchains—and said it has repeatedly warned integrators not to rely on a single verifier. Kelp, however, used LayerZero as the sole verifier for rsETH, a token that allows users to deposit Ether and earn yield. According to LayerZero, this single‑point‑of‑failure setup allowed attackers to forge messages without any independent system to catch the manipulation.
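To make the single-verifier problem concrete, here is an added, constructed Python simulation (not code from LayerZero, Kelp or this article) of a receiver that accepts a cross-chain mint message only once a required number of independent verifiers attest to it; the verifier names, message fields and the "one verifier is compromised" assumption are all illustrative.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    """A constructed cross-chain message: 'mint amount_wei of rsETH to receiver'."""
    nonce: int
    receiver: str
    amount_wei: int


@dataclass
class Verifier:
    """One DVN. An honest verifier only attests to messages it actually observed
    being emitted on the source chain; a compromised one attests to anything."""
    name: str
    compromised: bool = False
    observed: set = field(default_factory=set)

    def attest(self, msg: Message) -> bool:
        return self.compromised or msg in self.observed


@dataclass
class SecurityConfig:
    verifiers: list   # the DVNs the receiving application trusts
    required: int     # how many distinct attestations it demands


def message_accepted(cfg: SecurityConfig, msg: Message) -> bool:
    """Accept a message only if at least `required` verifiers attest to it."""
    count = sum(1 for v in cfg.verifiers if v.attest(msg))
    return count >= cfg.required


def run_scenario() -> dict:
    """Compare a single-DVN config with a 2-of-2 config against the same forged
    mint, for which no matching deposit was ever emitted on the source chain."""
    dvn_a = Verifier("dvn-a", compromised=True)  # assumption: this DVN is breached
    dvn_b = Verifier("dvn-b")                     # independent, honest verifier
    real = Message(nonce=1, receiver="0xuser", amount_wei=10**18)
    forged = Message(nonce=2, receiver="0xmallory", amount_wei=10**22)
    dvn_a.observed.add(real)
    dvn_b.observed.add(real)  # only the genuine deposit was seen on-chain
    single = SecurityConfig([dvn_a], required=1)          # the weak setup
    quorum = SecurityConfig([dvn_a, dvn_b], required=2)   # no single point of failure
    return {
        "single_real": message_accepted(single, real),
        "single_forged": message_accepted(single, forged),
        "quorum_real": message_accepted(quorum, real),
        "quorum_forged": message_accepted(quorum, forged),
    }
```

With one verifier the forged mint is indistinguishable from a real one; requiring a second, independent attestation rejects it while still passing the genuine message.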

Investigators say the hackers breached LayerZero systems and generated large amounts of rsETH without depositing any real Ether, effectively minting counterfeit assets. They then used the fake tokens as collateral across other platforms to borrow genuine Ether and U.S. dollar‑pegged stablecoins. LayerZero said the attackers “manipulated or poisoned” downstream infrastructure and used tactics that evaded monitoring tools. To complete the heist, the group launched a DDoS attack on backup systems that might have stopped the theft, using tools designed to self‑destruct afterward.

Kelp disputed LayerZero’s account in comments to CoinDesk, arguing that the company’s own post‑mortem acknowledges a compromise of LayerZero servers rather than Kelp’s. They also noted that roughly 40% of LayerZero customers use a single‑DVN setup and that the company had never raised concerns about it. LayerZero said it is now contacting all customers who rely on a single verifier and will no longer approve messages from applications configured that way. Law enforcement is involved in the investigation, and LayerZero maintains its systems “functioned exactly as intended.”

Aave, one of the platforms where the attackers used the fraudulent rsETH to secure loans, confirmed the incident and said it is evaluating potential responses. Thousands of users have attempted to withdraw funds, with some reporting difficulty accessing their assets. Neither Kelp, LayerZero, nor Aave responded to requests for comment.

If confirmed, the $290 million theft would be the latest in a string of major crypto robberies linked to North Korea. Just three weeks ago, alleged North Korean hackers stole a similar amount from the Drift platform. U.S. officials and United Nations investigators say Pyongyang has spent more than five years conducting an unprecedented campaign against the global crypto industry, stealing billions to fund its weapons programs. The country is believed to have taken more than $2 billion in 2025 alone and roughly $3 billion between 2017 and 2023.