How Lazarus Group Hijacked $290 Million from KelpDAO via RPC Poisoning and DDoS
In April 2026, the DeFi liquid staking protocol KelpDAO lost roughly $290 million worth of rsETH after a sophisticated attack by the Lazarus Group that combined RPC node poisoning with a DDoS on the LayerZero Decentralized Verifier Network, prompting emergency measures across major lending platforms.
Core Facts
Loss scale : ~116,500 rsETH (~$293 million at the time).
Fund flow : Stolen tokens sent through mixers such as Tornado Cash.
Timing : Attack occurred before 18 April 2026; KelpDAO announced “suspicious cross‑chain activity” that day.
KelpDAO operates on Ethereum, accepting ETH deposits, restaking them, and issuing liquid rsETH tokens that earn yield across chains via LayerZero’s cross‑chain protocol.
Attack Technique: RPC Node Poisoning + DDoS
Target : The Decentralized Verifier Network (DVN) that validates LayerZero cross‑chain messages for rsETH.
Execution :
Compromised several of the RPC nodes the DVN relied on for source‑chain data and served poisoned blockchain state from them to the verifiers.
Simultaneously launched a DDoS attack against the remaining healthy RPC nodes, so that the DVN failed over to the poisoned nodes as its only reachable source of truth.
The verifier accepted a fabricated cross‑chain message that had never occurred on the source chain, authorising rsETH transfers that no deposit backed.
Complexity : The attack exploited the verifier's trust in RPC responses as ground truth rather than a flaw in the rsETH contracts themselves, a supply‑chain style attack on verification infrastructure that LayerZero described as requiring nation‑state level resources.
KelpDAO responded by pausing the rsETH contract on Ethereum mainnet and all Layer 2s and began a joint investigation with LayerZero and Unichain.
Attribution to Lazarus Group
LayerZero’s analysis (20 April 2026) linked the technical fingerprints to Lazarus Group’s “TraderTraitor” sub‑team. Prior involvement includes the 2025 $280 million Drift Protocol theft, which involved long‑term planning, offline infiltration, and multi‑million‑dollar upfront funding.
Historical association : Lazarus has previously been linked to large‑scale DeFi thefts.
Current evidence : Attack complexity, high‑value target, and laundering path match Lazarus’s known tactics.
Intelligence assessment : Multiple security firms label the actor as a “highly mature state‑level entity,” with Lazarus as the most probable culprit.
Industry Reaction and Containment
Aave intervention : Froze rsETH as collateral, disallowing new deposits of rsETH or new borrowing against it.
Containment : Breach limited to rsETH, preventing broader DeFi contagion.
Project statement : KelpDAO pledged full cooperation with investigations.
Implications for Cross‑Chain DeFi Security
Cross‑chain verification layers are high‑value attack surfaces; weaknesses in DVN or RPC infrastructure, rather than in the token contracts they protect, are enough to attract nation‑state actors.
Lazarus’s tactics have evolved from direct smart‑contract exploits to combined RPC poisoning and DDoS, indicating increased investment in on‑chain intelligence and in infiltrating the off‑chain infrastructure that protocols trust.
Because rsETH is accepted as collateral by Aave, Compound and others, a compromised verifier for one asset can expose every protocol that lists it.
References:
https://x.com/LayerZero_Core/status/2046081551574983137
https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/