Major Crypto Heist: Understanding the $290 Million LayerZero Attack by North Korean Hackers
The Shocking Discovery That Rocked the DeFi World
The cryptocurrency world was dealt a serious blow in April 2025 when LayerZero, a protocol that helps different blockchains communicate with each other, revealed that North Korean hackers had stolen a staggering $290 million from Kelp DAO. This wasn’t just another crypto hack—it was a wake-up call that showed how vulnerable even the most sophisticated financial systems can be when nation-state hackers set their sights on them. The announcement came through LayerZero’s social media on April 10th, and it immediately sent shockwaves through the decentralized finance community. What made this attack particularly alarming was that the hackers, identified as the infamous Lazarus Group, didn’t exploit a simple bug in the code. Instead, they orchestrated a highly sophisticated attack on the underlying infrastructure that keeps these cross-chain systems running. This incident has forced everyone in the crypto space to take a hard look at how we protect the bridges that connect different blockchain networks, and whether we’ve been leaving the back door unlocked while focusing too much on fortifying the front entrance.
How the Hackers Pulled Off This Digital Heist
Understanding how this attack actually worked requires looking at the clever, multi-step approach the Lazarus Group used. Think of LayerZero as a translator that helps different blockchains speak to each other. To make sure these translations are accurate and trustworthy, LayerZero uses something called a Decentralized Verification Network, or DVN for short. This network relies on nodes—essentially specialized computers—that run something called Remote Procedure Call (RPC) software to verify that transactions are legitimate. The hackers’ strategy was brilliant in its execution. First, they quietly broke into two of these independent RPC nodes. Once inside, they didn’t just steal information—they replaced the legitimate software running on these nodes with their own malicious versions. These corrupted programs looked normal from the outside but were designed to intercept and manipulate the transaction data flowing through them. But the hackers faced a problem: there were still other legitimate nodes operating normally that could potentially catch their fraud. Their solution? Launch a massive distributed denial-of-service attack—essentially flooding these honest nodes with so much junk traffic that they couldn’t function properly. With the legitimate nodes overwhelmed and knocked offline, the entire system had no choice but to rely on the compromised nodes. At that point, the hackers had the keys to the kingdom, authorizing fraudulent transactions that drained Kelp DAO’s liquid staking tokens right out of the system.
The Devastating Financial Impact and What Went Wrong
The consequences of this infrastructure breach were immediate and brutal for Kelp DAO. Approximately $290 million worth of rsETH—that’s Kelp’s liquid staking token representing staked Ethereum from various protocols—vanished from the DAO’s contracts in what felt like the blink of an eye. The sudden theft created panic in the markets, triggering waves of sell-offs on decentralized exchanges and causing wild price swings that affected not just rsETH but rippled through related tokens as well. When LayerZero’s security team conducted their post-mortem analysis, they discovered a crucial mistake in how Kelp DAO had configured their security settings. LayerZero had actually recommended that Kelp DAO use multiple validators—a setup that would require several independent verification networks to all agree before approving transactions. This redundancy creates a safety net where even if one validator is compromised, the others can catch the fraud. Unfortunately, Kelp DAO had chosen to operate with just a single validator for their rsETH operations, presumably to save on costs or simplify their setup. This decision created what security experts call a “single point of failure”—one weak link that, when broken, brought down the entire security system. LayerZero was quick to emphasize that this vulnerability was specific to how Kelp DAO had configured their particular application, and that no other projects using the LayerZero network were affected by this attack, but the damage to confidence in cross-chain security was already done.
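The two preceding sections describe the attack shape (tampered RPC nodes feeding a verifier, honest nodes silenced by DDoS) and the configuration mistake (a single verifier where several independent ones were recommended). The simulation below is an added example, not code from LayerZero, Kelp DAO or the article; the RPC pool, the failover-versus-quorum rule inside the verifier, the required-DVN rule on the destination side, and all payloads and names are constructed assumptions. It runs the same attack conditions against the weak setting and against two hardened settings so the difference in outcome is visible rather than described.

```python
"""Simplified model of cross-chain message verification.

Constructed example: RPC endpoints feed a verifier (DVN), and the destination
application decides which DVNs must agree before a message executes. All names,
payloads and the quorum logic are assumptions for illustration, not LayerZero's
or Kelp DAO's actual code or configuration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample messages: what the source chain really emitted, and what
# a tampered RPC node reports instead.
CANONICAL_PAYLOAD = b"mint 100 rsETH to 0xUSER"        # constructed
FORGED_PAYLOAD = b"mint 100000 rsETH to 0xATTACKER"    # constructed


def payload_hash(payload: bytes) -> str:
    """What a DVN attests to: a digest of the message it observed on the source chain."""
    return hashlib.sha256(payload).hexdigest()


@dataclass
class RpcNode:
    """One RPC endpoint a DVN queries for source-chain state."""
    name: str
    online: bool = True         # False models a node knocked offline by DDoS
    compromised: bool = False   # True models a node running tampered software

    def get_payload(self, msg_id: str) -> Optional[bytes]:
        if not self.online:
            return None         # request times out
        return FORGED_PAYLOAD if self.compromised else CANONICAL_PAYLOAD


@dataclass
class Dvn:
    """A verifier that reads the source chain through a pool of RPC endpoints.

    quorum=None: failover mode, sign whatever the first responding endpoint says.
    quorum=k:    sign only if at least k of *all configured* endpoints agree, so
                 endpoints silenced by DDoS count against the attacker, not for him.
    """
    name: str
    rpcs: List[RpcNode]
    quorum: Optional[int] = None

    def verify(self, msg_id: str) -> Optional[str]:
        live = [a for a in (r.get_payload(msg_id) for r in self.rpcs) if a is not None]
        if not live:
            return None                     # no view of the chain: refuse to attest
        if self.quorum is None:
            return payload_hash(live[0])    # failover: trust the first answer
        majority = max(set(live), key=live.count)
        return payload_hash(majority) if live.count(majority) >= self.quorum else None


def destination_accepts(required: List[Dvn], optional: List[Dvn], threshold: int,
                        msg_id: str, claimed_payload: bytes) -> bool:
    """Destination-side rule: every required DVN and at least `threshold` optional
    DVNs must have attested the same digest as the payload being executed."""
    claimed = payload_hash(claimed_payload)
    if any(dvn.verify(msg_id) != claimed for dvn in required):
        return False
    return sum(1 for dvn in optional if dvn.verify(msg_id) == claimed) >= threshold


def run_scenarios() -> Dict[str, bool]:
    """Replay the attack conditions under the weak setting and two hardened ones."""
    msg = "msg-0001"  # constructed message id
    # Attack conditions: two tampered RPC nodes; the honest nodes in the same pool are offline.
    attacked_pool = [RpcNode("rpc-honest-1", online=False), RpcNode("rpc-honest-2", online=False),
                     RpcNode("rpc-bad-1", compromised=True), RpcNode("rpc-bad-2", compromised=True)]
    healthy_pool = [RpcNode("rpc-honest-1"), RpcNode("rpc-honest-2")]
    independent = [RpcNode("rpc-indep-1"), RpcNode("rpc-indep-2")]  # infrastructure the attacker did not reach

    single_failover = Dvn("dvn-A", attacked_pool)           # the weak setting
    single_quorum = Dvn("dvn-A", attacked_pool, quorum=3)   # same DVN, 3-of-4 endpoint quorum
    second_dvn = Dvn("dvn-B", independent)

    return {
        # No attack: the single-DVN setup works, which is why it looks adequate day to day.
        "baseline_canonical_accepted":
            destination_accepts([Dvn("dvn-A", healthy_pool)], [], 0, msg, CANONICAL_PAYLOAD),
        # One required DVN whose RPC layer fails over to whatever still answers: the forgery executes.
        "single_dvn_failover_forged_accepted":
            destination_accepts([single_failover], [], 0, msg, FORGED_PAYLOAD),
        # Same single DVN with an endpoint quorum: it refuses to attest, so nothing executes (fails closed).
        "single_dvn_quorum_forged_accepted":
            destination_accepts([single_quorum], [], 0, msg, FORGED_PAYLOAD),
        "single_dvn_quorum_canonical_accepted":
            destination_accepts([single_quorum], [], 0, msg, CANONICAL_PAYLOAD),
        # Two required DVNs: the independent one disagrees with the compromised one, so the forgery is rejected.
        "two_required_forged_accepted":
            destination_accepts([single_failover, second_dvn], [], 0, msg, FORGED_PAYLOAD),
        "two_required_canonical_accepted":
            destination_accepts([single_failover, second_dvn], [], 0, msg, CANONICAL_PAYLOAD),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:42s} {outcome}")
```

Two points are worth noting about the outcomes. Both hardened settings fail closed: under attack they stop the forged message but also stop legitimate ones, so the cost of redundancy shows up as lost liveness during an incident, not as lost funds. And the endpoint quorum counts agreement against the full configured set rather than against whoever happens to respond, which is what turns a DDoS on honest nodes from a lever for the attacker into a reason to halt.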
The Lazarus Group: North Korea’s Elite Cyber Army
The Lazarus Group isn’t your typical band of cybercriminals looking for a quick payday. This is a state-sponsored hacking operation, also known by the designation APT38, that operates as an arm of North Korea’s government, specifically linked to its intelligence services. Cybersecurity firms like Chainalysis and Mandiant have been tracking this group for years, documenting how they’ve become one of the primary methods North Korea uses to generate foreign currency and fund its weapons programs while evading international sanctions. What makes Lazarus particularly dangerous is how quickly they adapt and evolve their tactics. In the early days, they relied on relatively simple phishing attacks—tricking individuals into revealing passwords or private keys. But their sophistication has grown dramatically. The 2022 Ronin Bridge hack, which netted over $600 million, showed their ability to compromise validator private keys through social engineering and network infiltration. The 2023 Atomic Wallet attack demonstrated their capability to conduct supply chain compromises, inserting malicious code into software before it even reached users. This latest LayerZero attack represents yet another evolution in their playbook. Instead of targeting the application layer where most security focus has been placed, they went deeper into the infrastructure stack, targeting the RPC nodes that feed data to the blockchain systems. This shows an increasingly sophisticated understanding of blockchain architecture and suggests that future attacks may continue to probe these foundational layers that have received less security scrutiny than the smart contract code sitting on top of them.
The Broader Crisis Facing Cross-Chain Bridges
This attack has reignited urgent conversations about the fundamental security challenges facing cross-chain bridges—the protocols that allow assets to move between different blockchain networks. These bridges work by locking up your assets on one blockchain and then minting a representative token on another blockchain that you can use there. The problem is that these bridges have become massive honeypots, custodying billions of dollars worth of cryptocurrency and becoming irresistible targets for sophisticated hackers.

When you look at the history of major bridge hacks, a disturbing pattern emerges. The Ronin Bridge lost $625 million in 2022 when attackers compromised the private keys of validators who were supposed to be independent but turned out to have insufficient security separation. Wormhole lost $326 million the same year due to a flaw in how they verified signatures, allowing attackers to mint tokens without properly locking up the corresponding assets. Nomad Bridge lost $190 million through a bug that allowed malicious actors to reuse transaction approvals over and over. And now, the LayerZero/Kelp DAO incident has added $290 million to this growing list of losses.

What’s particularly concerning about this latest attack is that it moved the battlefield entirely. Previous hacks exploited bugs in the immutable smart contract code living on the blockchain itself. But this attack targeted the off-chain infrastructure—the servers, nodes, and traditional computing systems that feed information to those smart contracts. This means the problem exists in mutable, changeable systems that operate in traditional data centers rather than in the transparent, auditable code on the blockchain. The implication is clear: security audits that focus exclusively on smart contract code are no longer sufficient. The entire validation network, including the physical infrastructure, network security, and operational procedures of node operators, must be scrutinized with equal rigor.
What Happens Next: Response, Recovery, and Regulation
LayerZero’s response team didn’t waste time once they detected the unusual activity on their network. The compromised RPC nodes were immediately isolated from the network and replaced with clean systems, and normal service was restored within hours—a testament to their incident response preparation. But restoring service is only the beginning of the response. The much harder work involves trying to recover the stolen funds and prevent this from happening again.

LayerZero is now working closely with international law enforcement agencies, specialized blockchain intelligence firms like TRM Labs and Elliptic, and centralized cryptocurrency exchanges to trace the stolen assets as they move through the blockchain. This collaborative approach is essential because the Lazarus Group has proven extremely skilled at laundering stolen cryptocurrency. They typically use a complex series of transactions, running funds through privacy-focused mixing services like Tornado Cash, conducting multiple cross-chain swaps to obscure the trail, and eventually attempting to cash out through exchanges in jurisdictions with weak regulatory oversight. Every previous major hack has taught the industry new lessons about fund tracking and recovery, and authorities are getting better at freezing assets when they eventually touch a regulated exchange, but the Lazarus Group continues to successfully monetize a significant portion of their thefts.

Beyond the immediate response, this attack is likely to have significant regulatory implications. Lawmakers in the United States, European Union, and other major jurisdictions have been watching the growing bridge security crisis with increasing concern. This incident will almost certainly accelerate regulatory initiatives to impose mandatory security standards for cross-chain protocols, potentially including requirements for multi-validator setups, regular security audits, insurance reserves, and perhaps even licensing requirements for protocols that custody significant assets. There’s also likely to be increased scrutiny of DAOs and whether their current governance structures allow for sufficient accountability when security decisions lead to massive losses. The days of “code is law” and minimal regulatory oversight for DeFi protocols may be coming to an end as these incidents accumulate and affect more users.
Lessons Learned and the Path Forward for Crypto Security
The $290 million LayerZero hack attributed to the Lazarus Group represents a watershed moment for the DeFi industry. It demolishes the comfortable assumption that threats are primarily confined to smart contract vulnerabilities that can be caught through code audits and bug bounties. Instead, this attack has exposed the reality that the threat surface extends throughout the entire technology stack, from the application layer down through the infrastructure layer to the physical servers and network connections that make blockchain systems function.

While LayerZero has maintained that the core protocol itself remains fundamentally sound—and that this was specifically a configuration issue with how Kelp DAO implemented their application—the broader lesson is unmistakable: security is only as strong as its weakest link. Kelp DAO’s decision to operate with a single validator rather than implementing the recommended multi-validator setup created that weak link, and the Lazarus Group found it and exploited it with devastating efficiency.

For the broader cryptocurrency and DeFi industry, this incident serves as an urgent reminder that nation-state actors are continuously studying these systems, identifying new attack vectors, and refining their tactics. These aren’t opportunistic hackers taking advantage of obvious mistakes—they’re highly skilled, well-resourced teams conducting careful reconnaissance and executing sophisticated, multi-stage attacks. The ecosystem’s defense mechanisms must evolve even faster to stay ahead of these threats. This means expanding security thinking beyond smart contract audits to include infrastructure security, operational security, social engineering defenses, and Byzantine fault tolerance at every level. It means taking seriously the recommendations from protocol developers about security configurations rather than cutting corners to save costs. And it means the industry must embrace defense-in-depth strategies that assume any single security measure might fail and build in redundancy and resilience.

The ongoing investigation and fund-tracking efforts will be closely watched as a test case for whether international cooperation can effectively combat crypto-enabled cybercrime, especially when the perpetrators are state-sponsored actors operating from nations with minimal cooperation with Western law enforcement.