عاجل
RUПять туристов пропали во время сплава в Магаданской областиVNBác sĩ Việt Đức cứu sống người vỡ thực quản tự phát sau khi uống rượuCN小琉球交通船冒煙火花 遊客驚呼「燒起來了」KR일본 수입차 판매, 엔저 여파로 2년 만에 감소…전기차는 40% 급증RUГлава Федерации футбола Бразилии: Анчелотти останется до 2030 годаESDanilo Pereira analiza el Mundial y el Portugal-España: "España tiene una forma particular de conservar el balón"INHimachal Pradesh Apple Economy Faces Climate Crisis, Production Down 40%KR이스라엘 야당 정치인 부상…네타냐후 19년 집권 위협CN重庆江北国际机场上半年国际旅客吞吐量增长40% 国际中转服务持续优化KR경남도의회 전반기 의장에 박준 당선…민주당 보이콧 속 원구성 난항 예상RUПять туристов пропали во время сплава в Магаданской областиVNBác sĩ Việt Đức cứu sống người vỡ thực quản tự phát sau khi uống rượuCN小琉球交通船冒煙火花 遊客驚呼「燒起來了」KR일본 수입차 판매, 엔저 여파로 2년 만에 감소…전기차는 40% 급증RUГлава Федерации футбола Бразилии: Анчелотти останется до 2030 годаESDanilo Pereira analiza el Mundial y el Portugal-España: "España tiene una forma particular de conservar el balón"INHimachal Pradesh Apple Economy Faces Climate Crisis, Production Down 40%KR이스라엘 야당 정치인 부상…네타냐후 19년 집권 위협CN重庆江北国际机场上半年国际旅客吞吐量增长40% 国际中转服务持续优化KR경남도의회 전반기 의장에 박준 당선…민주당 보이콧 속 원구성 난항 예상
Newsgather
Back$292M KelpDAO Bridge Exploit Linked to North Korea's Lazarus Group
$292M KelpDAO Bridge Exploit Linked to North Korea's Lazarus Group
يتطور
Decrypt20.04.2026Crime2 dk okuma

$292M KelpDAO Bridge Exploit Linked to North Korea's Lazarus Group

Attackers drained 116,500 rsETH using single-verifier vulnerability, nearly stole additional $100M before blacklist activation

نظرة سريعة

  • LayerZero attributed the $292 million KelpDAO bridge exploit to North Korea's Lazarus Group's TraderTraitor subunit.
  • Attackers drained 116,500 rsETH on Saturday by exploiting a single-verifier architecture, nearly stealing an additional $100 million before being stopped.
  • The attack triggered $10 billion in withdrawals from Aave and exposed critical vulnerabilities in cross-chain bridge security.

ملخص مُنشأ بالذكاء الاصطناعي

لماذا يهم

KelpDAO is a liquid restaking protocol. The exploit used a single-verifier architecture that LayerZero had repeatedly warned against. This is the second major North Korean-linked crypto exploit in weeks, following the $285 million Drift hack.

حجم الخط

The exploit that drained roughly $292 million from KelpDAO's cross-chain bridge over the weekend was "likely" the work of North Korea's Lazarus Group, specifically its TraderTraitor subunit, LayerZero said in a preliminary analysis on Monday. Attackers drained 116,500 rsETH, a liquid restaking token backed by staked ether, from the KelpDAO bridge on Saturday, setting off withdrawals across the decentralized finance sector that pulled more than $10 billion out of lending protocol Aave. The attack carried the markings of "a highly-sophisticated state actor, likely DPRK's Lazarus Group," LayerZero said, specifying the group's TraderTraitor subunit. North Korea's cyber operations run under the Reconnaissance General Bureau, which houses several distinct units, including TraderTraitor, AppleJeus, APT38, and DangerousPassword, according to an analysis by Paradigm researcher Samczsun. Among these subunits, TraderTraitor has been flagged as the most sophisticated DPRK actor targeting crypto, previously linked to the Axie Infinity Ronin Bridge and WazirX compromises. LayerZero said that KelpDAO had used a single verifier to approve transfers in and out of the bridge, adding that it had repeatedly urged KelpDAO to use multiple verifiers instead. Going forward, LayerZero said it will stop approving messages for any application still running that setup. Observers say the exploit exposed how the bridge was built to trust a single verifier. It was "a single point of failure, regardless of what the marketing calls it," Shalev Keren, co-founder at cryptographic security firm Sodot, told Decrypt. A single compromised checkpoint was enough to allow the funds to leave the bridge, and no audit or security review could have fixed that flaw without "removing unilateral trust from the architecture itself," Keren said. That view was echoed by Haoze Qiu, Blockchain Lead at Grvt, who argued that, "Kelp DAO appears to have accepted a bridge security setup with too little redundancy for an asset of this scale," adding that LayerZero "also has accountability" given that "the compromise involved infrastructure tied to its validator stack, even if this was not described as a core protocol bug." The attackers came within three minutes of draining another $100 million before a rapid blacklist cut them off, according to an analysis by blockchain security firm Cyvers. The operation was based on tricking a single channel of communication, Cyvers CTO Meir Dolev told Decrypt. Attackers tapped two of the lines the verifier used to check whether a withdrawal had actually occurred on Unichain, fed it a fake "yes" on those lines, then knocked the remaining lines offline to force the verifier to rely on the compromised ones. "The vault was fine. The guard was honest. The door mechanism worked correctly," Dolev said. "The lie was whispered directly to the one party whose word opened the door." But while LayerZero, whose infrastructure powered the drained bridge, pointed to Lazarus as the likely culprit, Cyvers stopped short of the same attribution in its own analysis. Some patterns match DPRK-linked operations in sophistication, scale, and coordinated execution, Dolev said, but no wallet clustering tied to the group has been confirmed. The malicious node software was engineered to erase itself once the attack finished, wiping binaries and logs to obscure the attackers' trail in real time and in the post-mortem, he added. Earlier this month, attackers drained roughly $285 million from Solana-based perpetuals protocol Drift, in an exploit later attributed to North Korean operatives. Dolev noted that the Drift hack was "very different in terms of the preparations and execution," but both attacks required long lead times, deep expertise, and significant resources to pull off.

ما الذي يجب مراقبته

توقعات الذكاء الاصطناعي — احتمالات وليست حقائق

  • LayerZero will enforce multi-verifier requirements for all connected applications

    مرجح جداً · خلال أسابيع

  • Regulatory scrutiny of cross-chain bridge security will increase

    مرجح · خلال أشهر

  • DeFi protocols will accelerate migration to multi-sig security architectures

    مرجح · خلال أشهر

أسئلة مفتوحة

  • How did attackers compromise the verifier communication channel?
  • What specific vulnerabilities in LayerZero's infrastructure were exploited?
  • Will KelpDAO recover any of the stolen funds?

مواضيع ذات صلة

This article was originally published by Decrypt.

أخبار ذات صلة

Belgian Authorities Arrest Suspect in Major European Phishing and Money Laundering Network
يتطور·2 g önce

Belgian Authorities Arrest Suspect in Major European Phishing and Money Laundering Network

Belgian police arrested a 19-year-old suspected of leading a phishing and money-laundering network that stole over €500,000 using fake government emails. The suspect was found in an Airbnb in Antwerp, where a second individual was also apprehended. The investigation highlights crypto's role in laundering illicit funds and the broader threat of phishing to crypto investors.

Cointelegraph
المزيد حول هذا الموضوعkelpdao