
North Korea’s Lazarus Group exploited a single-verifier LayerZero setup to drain $290M in rsETH on April 18 by compromising RPC infrastructure and poisoning the bridge’s data feeds.
On April 18, 2026, North Korea’s Lazarus Group (TraderTraitor unit) executed a $290M theft from KelpDAO’s rsETH bridge by compromising two LayerZero RPC nodes that feed data to the protocol’s verifier. The attacker hacked the nodes, deployed malware to feed false transaction data exclusively to LayerZero’s verifier while maintaining honest responses to monitoring systems, then DDoS’d legitimate RPC endpoints to force the verifier to rely on the poisoned nodes. Once the verifier signed off on a fabricated transaction, the bridge released $290M in unbacked rsETH before the malware self-destructed and deleted all traces.
LayerZero Labs confirmed KelpDAO used a 1-of-1 DVN (Decentralized Verifier Network) setup—a single point of failure the protocol had repeatedly warned against—limiting contagion to KelpDAO’s bridge with no reported impact on other assets. Security researchers noted the attack vector raises unanswered questions about how the attacker obtained the RPC node list and achieved root-level access to production infrastructure, suggesting either a prior unreported LayerZero compromise, a breached deployment pipeline, or insider access rather than a Kelp-side misconfiguration.
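The 1-of-1 versus M-of-N distinction above, as an added example (not LayerZero's or KelpDAO's code): a threshold check over verifier attestations that shows why one poisoned data feed is enough under a single verifier and is outvoted, and flagged, under a quorum. The verifier names, the hashing scheme and the message fields are constructed assumptions.

```python
import hashlib
from collections import Counter

def payload_hash(src_chain: str, nonce: int, payload: bytes) -> str:
    """Digest a verifier attests to for one cross-chain message (assumed scheme)."""
    return hashlib.sha256(f"{src_chain}:{nonce}:".encode() + payload).hexdigest()

def accept_message(attestations: dict, required: int):
    """Return the hash that exactly one group of >= `required` verifiers agrees on.

    attestations maps verifier id -> hash derived from that verifier's own RPC view.
    Returns None when no hash reaches the threshold or two conflicting hashes both do.
    """
    if required < 1:
        return None
    counts = Counter(attestations.values())
    winners = [h for h, c in counts.items() if c >= required]
    return winners[0] if len(winners) == 1 else None

def divergent_verifiers(attestations: dict) -> list:
    """Verifiers whose view differs from the most common one: an alerting signal."""
    if not attestations:
        return []
    majority, _ = Counter(attestations.values()).most_common(1)[0]
    return sorted(v for v, h in attestations.items() if h != majority)

# Constructed sample data: what the source chain really holds vs. a poisoned feed.
HONEST = payload_hash("ethereum", 42, b"release:0")
FORGED = payload_hash("ethereum", 42, b"release:290000000")

# 1-of-1: the only verifier reads from the poisoned feed, nothing can contradict it.
SINGLE = {"dvn-a": FORGED}
# 2-of-3: the same poisoned verifier plus two with independent RPC sources.
QUORUM = {"dvn-a": FORGED, "dvn-b": HONEST, "dvn-c": HONEST}

if __name__ == "__main__":
    print("1-of-1 accepts forged:", accept_message(SINGLE, 1) == FORGED)
    print("2-of-3 accepts honest:", accept_message(QUORUM, 2) == HONEST)
    print("3-of-3 blocks on disagreement:", accept_message(QUORUM, 3) is None)
    print("divergent verifiers:", divergent_verifiers(QUORUM))
```

The quorum only helps when the verifiers draw on independent RPC sources; verifiers sharing the same poisoned nodes would agree on the forged hash.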
Sources: LayerZero
This article was generated automatically by The Defiant’s AI news system from publicly available sources.