Executive Summary
In April 2026, KelpDAO, a decentralized finance (DeFi) platform, suffered a significant security breach resulting in the theft of approximately $290 million worth of rsETH tokens. The attackers exploited vulnerabilities in KelpDAO's cross-chain bridge, specifically targeting the verification layer by compromising remote procedure call (RPC) nodes. This manipulation allowed them to forge cross-chain messages and illicitly transfer funds. Preliminary investigations attribute the attack to North Korea's state-sponsored Lazarus Group, known for sophisticated cyber operations targeting financial institutions.
This incident underscores the critical importance of robust security configurations in DeFi platforms, particularly concerning cross-chain interoperability. The reliance on a single-verifier setup without redundancy exposed KelpDAO to this exploit. As DeFi continues to evolve, ensuring multi-layered security measures and adhering to best practices in system architecture are imperative to mitigate such risks.
Why This Matters Now
The KelpDAO breach highlights the urgent need for DeFi platforms to implement multi-verifier configurations and enhance cross-chain security protocols to prevent similar sophisticated attacks.
Attack Path Analysis
The attackers compromised KelpDAO's RPC nodes, feeding falsified data to the verifier and DDoS-ing healthy nodes to force reliance on the compromised ones. This allowed them to escalate privileges by forging cross-chain messages, enabling unauthorized transactions. They moved laterally by exploiting the single-verifier setup, facilitating further unauthorized actions. Command and control were maintained through the compromised infrastructure, allowing continuous manipulation of the system. Exfiltration occurred as the attackers transferred 116,500 rsETH, valued at approximately $290 million, through Tornado Cash to obscure the trail. The impact was a significant financial loss and disruption to KelpDAO's operations.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised KelpDAO's RPC nodes, feeding falsified data to the verifier and DDoS-ing healthy nodes to force reliance on the compromised ones.
MITRE ATT&CK® Techniques
- Valid Accounts
- Network Denial of Service
- Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
- Application Layer Protocol: Web Protocols
- Data Manipulation: Stored Data Manipulation
- Application Layer Protocol: DNS
- Application Layer Protocol: File Transfer Protocols
- Application Layer Protocol: Mail Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Change Control Processes (Control ID: 6.4.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Network and Environment Segmentation (Control ID: 3.1)
- NIS2 Directive – Security Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
State-sponsored APT groups like Lazarus target DeFi protocols through sophisticated cross-chain attacks, requiring enhanced encrypted traffic monitoring and egress security controls.
Capital Markets/Hedge Fund/Private Equity
$290 million crypto heist demonstrates vulnerability to blockchain verification layer compromises, necessitating zero trust segmentation and multicloud visibility for digital asset protection.
Computer/Network Security
Advanced RPC node compromise and DDoS tactics by DPRK actors highlight need for threat detection capabilities and secure hybrid connectivity solutions.
Investment Banking/Venture
Sophisticated six-month social engineering operations targeting crypto investments require enhanced anomaly detection and egress policy enforcement against state-sponsored threats.
Sources
- KelpDAO suffers $290 million heist tied to Lazarus hackers: https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/ [Verified]
- LayerZero Blames Lazarus for $290M KelpDAO Hack, Cites Single-Point Design: https://www.banklesstimes.com/articles/2026/04/20/layerzero-blames-lazarus-for-290m-kelpdao-hack-cites-single-point-design/ [Verified]
- LayerZero Post Mortem Shows Lazarus Group Stole $290M From KelpDAO via RPC Node Compromise: https://thedefiant.io/news/hacks/lazarus-kelpdao-290m-layerzero-rpc-hack-da50p3 [Verified]
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit implicit trust within KelpDAO's cloud infrastructure, thereby reducing the blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to inject falsified data into the verifier would likely be constrained, reducing the effectiveness of the initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through forged messages would likely be constrained, reducing the scope of unauthorized transactions.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the system would likely be constrained, reducing the reach of unauthorized actions.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain control through compromised infrastructure would likely be constrained, reducing continuous system manipulation.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate large sums through anonymizing services would likely be constrained, reducing the success of data theft.
The financial loss and operational disruption would likely be reduced, limiting the overall impact of the breach.
Impact at a Glance
Affected Business Functions
- Asset Management
- User Fund Security
- Cross-Chain Transactions
Estimated downtime: 7 days
Estimated loss: $290,000,000
No sensitive data exposure reported; the incident primarily involved unauthorized asset transfers.
Recommended Actions
Key Takeaways & Next Steps
- Implement a multi-verifier setup to eliminate single points of failure.
- Enhance monitoring and anomaly detection to identify and respond to DDoS attacks promptly.
- Strengthen access controls and regularly audit RPC nodes to prevent unauthorized access.
- Utilize encrypted traffic solutions to secure data in transit and prevent data manipulation.
- Establish comprehensive incident response plans to mitigate the impact of potential breaches.
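The following is an added example, not code from KelpDAO, LayerZero or Aviatrix, that models the failure mode described in the attack path and the first takeaway above. It contrasts a verifier that fails over to whichever RPC node still answers (so a DDoS on the honest nodes steers it to a compromised one) with a verifier that requires agreement from a quorum of independently operated nodes and fails closed when the quorum cannot be reached. The message fields, the RPC call shape, the operator names and the `threshold` parameter are all constructed for illustration and do not reflect any real bridge's wire format.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example (not KelpDAO, LayerZero or Aviatrix code). All message fields, RPC
# behaviour and operator names below are assumptions constructed for illustration.

Key = Tuple[str, int]  # (source chain, message nonce)


def message_digest(msg: dict) -> str:
    """Canonical SHA-256 over the message fields (stand-in for a real commitment hash)."""
    canonical = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class RpcUnavailable(Exception):
    """The node did not answer; here this simulates a node knocked offline by DDoS."""


@dataclass
class RpcNode:
    operator: str
    ledger: Dict[Key, str] = field(default_factory=dict)  # what the node claims was committed
    online: bool = True

    def committed_digest(self, key: Key) -> Optional[str]:
        if not self.online:
            raise RpcUnavailable(self.operator)
        return self.ledger.get(key)


def first_responder_verify(msg: dict, nodes: List[RpcNode]) -> bool:
    """Vulnerable pattern: fail over on outage, and let the first node that answers decide."""
    key = (msg["src_chain"], msg["nonce"])
    want = message_digest(msg)
    for node in nodes:
        try:
            return node.committed_digest(key) == want
        except RpcUnavailable:
            continue  # try the next node; a DDoS on the honest ones steers us to the rest
    return False


def quorum_verify(msg: dict, nodes: List[RpcNode], threshold: int) -> Tuple[bool, str]:
    """Hardened pattern: accept only if `threshold` distinct operators confirm the digest.

    Unavailable nodes never count towards the quorum, so an outage degrades to a
    rejection (fail closed) rather than to trust in whoever is left. Any dissenting
    node is reported so it can be alerted on and removed from the pool.
    """
    key = (msg["src_chain"], msg["nonce"])
    want = message_digest(msg)
    agreeing, dissenting, unavailable = set(), [], []
    for node in nodes:
        try:
            seen = node.committed_digest(key)
        except RpcUnavailable:
            unavailable.append(node.operator)
            continue
        if seen == want:
            agreeing.add(node.operator)  # a set: two nodes run by one operator count once
        else:
            dissenting.append(node.operator)
    if len(agreeing) < threshold:
        return False, f"quorum {len(agreeing)}/{threshold} not met; unavailable={unavailable}; dissenting={dissenting}"
    if dissenting:
        return True, f"accepted with dissent from {dissenting}: investigate those nodes"
    return True, "accepted"


# Constructed scenario: two honest operators and one compromised operator that serves
# a forged commitment for the same (chain, nonce) slot.
LEGIT = {"src_chain": "chain-a", "nonce": 7, "to": "0xuser", "amount": 1}
FORGED = {"src_chain": "chain-a", "nonce": 7, "to": "0xattacker", "amount": 116500}
KEY: Key = ("chain-a", 7)


def build_pool(honest_online: bool) -> List[RpcNode]:
    honest = {KEY: message_digest(LEGIT)}
    forged = {KEY: message_digest(FORGED)}
    return [
        RpcNode("operator-1", dict(honest), online=honest_online),
        RpcNode("operator-2", dict(honest), online=honest_online),
        RpcNode("operator-3", dict(forged)),  # compromised node, always answering
    ]


def scenario(honest_online: bool) -> dict:
    """Run both verifiers against the forged message with the honest nodes up or down."""
    pool = build_pool(honest_online)
    ok, reason = quorum_verify(FORGED, pool, threshold=2)
    return {
        "first_responder_accepts_forged": first_responder_verify(FORGED, pool),
        "quorum_accepts_forged": ok,
        "quorum_reason": reason,
    }


if __name__ == "__main__":
    print("honest nodes up:  ", scenario(True))
    print("honest nodes down:", scenario(False))
```

With the honest nodes up, both verifiers reject the forged message. Once the honest nodes are unreachable, the fail-over verifier accepts whatever the remaining compromised node says, which is the pattern the attack path describes; the quorum verifier instead rejects and reports which operators were unavailable, turning the outage into an alert rather than an approval. The legitimate message still passes the quorum check, and the compromised node shows up as a dissenter that can be pulled from the pool.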