LayerZero announces that the North Korean hacking group 'Lazarus' was involved in the KelpDAO hacking incident, which amounted to 50 billion yen.



LayerZero, which provided infrastructure to KelpDAO, has announced that 'it is highly likely that a North Korean hacking group carried out the attack' on KelpDAO, an Ethereum restaking platform, in which approximately $292 million (approximately 46.4 billion yen) worth of the cryptocurrency 'rsETH' was stolen.




KelpDAO is a service that allows users to deposit Ethereum to participate in network verification and receive a share of transaction fees through 'staking,' as well as to earn additional rewards by participating in verification of cryptocurrencies other than Ethereum through 'restaking.'

When you deposit Ethereum into KelpDAO, an equivalent amount of cryptocurrency called 'rsETH' is issued. By returning rsETH to KelpDAO, you can withdraw the deposited Ethereum and rewards, so rsETH had almost the same value as Ethereum.

LayerZero is a protocol that connects different blockchains. With LayerZero, the user first deposits and locks their cryptocurrency into a smart contract on the source chain. Then, the asset custody notification issued by the smart contract is sent to a decentralized verification network (DVN) to be verified as a 'legitimate asset custody notification.'

Based on the DVN results, the executor sends asset custody notification information to the destination chain, and the destination chain issues new cryptocurrency equivalent to the deposited assets.



KelpDAO, which was hacked in this instance, also used LayerZero when sending rsETH to another chain.

The DVN layer of the LayerZero protocol offers flexible configuration options, allowing applications to build their own security setup, such as 'installing multiple DVNs and considering verification successful if a majority of them deem the notification legitimate.' While LayerZero recommended configuring multiple DVNs, KelpDAO operated with only one DVN, managed by LayerZero.

In this attack, the hackers generated a 'fictitious rsETH asset custody notification,' then compromised LayerZero's DVN so that it recognized the notification as legitimate. In this way, they succeeded in having cryptocurrency issued on a different chain against custody assets that did not exist.
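To make the configuration difference concrete, the following is an added toy model of a LayerZero-style DVN security configuration (it is not LayerZero's or KelpDAO's code; the DVN names, chain names, addresses and amounts are constructed). It shows that a forged custody notification passes a 1-of-1 configuration whose only DVN is compromised, but fails a 2-of-3 majority in which the other DVNs never observed a lock on the source chain.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed toy model of a LayerZero-style DVN security configuration.
# Added example; not LayerZero's or KelpDAO's code. All names and amounts are made up.

def custody_notice_hash(src_chain: str, dst_chain: str, nonce: int,
                        amount_wei: int, recipient: str) -> str:
    """Digest of an asset custody notification, the value each DVN attests to."""
    msg = f"{src_chain}|{dst_chain}|{nonce}|{amount_wei}|{recipient}".encode()
    return hashlib.sha256(msg).hexdigest()

@dataclass
class DVN:
    name: str
    # notifications this DVN has independently observed as real locks on the source chain
    observed_locks: set = field(default_factory=set)
    compromised: bool = False  # a compromised DVN attests to whatever it is asked

    def verify(self, notice_hash: str) -> bool:
        return self.compromised or notice_hash in self.observed_locks

@dataclass
class SecurityConfig:
    required: list = field(default_factory=list)  # every one of these must attest
    optional: list = field(default_factory=list)  # of these, at least `threshold` must attest
    threshold: int = 0

    def is_verified(self, notice_hash: str) -> bool:
        if not all(d.verify(notice_hash) for d in self.required):
            return False
        return sum(d.verify(notice_hash) for d in self.optional) >= self.threshold

def evaluate() -> dict:
    """Compare a 1-of-1 configuration with a 2-of-3 majority when one DVN is compromised."""
    genuine = custody_notice_hash("ethereum", "chain-b", 1, 10 * 10**18, "0xUserA")
    forged = custody_notice_hash("ethereum", "chain-b", 2, 100_000 * 10**18, "0xAttacker")
    lz = DVN("operator DVN", {genuine}, compromised=True)  # the single DVN the attacker modified
    b = DVN("DVN B", {genuine})
    c = DVN("DVN C", {genuine})
    single = SecurityConfig(required=[lz])                       # KelpDAO-style 1-of-1
    majority = SecurityConfig(optional=[lz, b, c], threshold=2)  # recommended 2-of-3
    return {
        "single_accepts_genuine": single.is_verified(genuine),
        "single_accepts_forged": single.is_verified(forged),      # True: one compromised DVN suffices
        "majority_accepts_genuine": majority.is_verified(genuine),
        "majority_accepts_forged": majority.is_verified(forged),  # False: honest DVNs never saw a lock
    }
```

Running `evaluate()` returns True for both genuine cases and for the forged notification under the single-DVN configuration, and False for the forged notification under the 2-of-3 majority.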

The chart below shows the price movements of Ethereum (purple) and rsETH (orange) before and after the attack. The value of rsETH, whose underlying assets were questioned, plummeted, falling by as much as 30% compared to Ethereum.



LayerZero announced that the North Korean hacking group 'Lazarus' is highly likely to be involved in this incident. It also stated that 'the cause was KelpDAO's single DVN configuration' and emphasized KelpDAO's responsibility, saying that 'despite having previously communicated best practices regarding DVN decentralization, KelpDAO continued with a single DVN configuration' and that 'there were no vulnerabilities in the protocol.'

LayerZero will no longer perform verification for single-DVN configurations. It also states that this will not affect applications using multi-DVN configurations.

in Web Service, Security, Posted by log1d_ts