An affected party identified a leading North Korean cybercrime group as the probable actor behind the KelpDAO bridge exploit that occurred on April 18, 2026. The attack resulted in the loss of approximately $290 million in tokens linked to a major Ethereum staking derivative.
Investigation findings indicate that two blockchain servers hosting LayerZero nodes were compromised, allowing the attacker to submit fraudulent cross-chain transfer requests and bypass multi-signature and timelock safeguards. Preliminary chain analysis revealed suspicious transactions routing stolen funds through multiple mixing services.
DeFi security experts warn that bridges represent a critical vulnerability in cross-chain infrastructure. The KelpDAO incident alone accounts for over 47% of total DeFi hack losses in April 2026, according to aggregated data. Public on-chain analytics paused other bridge activities pending validation, and several platforms initiated emergency withdrawals of user funds.
LayerZero released a statement confirming the breach, attributing it to a “highly sophisticated state actor” and asserting that no other assets or protocols outside of KelpDAO were affected. Users were advised to withdraw remaining assets from at-risk contracts and to monitor decentralised exchange listings for unusual token movements.
Following the exploit, blockchain forensic specialists and law enforcement agencies initiated tracing efforts. U.S. sanctions authorities have been notified, given the suspected DPRK involvement and the use of stolen funds to support prohibited weapons programmes. Tracking efforts focus on identifying exit points across centralised exchanges and darknet markets.
Industry stakeholders emphasise the need for enhanced auditing, proof-of-reserve disclosures and the adoption of multi-party computation key management solutions. The incident has reignited debate over the security trade-offs inherent in cross-chain interoperability and the limits of on-chain trust minimisation.