North Korean Blamed for $290m KelpDAO Crypto Heist

April 21, 2026

State-backed hackers are the most likely perpetrators of the largest crypto heist so far this year after liquid restaking protocol KelpDAO was struck over the weekend.

The decentralized finance (DeFi) specialist works by accepting Liquid Staking Tokens (LSTs) like stETH, ETHx or sfrxETH, and issuing a liquid token, rsETH, in return.

However, the firm said on Saturday that it identified “suspicious cross-chain activity involving rsETH,” forcing it to pause activity.

It appears that threat actors stole 116,500 rsETH, worth around $293m, before funnelling it through Tornado Cash in a bid to throw off investigators.


KelpDAO is reportedly blaming the LayerZero infrastructure it runs on for the security breach, with the latter hitting back that it was the fault of KelpDAO’s specific configuration.

The LayerZero protocol uses Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages. On April 18, North Korea’s Lazarus Group targeted the LayerZero Labs DVN by poisoning downstream RPC infrastructure, the firm said.

“The attacker was able to gain access to the list of RPCs our DVN uses, compromise two of them – which were independent nodes running on separate clusters without direct connection to each other – and swap out binaries running the op-geth nodes,” LayerZero explained.

“Because of our least-privilege principles, they were unable to compromise the actual DVN instances. However, they used this pivot point to execute an RPC-spoofing attack.”

The threat actors then launched a DDoS attack against the non-compromised RPCs, triggering a failover to the poisoned ones. This allowed them to send a forged cross-chain message which was accepted as valid, enabling the unauthorized rsETH transfer.


LayerZero Hits Back

LayerZero has blamed KelpDAO for running a DVN architecture that contradicts its best-practice multi-DVN advice.

“Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message. LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO,” it said.

“Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration. A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.”
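A simplified model of the failure mode described above, added here as an illustration and not LayerZero's or KelpDAO's code: each DVN trusts the first reachable RPC in its list, and a message is accepted once `threshold` DVNs attest to it. The class names, nonces and payloads are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass
class Rpc:
    messages: dict        # nonce -> payload hash this node claims the source chain emitted
    up: bool = True

@dataclass
class Dvn:
    name: str
    rpcs: list            # preference order; failover walks down the list

    def attest(self, nonce: int, claimed: str) -> bool:
        for rpc in self.rpcs:
            if rpc.up:    # trusts the first reachable node, as a naive failover does
                return rpc.messages.get(nonce) == claimed
        return False      # nothing reachable: fail closed

def verify(dvns, threshold, nonce, payload):
    """Accept only if at least `threshold` DVNs independently attest to the payload."""
    claimed = payload_hash(payload)
    votes = [d.name for d in dvns if d.attest(nonce, claimed)]
    return len(votes) >= threshold, votes

# Constructed sample data: nonce 6 is a real source-chain message, nonce 7 never existed.
LEGIT, FORGED = b"transfer 1 rsETH to alice", b"transfer 116500 rsETH to 0xUNKNOWN"
honest_view = {6: payload_hash(LEGIT)}
poisoned_view = {**honest_view, 7: payload_hash(FORGED)}

def build_dvns():
    # dvn-a: its healthy RPCs are knocked offline, so it fails over to tampered nodes.
    dvn_a = Dvn("dvn-a", [Rpc(honest_view, up=False), Rpc(honest_view, up=False),
                          Rpc(poisoned_view), Rpc(poisoned_view)])
    # dvn-b and dvn-c are separate operators with their own, unaffected RPC pools.
    dvn_b = Dvn("dvn-b", [Rpc(honest_view)])
    dvn_c = Dvn("dvn-c", [Rpc(honest_view)])
    return dvn_a, dvn_b, dvn_c

if __name__ == "__main__":
    a, b, c = build_dvns()
    print("1/1 forged:", verify([a], 1, 7, FORGED))        # accepted on one vote
    print("2/3 forged:", verify([a, b, c], 2, 7, FORGED))  # rejected, only dvn-a attests
    print("2/3 legit: ", verify([a, b, c], 2, 6, LEGIT))   # accepted by all three
```

The same forged message passes the 1/1 configuration and fails the 2-of-3 one because the two unaffected verifiers never see nonce 7 on the source chain.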

Fortunately, around a quarter of the stolen funds, amounting to around 30,766 ETH ($71m), has been frozen by Arbitrum’s Security Council.

A Sophisticated Raid

Experts argued that Lazarus Group is demonstrating increasingly sophisticated operational capabilities.

“These environments are not being tested by smash and grab actors, they are being pressured by disciplined adversaries who understand how to chain together weak points across infrastructure, applications, and trust relationships,” said AttackIQ CISO, Pete Luban. “Groups like Lazarus are not just walking away richer, they are walking away better, with more resources to scale tooling, refine techniques, and reinvest in future campaigns.”

Nick Tausek, lead security automation architect at Swimlane, agreed that the attack demonstrated a familiar North Korean pattern of “patient intrusion, manipulation of trust, and detection suppression.”

He added: “By compromising infrastructure tied to LayerZero’s verifier role, they’ve stepped into a trusted position in the transaction flow and abused that trust to push forged messages downstream. That’s what makes third-party breaches so dangerous in crypto: the blast radius rarely stops with the initial victim.”
