Kelp DAO $292M Exploit Becomes 2026's Largest — LayerZero Points to North Korea's TraderTraitor Unit

A bridge misconfiguration dragged $13.2B out of DeFi in 48 hours. Now the two parties are blaming each other over who chose the single verifier.

Kelp DAO $292M exploit cover showing $13.2B DeFi TVL drop over 48 hours, attributed to Lazarus-linked TraderTraitor
Illustration: BlockAI News · Data: LayerZero, DefiLlama

What happened

On April 19, attackers drained approximately $292M in rsETH from Kelp DAO's bridge, making it the largest DeFi exploit of 2026. LayerZero said attackers compromised two RPC nodes the verifier relied on, then used a DDoS to force failover, tricking the bridge into approving a fraudulent cross-chain transaction.

Attribution: TraderTraitor / Lazarus

LayerZero attributed the attack with "preliminary confidence" to North Korea's Lazarus Group and its TraderTraitor subunit. TechCrunch, CoinDesk, and Bloomberg all carried the attribution on April 20.

Contagion: $13.21B DeFi TVL wipe

Aave lost $8.45B in deposits over 48 hours as users withdrew collateral; total DeFi TVL across chains fell from $99.5B to $86.3B — a $13.21B swing. AAVE fell 6% on the day.

The blame game

LayerZero said the incident stemmed from Kelp's decision to use a 1-of-1 verifier configuration despite prior warnings, and will stop signing messages for projects using that setup. Kelp retorted that LayerZero's own quickstart guide and default GitHub config specify exactly that 1/1 setup, and that 40% of LayerZero protocols currently use it.

BlockAI Take

This is less a smart-contract failure than a governance failure baked into "secure defaults." If 40% of LayerZero's surface area runs the same 1/1 verifier config Kelp used, the next exploit is a configuration change away, not a code audit away. Expect a flurry of "multi-verifier upgrade" announcements by week's end.

KelpDAO Incident Statement
On April 18, 2026, KelpDAO was exploited for approximately $290M. Preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.

Get tomorrow's DeFi security brief in your inbox →

How we report: This article cites primary sources, regulatory filings, and on-chain data where available. BlockAI News uses AI tools to assist with research and first-draft generation; every article is reviewed and edited by a human editor before publication. Read our full How We Report page, Editorial Policy, AI Use Policy, and Corrections Policy.

Keep Reading

Bitget Lists Superform: The Cross-Chain Yield Aggregator That Wants to Be the Default DeFi Front End

Bitget Lists Superform: The Cross-Chain Yield Aggregator That Wants to Be the Default DeFi Front End

Of the cross-chain yield products that have shipped since the Aave-Compound-Yearn era, Superform is the one most willing to call itself a consumer bank. That branding choice was a marketing risk for two years — onchain banks are a regulatory hot button, and "neobank" is a category most DeFi teams have stayed away from. The risk paid off this week. Bitget added Superform's UP token to spot trading on May 19, the same week SuperVaults v2 launched, the same week the team expanded its US mobile

Read full story →

Stay Ahead of the Market

Daily AI & crypto briefings — straight to your inbox, your phone, and your timeline.