Lazarus Group Strikes Again: DeFi Sector Hit with $290M Breach
A devastating security breach struck the decentralized finance (DeFi) sector on April 18, 2026, with Kelp DAO suffering losses of approximately $290-293 million.
The attack was attributed to North Korea's Lazarus Group, which used a sophisticated tactic to infiltrate LayerZero's verification system. The group exploited a vulnerability in the system by compromising two remote procedure call (RPC) nodes and delivering fraudulent information to the verifier.
LayerZero had previously warned Kelp about the risks of operating with a single-verifier architecture, but the protocol chose to disregard these warnings. As a result, the attackers were able to transmit confirmation of a legitimate transaction to the verifier, releasing 116,500 rsETH tokens to their wallets.
The stolen tokens were then deployed as collateral across various lending platforms, including Aave, which absorbed the most significant damage. Aave's native token plummeted approximately 15% within a 24-hour period, and the protocol experienced roughly $6 billion in withdrawals.
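The single-verifier weakness described above can be shown with a simplified model. This is an added example, not code from the article, LayerZero, or Kelp DAO: the `Verifier` class, `release_allowed`, the majority rule inside each verifier, and all messages are hypothetical constructs. It compares a 1-of-1 attestation threshold with a 2-of-3 threshold where the other verifiers read from independent RPC nodes.

```python
import hashlib
from collections import Counter

def digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()

class Verifier:
    """Hypothetical verifier that trusts what its own RPC nodes report."""
    def __init__(self, name, rpc_responses):
        self.name = name
        # One entry per RPC node: the message it reports, or None if it sees no event.
        self.rpc_responses = rpc_responses

    def attest(self):
        """Return the digest this verifier signs off on, or None."""
        seen = Counter(r for r in self.rpc_responses if r is not None)
        if not seen:
            return None
        message, count = seen.most_common(1)[0]
        # Attest only when a strict majority of this verifier's nodes agree.
        return digest(message) if count * 2 > len(self.rpc_responses) else None

def release_allowed(message, verifiers, threshold):
    """Destination-side check: enough verifiers must attest to this exact message."""
    want = digest(message)
    votes = sum(1 for v in verifiers if v.attest() == want)
    return votes >= threshold

# Constructed sample data: FORGED never occurred on the source chain.
FORGED = b"constructed-forged-release-message"
LEGIT = b"constructed-legitimate-release-message"

def scenario():
    poisoned = Verifier("A", [FORGED, FORGED])   # both of A's RPC nodes are compromised
    honest_b = Verifier("B", [None, None])       # independent nodes: no such event
    honest_c = Verifier("C", [None, None])
    return {
        "forged_1_of_1": release_allowed(FORGED, [poisoned], 1),
        "forged_2_of_3": release_allowed(FORGED, [poisoned, honest_b, honest_c], 2),
        "legit_2_of_3": release_allowed(
            LEGIT, [Verifier(n, [LEGIT, LEGIT]) for n in "ABC"], 2),
    }

if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'released' if allowed else 'blocked'}")
```

The quorum only helps when the verifiers do not share RPC infrastructure; if they read from the same compromised nodes, the extra attestations add no independence.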




