North Korea's Lazarus Group Linked to $292 Million Kelp DAO DeFi Exploit


Blockchain infrastructure provider LayerZero has attributed the $292 million exploit against DeFi protocol Kelp DAO on April 18 to North Korea's Lazarus Group, the state-sponsored hacking organization responsible for billions of dollars in cryptocurrency theft. The attribution adds a geopolitical dimension to what was already one of the largest DeFi hacks of 2026, one that triggered $10 billion in outflows from lending protocol Aave amid concerns about cascading bad debt.

How the Exploit Worked

The Kelp DAO exploit targeted a vulnerability in the protocol's cross-chain liquidity management system. Attackers were able to manipulate oracle price feeds used to value collateral positions, enabling them to drain the protocol's reserves before the on-chain safety mechanisms could respond. The speed and sophistication of the attack — executed across multiple chains in rapid sequence — is consistent with Lazarus Group's known technical capabilities and operational patterns.

The Aave Contagion

The hack triggered significant collateral damage to Aave, one of DeFi's largest lending protocols. Because Kelp DAO's rsETH token was accepted as collateral on Aave, the sudden loss of the underlying asset's backing created a bad debt situation that prompted $10 billion in withdrawals as liquidity providers rushed to exit before the protocol could be left holding undercollateralized positions. Aave's risk committees have since moved to delist rsETH and are evaluating the extent of permanent bad debt crystallized by the event.

Lazarus Group's DeFi Campaign

The Lazarus Group has been systematically targeting DeFi protocols for several years, with the United Nations estimating the group has stolen over $3 billion in cryptocurrency since 2017. The stolen funds are believed to fund North Korea's weapons programs, making cryptocurrency theft a significant national security concern. Despite sophisticated on-chain forensics enabling attribution, the decentralized nature of DeFi makes recovery of stolen funds extremely rare.

The Bottom Line

The Kelp DAO hack is another reminder that DeFi's composability — the property that makes it powerful — is also its greatest security liability. Every cross-chain integration and collateral relationship is a potential attack surface. As long as state-sponsored actors with nation-level resources target DeFi, protocols operating without formal security reviews and real-time monitoring will remain attractive targets.
