Cryptonews

North Korean Cyber Operatives Siphon Nearly $300 Million in Cross-Chain Heist Targeting KelpDAO's LayerZero Protocol

Source: CryptoNewsTrend

Key facts

The breach that emptied the KelpDAO cross-chain bridge on 18 April 2026 began six weeks earlier. On 6 March, a LayerZero Labs developer cloned a malicious GitHub repository, installing FLATROOF and ROOFDECK malware on a company device. The malware gave attackers remote access and allowed them to harvest session keys for LayerZero's remote procedure call (RPC) infrastructure.

Cybersecurity firms Mandiant and CrowdStrike attributed the attack with high confidence to UNC4899, also known as TraderTraitor — a North Korean state-linked threat group. The total stolen was $292 million at market prices on the day of the breach, according to LayerZero's final incident report published 18 May 2026.

A forged cross-chain message released 116,500 rsETH after a single verifier node was compromised

LayerZero's architecture relies on decentralised verifier networks (DVNs) to confirm cross-chain messages are legitimate before bridge contracts release funds. On 18 April, attackers injected malicious code into two of LayerZero's internal RPC server clusters. The injected code made those servers return forged blockchain state to the DVN signing service while appearing normal to monitoring tools.

Simultaneously, the attackers launched a distributed denial-of-service attack against LayerZero's external RPC provider. That forced the DVN to fall back exclusively onto the two compromised internal nodes. The DVN produced a valid attestation for a forged cross-chain message, and the Ethereum bridge contract released 116,500 rsETH — KelpDAO's liquid restaking token — to the attacker's address. No other application on the LayerZero network was affected.
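The failure described above is a signer that kept attesting after its only independent view of the chain went away. The following is an added example, not LayerZero's code: a fail-closed quorum check that refuses to sign unless the block hash is corroborated by sources in more than one trust domain. All names, endpoints and hashes are hypothetical and constructed for illustration.

```python
"""Fail-closed RPC quorum check for an attestation signer (added illustration)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


class RefuseToSign(Exception):
    """Raised when chain state cannot be corroborated independently."""


@dataclass(frozen=True)
class Observation:
    source: str                # endpoint label (hypothetical)
    trust_domain: str          # who operates the endpoint
    block_hash: Optional[str]  # None = unreachable or timed out


def check_quorum(observations: Sequence[Observation],
                 min_sources: int = 2, min_domains: int = 2) -> str:
    """Return the block hash to attest, or raise RefuseToSign."""
    live = [o for o in observations if o.block_hash is not None]
    if not live:
        raise RefuseToSign("no RPC source reachable")
    if len({o.block_hash for o in live}) > 1:
        # Honest nodes agree on a finalized block; a split view means at
        # least one source is wrong or lying, so stop and alert.
        raise RefuseToSign("sources disagree on block hash")
    domains = {o.trust_domain for o in live}
    if len(live) < min_sources or len(domains) < min_domains:
        # Falling back to whatever is still reachable is the unsafe path:
        # agreement inside a single trust domain corroborates nothing.
        raise RefuseToSign(
            f"{len(live)} source(s) in {len(domains)} trust domain(s); "
            f"need {min_sources} in {min_domains}")
    return live[0].block_hash


def outcome(observations: Sequence[Observation]) -> Tuple[str, str]:
    """Map the check to a ("sign", hash) or ("refuse", reason) decision."""
    try:
        return ("sign", check_quorum(observations))
    except RefuseToSign as exc:
        return ("refuse", str(exc))


# Constructed sample data (not real hashes or endpoints).
REAL = "0x" + "11" * 32
FORGED = "0x" + "ee" * 32

NORMAL = [Observation("int-a", "internal", REAL),
          Observation("int-b", "internal", REAL),
          Observation("ext-1", "external-provider", REAL)]
# Shape of the incident: external provider unreachable, internal nodes agree.
FALLBACK = [Observation("int-a", "internal", FORGED),
            Observation("int-b", "internal", FORGED),
            Observation("ext-1", "external-provider", None)]
# External provider still reachable and contradicting the internal nodes.
SPLIT = [Observation("int-a", "internal", FORGED),
         Observation("int-b", "internal", FORGED),
         Observation("ext-1", "external-provider", REAL)]

if __name__ == "__main__":
    for name, case in (("normal", NORMAL), ("fallback", FALLBACK),
                       ("split", SPLIT)):
        print(name, outcome(case))
```

With this policy, losing the external provider halts signing instead of narrowing trust to the remaining nodes, so an outage costs availability rather than funds.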

LayerZero admits it failed to monitor how its own verifier secured high-value transfers

KelpDAO's bridge had previously operated with two DVNs required to attest each message — a 2-of-2 configuration. It had been changed to require only one verifier, the LayerZero Labs DVN itself, creating a single point of failure. LayerZero initially attributed responsibility to KelpDAO's configuration choice. It reversed that position on 8 May 2026.

"We made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions. We didn't police what our DVN was securing, which created a risk we simply didn't see. We own that."

— LayerZero Labs, 8 May 2026

Following the admission, LayerZero stated its DVN would no longer sign attestations for any application using a 1-of-1 configuration. Protocol defaults across all pathways were raised to a minimum of 3-of-3 verifiers.

Solv Protocol moves $700 million in tokenised Bitcoin bridge infrastructure away from LayerZero

Solv Protocol, which manages tokenised Bitcoin products, announced it would migrate over $700 million in bridge infrastructure away from LayerZero after conducting a security review. Kelp also migrated its rsETH bridge away from LayerZero's Omnichain Fungible Token standard to an alternative cross-chain protocol. Both announcements followed the public disclosure of the exploit and LayerZero's admission of fault.

DeFi bridge security standards face scrutiny as Ethereum absorbs the fallout

Ethereum traded at $1,980 at the time of publication, down 5.5% over the past seven days (CoinPaprika, 2 June 2026). The broader Ethereum DeFi ecosystem hosts the bulk of cross-chain bridge infrastructure by total value locked and is reassessing security assumptions in the wake of the incident.

The KelpDAO breach exposed a risk that extends beyond LayerZero alone. Any bridge relying on a single verifier to attest high-value cross-chain messages carries equivalent structural exposure. The Arbitrum Security Council froze 30,766 ETH in downstream funds linked to the attacker on 20 April 2026, partially limiting the breach's wider market impact.

Primary source: LayerZero Labs — An Overdue Apology, 8 May 2026