KelpDAO suffered a $290 million loss on April 18 in a sophisticated security breach linked to the Lazarus Group, specifically an actor known as TraderTraitor, according to early reports. The attack targeted LayerZero infrastructure and exploited configuration weaknesses in KelpDAO’s verification systems. David Schwartz noted on April 20, 2026, that “the attack was way more sophisticated than I expected and aimed at LayerZero infrastructure taking advantage of KelpDAO laziness.”
How the Attack Happened
The attack employed a multi-stage approach rather than a simple exploit. Attackers first targeted the RPC system used by LayerZero’s verification network, then launched a DDoS attack to disrupt normal operations. When the system switched to backup nodes, attackers executed their key objective: those backup nodes had already been compromised, allowing them to send false signals and confirm transactions that never actually occurred. Notably, no core protocol or private keys were broken. Instead, the attack exploited weak points in the system’s configuration, demonstrating the sophistication of modern cyber threats.
Single Point of Failure as Root Cause
The fundamental vulnerability stemmed from KelpDAO’s configuration design. The platform relied on a 1-of-1 verification setup, meaning only a single verifier confirmed transactions with no backup verification layer. Once that single system was compromised, the attack succeeded without any secondary defense. Experts noted this created a clear single point of failure. LayerZero had previously recommended using multiple verifiers, and a multi-layer verification setup could have prevented the attack entirely.
Impact and Scope
While the loss was substantial, damage remained contained to a specific area. Reports confirm the breach affected only KelpDAO’s rsETH product, with other assets and applications remaining unaffected. LayerZero quickly replaced the compromised systems and restored normal operations. Teams are working with investigators to track the stolen funds. The incident has raised industry-wide concerns about configuration security in advanced systems.
Implications for Crypto Security
The incident underscores that security depends not only on code strength but also on system configuration and management practices. The involvement of the Lazarus Group—a cyber group historically linked to large-scale exploits—adds significant concern, as their methods continue to evolve. Going forward, projects may increasingly prioritize redundancy and risk control mechanisms. Multi-layer verification could become an industry standard. The KelpDAO attack serves as a warning that even one weak point in system architecture can result in massive losses. As the crypto space expands, security practices must evolve proportionally.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
AI16Z, ELIZAOS Creators Sued Over $2.6B Fraud Allegations; Token Crashes 99.9% From Peak
Federal class action accuses AI16Z/ELIZAOS of a $2.6B crypto fraud via fake AI claims and deceptive marketing, alleging insider favoritism and a staged autonomous system; seeks damages under consumer protection laws.
Abstract: This report covers a SDNY federal class-action filed April 21 accusing AI16Z and its rebrand ELIZAOS of a $2.6 billion crypto fraud involving fake AI claims and deceptive marketing. The suit alleges a manufactured link with Andreessen Horowitz and a non-autonomous system. It details a peak valuation in early 2025, a 99.9% crash, and about 4,000 losing wallets, with insiders receiving ~40% of new tokens. Plaintiffs seek damages and equitable relief under New York and California consumer-protection laws. Regulators in Korea and major exchanges have warned or suspended related trading.
GateNews33m ago
SlowMist Alerts: Active MacSync Stealer macOS Malware Targeting Crypto Users
SlowMist warns of MacSync Stealer (v1.1.2) for macOS that steals wallets, credentials, keychains, and infra keys, using spoofed AppleScript prompts and fake 'unsupported' errors; urges caution and awareness of IOCs.
Abstract: This report summarizes SlowMist's alert about MacSync Stealer (v1.1.2), a macOS information stealer targeting cryptocurrency wallets, browser credentials, system keychains, and infrastructure keys (SSH, AWS, Kubernetes). It deceives users with spoofed AppleScript dialogs prompting for passwords and visible fake 'unsupported' messages. SlowMist provides IOCs to customers and advises avoiding unverified macOS scripts and remaining vigilant for unusual password prompts.
GateNews1h ago
North Korean Lazarus Group Deploys Mach-O Man Malware to Steal Crypto Wallet Credentials from macOS Users
Lazarus releases Mach-O Man for macOS to steal keychain data and wallet credentials, targeting crypto executives via ClickFix pop-ups and compromised Telegram meetings.
Abstract: The article reports that the Lazarus-linked Mach-O Man malware targets macOS to exfiltrate keychain data, browser credentials, and login sessions to access cryptocurrency wallets and exchange accounts. Distribution relies on ClickFix social engineering and compromised Telegram accounts directing victims to fake meeting links. The piece ties the operation to the April 20 Kelp DAO hack and identifies TraderTraitor as Lazarus-affiliated, noting rsETH movement across blockchains via LayerZero’s OFT standard.
GateNews2h ago
ZachXBT Warns Against Bitcoin Depot ATM Over 44% Bitcoin Markup
ZachXBT warns Bitcoin Depot ATMs impose steep premiums—$25k fiat at $108k/BTC vs ~$75k market (about 44%), leading to ~ $7.5k loss on 0.232 BTC; also notes a $3.26M security breach.
This article summarizes ZachXBT's warnings about Bitcoin Depot's pricing practices and a recent security breach, highlighting risks from inflated rates and security lapses for users.
GateNews3h ago
Privacy Protocol Umbra Shuts Down Frontend to Block Attackers from Laundering Stolen Kelp Funds
Gate News message, April 22 — Privacy protocol Umbra has shut down its frontend website to prevent attackers from using the protocol to transfer stolen funds following recent attacks, including the Kelp protocol breach that resulted in losses exceeding $280 million. Approximately $800,000 in stolen
GateNews5h ago
Misty 23pds Alert: Lazarus Group releases a new macOS toolkit targeting cryptocurrencies
Misty’s Chief Information Security Officer 23pds issued an alert on April 22, stating that the North Korean hacking group Lazarus Group has released a new native macOS malware toolkit called “Mach-O Man,”专a专专专專專專 specialized in the cryptocurrency industry and high-value enterprise executives.
MarketWhisper7h ago
