Lead story
Lazarus Group Pulls Off $290M KelpDAO Heist in Sophisticated Infrastructure Attack
North Korea's Lazarus Group is suspected of pulling off one of the year's biggest crypto heists — a $290 million theft from the KelpDAO decentralised finance platform — and the method used is worth paying close attention to. This wasn't a simple smart contract exploit or a phishing link. The attackers went after LayerZero's Decentralised Verifier Network (DVN), the cross-chain messaging infrastructure that KelpDAO relied on to move assets between blockchains.
Here's how it worked. LayerZero's DVN uses multiple independent nodes to verify cross-chain transactions. The attackers reportedly compromised certain RPC (remote procedure call) endpoints — essentially the communication channels those nodes depend on — and simultaneously launched DDoS attacks against others. The chaos triggered automatic failover mechanisms, routing traffic to infrastructure the attackers had already poisoned. With control of enough verification nodes, they could approve fraudulent transactions. The bridge between chains became the weapon.
This is a meaningful escalation in technique. Most DeFi hacks target the smart contracts sitting on top of infrastructure. Attacking the verification layer underneath is harder, stealthier, and far more damaging — because if you control the referee, you control the game. Lazarus has been steadily climbing this learning curve, and the $1.5 billion Bybit theft earlier this year showed they're willing to invest serious operational effort into each attack.
The attribution to Lazarus carries its own weight. North Korea is estimated to have stolen somewhere north of $3 billion in crypto since 2017, with much of it funding the regime's weapons programmes. The US Treasury, the UN, and multiple blockchain intelligence firms have tracked the money trails. The KelpDAO funds are already moving through mixers and cross-chain bridges in the patterns analysts have come to recognise as Lazarus tradecraft.
What this means for DeFi builders and users. Cross-chain bridges remain the single most dangerous piece of infrastructure in the ecosystem. The security model for most bridges assumes that the verification layer is trustworthy — but that assumption is only as good as the security posture of every RPC provider in the network. A DDoS-triggered failover to malicious infrastructure is an attack vector that almost no bridge has explicitly designed against.
For users, the risk calculus hasn't changed: assets sitting in cross-chain bridge contracts are targets, and the bigger the bridge, the bigger the prize. For builders, the KelpDAO incident is an argument for redundant RPC sources, explicit failover security policies, and circuit breakers that halt high-value transfers when the verification network degrades rather than rerouting to backup nodes.
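As an added illustration, not code from LayerZero, KelpDAO or any bridge, here is the builder-side policy above in miniature: a verifier quorum whose failover is pinned to an allow-list and whose circuit breaker halts high-value transfers when the network degrades, compared with a naive reroute-to-whatever-answers policy. All verifier names, endpoints, thresholds and the outage scenario are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    primary_rpc: str          # endpoint the verifier normally reads chain state from
    allowed_rpcs: frozenset   # vetted endpoints it may fail over to (primary included)

# Constructed sample: three verifiers, each pinned to its own primary and one vetted backup.
VERIFIERS = (
    Verifier("dvn-a", "https://rpc-a.example/primary",
             frozenset({"https://rpc-a.example/primary", "https://rpc-a.example/backup"})),
    Verifier("dvn-b", "https://rpc-b.example/primary",
             frozenset({"https://rpc-b.example/primary", "https://rpc-b.example/backup"})),
    Verifier("dvn-c", "https://rpc-c.example/primary",
             frozenset({"https://rpc-c.example/primary", "https://rpc-c.example/backup"})),
)

# Constructed outage: two primaries and one vetted backup are unreachable (as under a DDoS);
# an endpoint nobody vetted is the only thing still answering for dvn-c.
REACHABLE = {
    "https://rpc-a.example/primary",
    "https://rpc-b.example/backup",
    "https://rpc-unvetted.example/backup",
}
DISCOVERED_BACKUPS = ("https://rpc-unvetted.example/backup",)  # constructed, not vetted

def naive_failover(v, reachable):
    """Reroute to any endpoint that answers: the behaviour the incident exposes."""
    if v.primary_rpc in reachable:
        return v.primary_rpc
    return next((rpc for rpc in DISCOVERED_BACKUPS if rpc in reachable), None)

def pinned_failover(v, reachable):
    """Fail over only inside the allow-list; anything else leaves the verifier unusable."""
    if v.primary_rpc in reachable:
        return v.primary_rpc
    return next((rpc for rpc in sorted(v.allowed_rpcs) if rpc in reachable), None)

def decide(verifiers, reachable, failover, value_usd, quorum, high_value_usd=1_000_000):
    """Circuit breaker: count only verifiers with a usable endpoint under the given
    failover policy; a degraded network halts high-value transfers instead of rerouting."""
    usable = [v.name for v in verifiers if failover(v, reachable) is not None]
    degraded = len(usable) < len(verifiers)
    if value_usd >= high_value_usd and degraded:
        return "halt"
    return "approve" if len(usable) >= quorum else "halt"
```

With the same outage, the naive policy still reaches a full quorum through the unvetted endpoint and approves a $50M transfer, while the pinned policy keeps serving small transfers from its two healthy verifiers and halts the large one.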
What to watch. Blockchain intelligence firms are already tagging the wallets associated with this heist. The speed at which Lazarus can launder funds has improved — expect to see mixer and bridge activity in the coming days as they attempt to fragment and move the money before exchanges can blacklist the addresses. Realistically, recovery of any of it is unlikely.
