North Korean hackers executed a sophisticated $290 million cryptocurrency theft from Kelp DAO on April 21, targeting LayerZero's Decentralized Verifier Network (DVN) through a coordinated attack on remote procedure calls (RPCs). The attackers compromised certain RPCs while simultaneously launching distributed denial-of-service (DDoS) attacks on others, forcing the system to failover to infrastructure they had already poisoned. This massive heist represents one of the largest cryptocurrency thefts of 2026 and highlights the evolving sophistication of nation-state actors in the crypto space.
***
The attack demonstrates how threat actors are increasingly targeting the complex infrastructure underlying decentralized finance protocols rather than going after end users directly. By exploiting the failover mechanisms designed to ensure system reliability, the hackers turned a security feature into a vulnerability, showcasing the intricate planning and technical expertise associated with North Korean cyber operations that have stolen billions in cryptocurrency over recent years.
Sophisticated Infrastructure Attack
The Kelp DAO attack represents a new level of sophistication in cryptocurrency theft, targeting the underlying infrastructure rather than traditional attack vectors like phishing or smart contract vulnerabilities. The hackers focused on LayerZero's Decentralized Verifier Network, a critical component that validates cross-chain transactions and ensures the integrity of multi-blockchain operations. By compromising multiple RPCs simultaneously while launching DDoS attacks on backup systems, the attackers created a scenario where the network would automatically failover to their controlled infrastructure.
This dual-pronged approach required extensive reconnaissance and coordination, suggesting months of preparation and deep technical knowledge of LayerZero's architecture. The attackers had to identify critical RPC endpoints, establish persistent access to compromise them, and then time their DDoS attacks precisely to trigger the failover mechanism. The $290 million theft occurred during this brief window when the poisoned infrastructure was processing legitimate transactions, allowing the hackers to redirect funds to wallets under their control.
North Korean Crypto Operations
Security researchers have attributed this attack to North Korean threat actors based on several indicators, including the sophisticated technical approach, the targeting of cryptocurrency infrastructure, and blockchain analysis showing fund movement patterns consistent with previous North Korean operations. The hermit kingdom has increasingly turned to cryptocurrency theft to circumvent international sanctions, with estimates suggesting North Korean hackers have stolen over $3 billion in cryptocurrency since 2017. These operations are believed to be conducted by various groups under the Reconnaissance General Bureau, North Korea's primary intelligence agency.
The timing and scale of this attack align with North Korea's pattern of major cryptocurrency thefts, which often coincide with periods of increased international pressure or economic strain. Previous high-profile attacks attributed to North Korean groups include the 2022 Ronin Network breach that netted $625 million and numerous exchanges targeted through 2023 and 2024. The funds from these operations are typically laundered through complex mixing services and converted to support the regime's weapons programs and other sanctioned activities.
LayerZero Protocol Vulnerabilities
LayerZero's omnichain protocol, designed to enable seamless communication between different blockchains, relies heavily on its network of decentralized verifiers and RPCs to maintain security and reliability. The protocol's architecture includes multiple redundancy layers and failover mechanisms intended to prevent single points of failure, but the Kelp DAO attack exposed how these safety measures could be weaponized by sophisticated attackers. The simultaneous compromise of primary RPCs and DDoS attacks on backups created a perfect storm that allowed the attackers to manipulate transaction verification.
Industry experts note that while LayerZero's multi-layered approach generally provides strong security, the complexity of managing multiple verification sources across different blockchains creates an expanded attack surface. The protocol's reliance on external infrastructure providers for RPCs introduces dependencies that may not be fully under the protocol's security control. This incident is likely to prompt significant changes to how cross-chain protocols design their verification mechanisms and manage failover scenarios.
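A defensive illustration of the failover weakness described above, added here and not code from LayerZero, Kelp DAO or the article: a verifier that fails over to the first live RPC accepts whatever a poisoned minority reports, while a quorum check across independent endpoints turns the same outage into a visible "no quorum" condition that can be alerted on. Endpoint names, the payload-hash strings and the quorum size are constructed assumptions.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

class RpcUnavailable(Exception):
    """Raised when an endpoint is down (for instance, under DDoS)."""

def make_fetch(state: Dict[str, Optional[str]]) -> Callable[[str], str]:
    """Build a fetch() over a constructed endpoint table: a string is the
    payload hash that RPC reports, None means it is unreachable."""
    def fetch(name: str) -> str:
        if state[name] is None:
            raise RpcUnavailable(name)
        return state[name]
    return fetch

def naive_failover(endpoints: List[str], fetch: Callable[[str], str]) -> str:
    """Weak design: trust the first endpoint that answers. If only the
    compromised endpoints are live, their answer is accepted unchecked."""
    for name in endpoints:
        try:
            return fetch(name)
        except RpcUnavailable:
            continue
    raise RpcUnavailable("all endpoints down")

def quorum_verify(endpoints: List[str], fetch: Callable[[str], str],
                  quorum: int) -> Tuple[str, Optional[str]]:
    """Accept a value only when at least `quorum` endpoints agree on it.
    Knocking honest endpoints offline then yields a visible 'no_quorum'
    outage to alert on instead of a silently forged verification."""
    votes: Counter = Counter()
    for name in endpoints:
        try:
            votes[fetch(name)] += 1
        except RpcUnavailable:
            continue
    if not votes:
        return ("unavailable", None)
    value, count = votes.most_common(1)[0]
    if count < quorum:
        return ("no_quorum", None)
    if len(votes) > 1:
        # Quorum reached, but reachable endpoints disagree: surface the dissent.
        return ("quorum_with_dissent", value)
    return ("verified", value)

# Constructed scenario mirroring the pattern above: two RPCs poisoned, two honest ones offline.
ENDPOINTS = ["rpc-a", "rpc-b", "rpc-c", "rpc-d"]
ATTACK = {"rpc-a": "0xforged", "rpc-b": "0xforged", "rpc-c": None, "rpc-d": None}
HONEST = {name: "0xlegit" for name in ENDPOINTS}
```

Against the ATTACK table, `naive_failover` returns the forged hash while `quorum_verify` with a quorum of three reports `no_quorum`; the quorum size must exceed the number of endpoints an attacker can plausibly control at once.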
Broader DeFi Security Implications
The Kelp DAO breach occurs against a backdrop of increasing sophistication in cryptocurrency attacks, with 2025 seeing a 15% increase in zero-day vulnerabilities exploited in the wild compared to 2024. According to recent data, attackers are now weaponizing security flaws in approximately five days, while organizations typically require 60-150 days for patching. This growing gap between discovery and remediation creates windows of opportunity that sophisticated nation-state actors are increasingly exploiting.
The attack also highlights the evolving role of artificial intelligence in cybersecurity, with threat actors using AI-assisted tools for faster reconnaissance and exploit development. Recent reports indicate that AI is enabling attackers to complete the full exploitation cycle from initial reconnaissance to development much more rapidly than traditional methods. Meanwhile, defensive AI measures are being deployed to monitor behavioral patterns and detect anomalous activities, though the arms race between attackers and defenders continues to intensify.
The 2025 GTIG report warned that AI speeds up the full exploitation cycle from reconnaissance to development, and attackers are now weaponizing flaws in about five days versus the 60-150 days organizations typically need for patching.
Industry Response and Future Outlook
The cryptocurrency industry is responding to this latest major theft with calls for enhanced infrastructure security standards and better coordination between cross-chain protocols and their service providers. Several major DeFi protocols have announced security reviews of their own RPC dependencies and failover mechanisms following the Kelp DAO incident. The attack has also renewed discussions about the need for more robust verification systems that don't rely heavily on external infrastructure providers that may be outside the direct security control of protocol operators.
Looking ahead, this incident is expected to accelerate the adoption of more sophisticated monitoring and verification technologies, including AI-powered anomaly detection systems that can identify suspicious patterns in real-time. The crypto industry's ongoing maturation includes developing better standards for infrastructure security, incident response procedures, and cross-protocol coordination. However, as defensive measures improve, nation-state actors like those attributed to North Korea continue to evolve their tactics, suggesting that the cat-and-mouse game between attackers and defenders in the cryptocurrency space will only intensify.