Lazarus And The Kelp Hack: How North Korea’s Crypto Heist Machine Keeps Evolving

On Saturday, Apr. 18, a cross-chain bridge run by Kelp DAO quietly bled 116,500 rsETH. By Monday, LayerZero had a name for the attackers. Not a new one.

North Korea's Lazarus Group is no longer just a hacker label in crypto. It is the clearest proof that state-backed cyber operations turned digital assets into a strategic funding channel, where the industry's biggest breaches now look less like isolated bugs and more like long-cycle operational defeats.

  • LayerZero attributes the Apr. 18, 2026 Kelp DAO exploit, worth roughly $292 million in rsETH, an Ether (ETH) liquid restaking token, to North Korea's Lazarus Group and its TraderTraitor subunit.
  • Chainalysis says DPRK-linked actors stole $2.02 billion in crypto during 2025, lifting their cumulative haul to $6.75 billion.
  • The pattern points to state-backed operational warfare rather than isolated smart-contract bugs as the sector's dominant security threat.

The Kelp hit, and why attribution matters

LayerZero pinned the Kelp DAO drain on a state actor in its Apr. 20 post-mortem. The statement called it the largest DeFi exploit of 2026 and flagged "a highly-sophisticated state actor, likely DPRK's Lazarus Group, more specifically TraderTraitor."

The mechanism was not a smart-contract bug. Attackers compromised two remote procedure call (RPC) nodes used by the LayerZero Decentralized Verifier Network (DVN) that Kelp relied on, then ran a denial-of-service flood against the remaining clean nodes to force failover onto the poisoned ones.

Because Kelp ran a 1-of-1 verifier configuration, that single DVN's attestation was the only check. Fed a poisoned view of the source chain, it verified a fraudulent cross-chain message, and the bridge released 116,500 rsETH to the attacker.

Kelp paused core contracts through its emergency multisig roughly 46 minutes later, blocking two follow-up drain attempts worth another $100 million.

Kelp publicly disputed LayerZero's framing, saying the single-verifier configuration reflected LayerZero's own documented default, not defiance of explicit advice.
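To make the configuration point concrete, here is a small simulation, added as an example and not code from LayerZero or Kelp, of a verifier quorum whose DVN reads the source chain through a failover list of RPC nodes. The RpcNode, RpcPool, Dvn and verify_packet names, the single poisoned node and the required-plus-optional quorum rule are assumptions made for this illustration; the real LayerZero configuration format and Kelp's exact node topology are not reproduced here.

```python
"""Verifier-quorum simulation (added example, not LayerZero's or Kelp's code).

Names such as RpcNode, RpcPool, Dvn and verify_packet, and the quorum rule
itself, are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A cross-chain message as the destination chain sees it."""
    nonce: int
    payload_hash: str


# Constructed source-chain truth: only nonce 1 was ever emitted.
SOURCE_CHAIN_EVENTS = {1: "0xaaaa"}

LEGIT = Packet(nonce=1, payload_hash="0xaaaa")
FORGED = Packet(nonce=7, payload_hash="0xbeef")   # never emitted on the source chain


class RpcNode:
    """One RPC endpoint. A poisoned node answers from attacker-controlled state."""

    def __init__(self, name, healthy=True, poisoned=False, fake_events=None):
        self.name = name
        self.healthy = healthy
        self.poisoned = poisoned
        self.fake_events = fake_events or {}

    def get_event(self, nonce):
        if not self.healthy:
            raise TimeoutError(f"{self.name} unreachable")
        events = self.fake_events if self.poisoned else SOURCE_CHAIN_EVENTS
        return events.get(nonce)


class RpcPool:
    """Failover list: the first node that answers wins, so a DoS against the
    clean nodes steers every query to whatever node is left standing."""

    def __init__(self, nodes):
        self.nodes = nodes

    def get_event(self, nonce):
        for node in self.nodes:
            try:
                return node.get_event(nonce)
            except TimeoutError:
                continue
        raise RuntimeError("no RPC node reachable")


class Dvn:
    """A verifier: attests to a packet only if its RPC view of the source chain
    shows the same payload hash at that nonce."""

    def __init__(self, name, pool):
        self.name = name
        self.pool = pool

    def attests(self, pkt):
        return self.pool.get_event(pkt.nonce) == pkt.payload_hash


def verify_packet(pkt, required, optional=(), optional_threshold=0):
    """Assumed quorum rule: every required DVN must attest, plus at least
    optional_threshold of the optional DVNs."""
    if not all(dvn.attests(pkt) for dvn in required):
        return False
    return sum(dvn.attests(pkt) for dvn in optional) >= optional_threshold


def build_scenario(clean_nodes_down):
    """Two DVNs on independent RPC infrastructure. The attacker has poisoned
    one node in pool A and can knock pool A's clean nodes offline."""
    pool_a = RpcPool([
        RpcNode("rpc-a1", healthy=not clean_nodes_down),
        RpcNode("rpc-a2", healthy=not clean_nodes_down),
        RpcNode("rpc-a3", poisoned=True, fake_events={7: "0xbeef"}),
    ])
    pool_b = RpcPool([RpcNode("rpc-b1"), RpcNode("rpc-b2")])
    return Dvn("dvn-A", pool_a), Dvn("dvn-B", pool_b)


def one_of_one(pkt, clean_nodes_down):
    """Kelp-style configuration: a single DVN is the whole verifier set."""
    dvn_a, _ = build_scenario(clean_nodes_down)
    return verify_packet(pkt, required=[dvn_a])


def two_of_two(pkt, clean_nodes_down):
    """Both DVNs required; the second one never touches pool A."""
    dvn_a, dvn_b = build_scenario(clean_nodes_down)
    return verify_packet(pkt, required=[dvn_a, dvn_b])


if __name__ == "__main__":
    print("1-of-1, clean RPCs up, forged packet:   ", one_of_one(FORGED, False))  # False
    print("1-of-1, clean RPCs DoSed, forged packet:", one_of_one(FORGED, True))   # True
    print("2-of-2, clean RPCs DoSed, forged packet:", two_of_two(FORGED, True))   # False
    print("2-of-2, clean RPCs DoSed, legit packet: ", two_of_two(LEGIT, True))    # False
```

Run it and the 1-of-1 path accepts the forged packet as soon as the clean nodes stop answering, while a configuration that also requires a second DVN on independent RPC infrastructure rejects it. The cost is liveness: with its clean nodes down, the compromised DVN also fails to attest to a genuine packet, so the bridge stalls rather than pays out, which is the failure mode a defender should prefer.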

Attribution is what turns this from a patch-and-move-on incident into something else. A bug invites a fix. A state actor invites a permanent adversary.

Who Lazarus actually is

The FBI placed the TraderTraitor cluster inside North Korea's state cyber apparatus in its Feb. 26, 2025 advisory on the Bybit theft, naming it as the direct operator of a $1.5 billion virtual-asset heist.

Earlier U.S. Treasury sanctions, and Reuters reporting in 2022, tied Lazarus, Bluenoroff and Andariel to the Reconnaissance General Bureau, Pyongyang's primary military-intelligence agency.

Inside that structure, analysts track a rotating set of cluster names (APT38, Hidden Cobra, Diamond Sleet, Jade Sleet, Slow Pisces, TraderTraitor) that often share personnel and infrastructure.

The consequence for crypto is blunt.

When a breach gets attributed to "Lazarus," it is not a teenager in a basement, and it is rarely a lone contractor. It is a state unit with a budget, a mandate and a patience horizon measured in years, not weeks.

That changes what counts as a credible defense. It also changes who, at the end of the laundering chain, ultimately benefits.

From Sony to smart contracts

Lazarus did not start in crypto. It announced itself with the 2014 Sony Pictures wiper, then the 2016 Bangladesh Bank SWIFT heist, then WannaCry in 2017.

Crypto came next, and fast.

South Korea's National Intelligence Service told the Associated Press in December 2022 that North Korean hackers had stolen an estimated $1.2 billion in virtual assets over five years.

A U.N. Panel of Experts report revealed 58 suspected DPRK cyberattacks between 2017 and 2023, worth roughly $3 billion and feeding Pyongyang's weapons-of-mass-destruction programs.

Chainalysis's latest figures push that cumulative line higher: $6.75 billion in DPRK-linked crypto theft identified to date, with $2.02 billion taken in 2025 alone.

The trajectory is the story. Each year brings fewer incidents but larger ones. The industry got richer, the targets got bigger, and Lazarus scaled right alongside.

The biggest Lazarus-linked heists

Treasury updated its Lazarus sanctions with wallet addresses tied to the Mar. 2022 Ronin Bridge drain, pinning roughly $625 million in losses on DPRK actors.

A short list captures the scale:

  • Ronin Network, Mar. 2022: roughly $625 million drained from the Axie Infinity sidechain bridge, attributed to Lazarus by the U.S. Treasury's OFAC weeks later.
  • Harmony Horizon, Jun. 2022: about $100 million stolen, formally pinned on Lazarus and APT38 by the FBI in Jan. 2023.
  • WazirX, Jul. 2024: roughly $235 million lifted from the Indian exchange in a multisig compromise widely attributed to DPRK-linked actors.

Then came the breakthrough year.

DMM Bitcoin lost 4,502.9 Bitcoin (BTC), worth about $308 million at the time, in May 2024. The FBI, the Department of Defense Cyber Crime Center (DC3) and Japan's National Police Agency confirmed the TraderTraitor link that December, describing a recruiter-themed lure that compromised a wallet-software vendor and ended in a manipulated withdrawal.

Bybit, in Feb. 2025, was the peak.

An attacker masked the signing interface during a routine cold-wallet transfer and redirected about 400,000 Ether, worth roughly $1.5 billion, to an unknown address.

Chainalysis now places that single incident at $1.5 billion of the $3.4 billion stolen industry-wide in 2025. Kelp, at $292 million, is the latest chapter, not the loudest. It is what a mature operation looks like when it has stopped needing spectacle.

The Lazarus playbook has shifted

The FBI and Japan detailed the new Lazarus template in their joint DMM Bitcoin advisory. The old picture of Lazarus as a phishing shop is obsolete.

A hacker posed as a LinkedIn recruiter. A fake pre-employment test delivered a malicious Python script to an engineer at Ginco, a wallet-software vendor, who copied it to a personal GitHub page and was compromised. Stolen session cookie data let the attacker impersonate the engineer inside Ginco's internal communications, and weeks later a legitimate DMM transaction request was silently rewritten in flight.

At Bybit, Safe{Wallet} confirmed that malicious JavaScript injected into its hosted web signing interface showed the signers the transfer they expected while substituting different contract logic underneath. At Kelp, LayerZero says attackers swapped binaries on the very RPC nodes a verifier was trusting, engineered to self-destruct and wipe local logs after use.

The common thread is that the code is rarely the vulnerability. The people, the vendors, the build pipelines and the infrastructure hosts are.

Chainalysis has also flagged a parallel channel: DPRK operatives embedding inside crypto companies as remote IT workers under fake identities, sometimes using collaborators sourced through Upwork and Freelancer to scale.

Why Lazarus keeps coming back to crypto

North Korea's motive is economic survival, not ideology.

AP and U.N. reporting consistently describe crypto theft as a replacement income stream for a sanctioned economy and as direct funding for ballistic missile and nuclear programs.

U.S. officials cited by AP have gone further, estimating that cybercrime now accounts for close to half of North Korea's foreign-currency earnings.

Crypto happens to be the near-perfect target for that mission. Transactions settle with finality in minutes, not days, so there is no correspondent bank to reverse them. Liquidity is deep, pseudonymity is cheap, and cross-chain rails move value faster than any enforcement body can freeze it.

Yahoo Finance noted, citing LayerZero's own timeline on Kelp, that the attacker consolidated roughly 74,000 Ether after the drain and had pre-funded wallets through Tornado Cash about ten hours before striking.

For a government weighing a bank heist against a bridge heist, the bridge wins every time.

What the onchain investigators actually added

Arkham credited pseudonymous sleuth ZachXBT with "definitive proof" tying the Bybit exploit to Lazarus through test transactions, connected wallets and timing analyses, in its Feb. 21, 2025 bounty post.

Five days later, the FBI's public service announcement formally named North Korea, using the TraderTraitor tag and publishing wallet blocklists.

The order matters. Onchain sleuths such as ZachXBT have often been among the first to publicly connect major breaches to Lazarus-linked wallets and laundering patterns, sometimes ahead of official confirmation.

They are not the core source of truth. They are an early public attribution layer that accelerates exchange-level response while federal agencies run slower, evidentiary-grade processes.

That division of labor is new. It is also load-bearing, because once stolen funds start bouncing across chains, the only question is how quickly addresses get flagged.

Why the industry still loses these fights

Most crypto security debates still center on code audits. Lazarus does not care about audits.

The attack surface that actually matters is operational. It includes third-party signing tools, wallet vendors, node infrastructure, recruiter pipelines, build systems and a handful of humans with privileged access. Every one of those was live in at least one Lazarus-linked breach in the last two years.

Chainalysis reports a second structural problem: the laundering cycle has been refined into a roughly 45-day, three-wave pattern that pushes stolen funds through mixers, cross-chain bridges and Chinese-language OTC networks, moving value in tranches often kept under $500,000 to avoid tripping monitoring thresholds.
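As an added example (not Chainalysis's methodology or any product's code), the following Python flags the structuring signal described above on a constructed ledger: one sender pushing many sub-cap tranches whose aggregate is far above the cap, joined with a check for recent funding from a labelled mixer address, the pre-funding behaviour LayerZero's timeline describes for the Kelp attacker. The ledger, the "0xmixer" label, the 48-hour window and the four-tranche minimum are constructed or assumed values.

```python
"""Structuring detector for the laundering pattern described above (added
example, not Chainalysis's methodology or code).

The ledger, the "0xmixer" label, the 48-hour window and the four-tranche
minimum are constructed or assumed values for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRANCHE_CAP_USD = 500_000            # page: tranches "often kept under $500,000"
WINDOW = timedelta(hours=48)         # assumed aggregation window
MIN_TRANCHES = 4                     # assumed: fewer splits are ordinary activity
MIXER_ADDRESSES = {"0xmixer"}        # assumed label set for known mixer contracts


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample ledger: (time, sender, receiver, usd_value)
TRANSFERS = [
    (ts("2026-04-18T02:00"), "0xmixer", "0xattacker", 40_000),        # pre-funding from a mixer
    (ts("2026-04-19T09:00"), "0xtreasury", "0xexchange", 2_000_000),  # one large, ordinary transfer
    (ts("2026-04-19T09:30"), "0xretail", "0xdex", 1_200),
    (ts("2026-04-19T09:45"), "0xretail", "0xdex", 900),
    (ts("2026-04-19T10:00"), "0xattacker", "0xbridge1", 480_000),
    (ts("2026-04-19T10:15"), "0xretail", "0xdex", 1_500),
    (ts("2026-04-19T10:30"), "0xattacker", "0xbridge1", 495_000),
    (ts("2026-04-19T10:45"), "0xretail", "0xdex", 800),
    (ts("2026-04-19T11:05"), "0xattacker", "0xotc1", 470_000),
    (ts("2026-04-19T11:15"), "0xretail", "0xdex", 1_100),
    (ts("2026-04-19T12:00"), "0xattacker", "0xotc2", 499_000),
    (ts("2026-04-19T13:10"), "0xattacker", "0xbridge2", 450_000),
]


def find_structuring(transfers, cap=TRANCHE_CAP_USD, window=WINDOW,
                     min_tranches=MIN_TRANCHES):
    """Return {sender: (tranche_count, total_usd)} for senders that, inside any
    `window`, made at least `min_tranches` outflows each below `cap` whose sum
    still exceeds `cap`. The sum test is what separates structuring from a
    retail user making many small trades."""
    by_sender = defaultdict(list)
    for when, src, _dst, usd in transfers:
        if usd < cap:
            by_sender[src].append((when, usd))

    hits = {}
    for src, outs in by_sender.items():
        outs.sort()
        start = 0
        for end in range(len(outs)):      # sliding window over this sender's sub-cap outflows
            while outs[end][0] - outs[start][0] > window:
                start += 1
            chunk = outs[start:end + 1]
            total = sum(usd for _, usd in chunk)
            if len(chunk) >= min_tranches and total > cap:
                hits[src] = max(hits.get(src, (0, 0)), (len(chunk), total))
    return hits


def mixer_funded(transfers, mixers=MIXER_ADDRESSES):
    """Addresses that received funds directly from a labelled mixer address."""
    return {dst for _when, src, dst, _usd in transfers if src in mixers}


def report(transfers):
    """Join the two signals: structured outflows plus mixer pre-funding."""
    funded = mixer_funded(transfers)
    return {
        src: {"tranches": n, "total_usd": total, "mixer_prefunded": src in funded}
        for src, (n, total) in find_structuring(transfers).items()
    }


if __name__ == "__main__":
    for src, info in report(TRANSFERS).items():
        print(src, info)   # 0xattacker {'tranches': 5, 'total_usd': 2394000, 'mixer_prefunded': True}
```

On the constructed ledger only 0xattacker is flagged: five outflows under the cap that add up to about $2.4 million inside a few hours, from a wallet that a mixer funded the day before. The retail wallet also makes five small transfers in the same window but never comes near the cap in aggregate, and the single $2 million treasury transfer is above the cap and so is not a tranche at all. Real monitoring would add cluster expansion across hops and bridges, but the two-part test, sub-threshold pieces whose sum is above threshold, plus mixer provenance, is the core of the signal.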

Industry response remains fragmented. Exchanges blacklist at different speeds. Some DeFi protocols pause, others do not.

A Dune analysis after the incident found that 47% of active LayerZero OApps were still running 1-of-1 DVN setups.

The defender has to win every week. Lazarus only has to win once a quarter.

What Kelp signals about the next phase

The uncomfortable takeaway from Kelp is that even after Bybit, the gap between code security and operational security is still wide.

Bybit was a signing-interface compromise with a $20 billion balance sheet behind it. Kelp was an infrastructure-layer compromise against a mid-sized liquid restaking protocol.

Same actor cluster, different attack vector, and only eighteen days after the Drift Protocol drain of roughly $285 million that was also linked to DPRK operatives.

That cadence is the point. Lazarus is iterating its playbook faster than DeFi teams are hardening their dependencies, and each successful hit funds the next round of recruiting, tooling and patience.

The Hacker News reported that DPRK-linked actors accounted for 59% of all crypto stolen globally in 2025, which underscores how central this adversary has become to sector losses.

Config choices like single-verifier setups, unaudited node operators and shared wallet software are no longer minor risk items. In a world where the adversary is a state, they are the main event.

Conclusion

Lazarus is the proof point that crypto's biggest security failures are now geopolitical, financial and infrastructural at the same time.

Ronin, Harmony, WazirX, DMM Bitcoin, Bybit and now Kelp do not form a list of unrelated accidents. They form a campaign, run by a sanctioned government against an industry that still underestimates what a persistent nation-state adversary looks like.

The next Kelp is already being planned. The question is whether the industry treats it as a bug report or as a front line.

FAQ

What happened in the Kelp DAO hack?

On Apr. 18, 2026, attackers drained 116,500 rsETH, worth roughly $292 million, from a cross-chain bridge operated by Kelp DAO. The exploit did not target a smart-contract bug. Instead, attackers compromised two remote procedure call nodes used by LayerZero's Decentralized Verifier Network, then forced a failover so a poisoned node rubber-stamped a fraudulent cross-chain message. Kelp's emergency multisig paused core contracts 46 minutes later, blocking two follow-up drain attempts worth another $100 million combined.

Who is the Lazarus Group?

Lazarus is the umbrella label for North Korean state-linked cyber actors, tied by the U.S. Treasury and the FBI to the Reconnaissance General Bureau, Pyongyang's primary military-intelligence agency. Analysts track several subclusters and aliases under the same umbrella, including TraderTraitor, APT38, Bluenoroff, Andariel, Hidden Cobra, Diamond Sleet, Jade Sleet and Slow Pisces. These clusters often share infrastructure and personnel.

Why did LayerZero attribute the Kelp exploit to Lazarus?

LayerZero's post-mortem pointed to the attacker's tradecraft and wallet behavior as hallmarks of a state actor, specifically the TraderTraitor subunit of Lazarus. Pre-funding through Tornado Cash roughly ten hours before the attack, the use of self-destructing binaries on compromised infrastructure and the post-drain consolidation of about 74,000 Ether all match patterns documented in earlier DPRK-linked exploits.

How much crypto has North Korea stolen in total?

Chainalysis identifies $6.75 billion in DPRK-linked crypto theft to date. Of that, $2.02 billion was stolen in 2025 alone, which accounted for roughly 59% of all crypto stolen globally that year. Earlier reporting by South Korea's National Intelligence Service put the five-year total through 2022 at an estimated $1.2 billion, while a U.N. Panel of Experts investigated 58 suspected DPRK cyberattacks between 2017 and 2023 worth around $3 billion.

What is TraderTraitor?

TraderTraitor is a Lazarus subcluster that specializes in crypto industry targets. Its signature move is social engineering against technical staff, often through fake recruiter pitches on LinkedIn, malware-laced pre-employment tests and compromise of wallet software vendors or signing infrastructure. The FBI, the Department of Defense Cyber Crime Center (DC3) and Japan's National Police Agency formally named TraderTraitor in the $308 million DMM Bitcoin theft, and the FBI later named it again as the operator of the $1.5 billion Bybit heist.

What are the biggest Lazarus-linked crypto hacks?

The largest publicly attributed incidents include Ronin Network in Mar. 2022 at roughly $625 million, Harmony Horizon in Jun. 2022 at about $100 million, WazirX in Jul. 2024 at roughly $235 million, DMM Bitcoin in May 2024 at about $308 million, Bybit in Feb. 2025 at roughly $1.5 billion and Kelp DAO in Apr. 2026 at about $292 million.

How does Lazarus launder stolen crypto?

Chainalysis describes a refined roughly 45-day, three-wave laundering cycle. Stolen funds move through mixers, cross-chain bridges and Chinese-language OTC networks, often split into tranches kept under $500,000 to avoid tripping monitoring thresholds. The goal is to outrun exchange blocklists and onchain analytics before funds hit cash-out venues.

Why does North Korea target crypto?

Crypto theft functions as a sanctions-evasion income stream for Pyongyang's isolated economy and as direct funding for its ballistic missile and nuclear programs, according to U.N. Panel of Experts reporting and U.S. officials cited by AP. U.S. estimates suggest cybercrime now accounts for close to half of North Korea's foreign-currency earnings. Crypto rails suit the mission because transactions settle with finality in minutes and cannot be reversed by a correspondent bank.

Who is ZachXBT and what role did he play?

ZachXBT is a pseudonymous onchain investigator whose public attribution work has repeatedly preceded formal government confirmation. In the Bybit case, Arkham's Feb. 21, 2025 bounty post credited him with the transaction-linking analysis that tied the exploit to Lazarus, five days before the FBI formally named North Korea. Onchain sleuths like ZachXBT form an early public attribution layer, not a replacement for federal investigators, but a faster one for exchange-level response.

Can the crypto industry stop Lazarus?

Not with code audits alone. The attack surface that matters is operational, including third-party signing tools, wallet vendors, node infrastructure, recruiter pipelines and build systems. A Dune analysis after the Kelp incident found that 47% of active LayerZero OApps were still running 1-of-1 verifier setups, which is the exact configuration that enabled the Kelp exploit. Hardening that layer, across vendors, infrastructure hosts and human access, is where defensive gains are now concentrated.

Is Kelp DAO safe to use now?

Kelp paused core contracts through its emergency multisig within 46 minutes of detection, which blocked two additional drain attempts. Users should check Kelp's and LayerZero's official incident channels for the current contract status, any recovery or reimbursement program and updated verifier configurations before resuming activity.

What is the difference between Lazarus and TraderTraitor?

Lazarus is the umbrella. TraderTraitor is a specialized subcluster inside that umbrella, focused on crypto industry targets and known for social engineering against engineers and wallet-software vendors. When the FBI attributes an attack specifically to TraderTraitor, it is naming the operational unit, not just the broader state-linked ecosystem.

Disclaimer and Risk Warning: The information provided in this article is for educational and informational purposes only and is based on the author's opinion. It does not constitute financial, investment, legal, or tax advice. Cryptocurrency assets are highly volatile and subject to high risk, including the risk of losing all or a substantial amount of your investment. Trading or holding crypto assets may not be suitable for all investors. The views expressed in this article are solely those of the author(s) and do not represent the official policy or position of Yellow, its founders, or its executives. Always conduct your own thorough research (D.Y.O.R.) and consult a licensed financial professional before making any investment decision.