An investigation suggests that state-sponsored North Korean hackers orchestrated the $290 million crypto theft that impacted the KelpDAO DeFi project over the weekend.
Additionally, other lending protocols like Compound, Euler, and Aave were affected by the attack. Aave has implemented a freeze on new deposits or borrowing using rsETH as collateral.
KelpDAO operates as a decentralized finance (DeFi) project focusing on liquid restaking within the Ethereum network. It allows users to deposit ETH, which is then restaked to generate a liquid token known as ‘rsETH.’
The rsETH token is designed to enable users to continue earning restaking yield while being compatible with various DeFi platforms, including cross-chain functionality through LayerZero.
On April 18, KelpDAO detected suspicious cross-chain activity involving rsETH, prompting a temporary pause on rsETH contracts across Ethereum mainnet and L2s.
The project initiated an inquiry in collaboration with LayerZero, Unichain, and other partners.
Blockchain analysis revealed the theft of approximately 116,500 rsETH, valued at around $293 million, which was then laundered through Tornado Cash.
LayerZero shared further details indicating that the attack targeted the verification layer (the DVN, or Decentralized Verifier Network) that validates cross-chain messages related to rsETH.
The attackers compromised certain RPC nodes used by the verifier to manipulate blockchain data and orchestrated DDoS attacks on other nodes to ensure reliance on the compromised ones.
This manipulation allowed fake cross-chain messages to be accepted, facilitating unauthorized transfers of rsETH.
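The mechanism described above, a verifier that reads chain state from RPC nodes while some of those nodes are compromised and the rest are forced offline, can be modelled in a few lines. The following is an added example and is not LayerZero's, KelpDAO's or any real DVN's code: the `CrossChainMessage` type, its digest encoding, the `make_rpc_source` stand-in for an RPC node and the provider names are all constructed. It contrasts a verifier that trusts whichever node answers first with one that requires a quorum of agreeing, independent sources and treats an unreachable node as a missing vote rather than as a reason to fall back to the nodes that remain.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CrossChainMessage:
    """Constructed model of a bridged message identified by (source chain, nonce)."""
    src_chain: str
    nonce: int
    payload: bytes

    def digest(self) -> str:
        # Hypothetical canonical encoding; real bridges define their own.
        return hashlib.sha256(
            f"{self.src_chain}|{self.nonce}|".encode() + self.payload
        ).hexdigest()


# An RPC source answers "which message digest did src_chain emit at nonce?":
# it returns the digest, None if the chain recorded no such message, or
# raises ConnectionError when the node cannot be reached (e.g. under DDoS).
RpcSource = Callable[[str, int], Optional[str]]


def make_rpc_source(ledger: Dict[Tuple[str, int], str], reachable: bool = True) -> RpcSource:
    """Constructed stand-in for an RPC node; `ledger` is the view it serves."""
    def query(src_chain: str, nonce: int) -> Optional[str]:
        if not reachable:
            raise ConnectionError("node unreachable")
        return ledger.get((src_chain, nonce))
    return query


@dataclass
class Verdict:
    accepted: bool
    agree: List[str] = field(default_factory=list)        # sources confirming the digest
    disagree: List[str] = field(default_factory=list)     # sources reporting something else
    unavailable: List[str] = field(default_factory=list)  # sources that could not be reached


def verify_first_available(msg: CrossChainMessage, sources: Dict[str, RpcSource]) -> bool:
    """Weak pattern: trust whichever node answers first.

    Knocking the honest nodes offline steers every query to the remaining
    (possibly compromised) node, which then decides alone."""
    for src in sources.values():
        try:
            return src(msg.src_chain, msg.nonce) == msg.digest()
        except ConnectionError:
            continue
    return False


def verify_with_quorum(msg: CrossChainMessage, sources: Dict[str, RpcSource], quorum: int) -> Verdict:
    """Hardened pattern: attest only when `quorum` distinct sources agree and none disagree.

    Unreachable sources are recorded but never counted toward the quorum, so an
    outage reduces availability rather than shifting trust to whoever is left."""
    verdict = Verdict(accepted=False)
    expected = msg.digest()
    for name, src in sources.items():
        try:
            reported = src(msg.src_chain, msg.nonce)
        except ConnectionError:
            verdict.unavailable.append(name)
            continue
        (verdict.agree if reported == expected else verdict.disagree).append(name)
    verdict.accepted = len(verdict.agree) >= quorum and not verdict.disagree
    return verdict


def build_scenario():
    """Constructed scenario: one genuine message, one message that the source
    chain never emitted, one provider offline, one serving a tampered view."""
    genuine = CrossChainMessage("ethereum", 7, b"transfer:1000 rsETH")
    forged = CrossChainMessage("ethereum", 8, b"transfer:116500 rsETH")
    truth = {("ethereum", 7): genuine.digest()}
    tampered_view = {**truth, ("ethereum", 8): forged.digest()}
    sources = {
        "provider-a": make_rpc_source(truth, reachable=False),  # knocked offline
        "provider-b": make_rpc_source(tampered_view),           # compromised
        "provider-c": make_rpc_source(truth),                   # honest and reachable
    }
    return genuine, forged, sources


if __name__ == "__main__":
    genuine, forged, sources = build_scenario()
    print("first-available accepts forged message:", verify_first_available(forged, sources))
    print("quorum verdict on forged message:", verify_with_quorum(forged, sources, quorum=2))
    print("quorum verdict on genuine message:", verify_with_quorum(genuine, sources, quorum=2))
```

The `disagree` list is the detection hook: a single responding source that contradicts the others is a strong signal that either that node or the quorum's members have been tampered with, and is worth alerting on even when the message is rejected.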
Initial assessments point to a highly sophisticated state actor, likely DPRK’s Lazarus Group, particularly its TraderTraitor cluster, being responsible for the heist.
The incident was confined to rsETH, with no widespread impact on other applications or assets.
While the KelpDAO breach stands out as a significant loss this year in terms of the stolen amount, the Lazarus Group was also implicated in another substantial theft of $280 million from the Drift Protocol.
A detailed investigation revealed that the Drift Protocol attack involved a meticulously planned operation spanning six months, including agents infiltrating conferences and making large deposits into the project.