A recent breach that drained approximately $292 million from KelpDAO’s cross-chain bridge has been preliminarily attributed to North Korea’s Lazarus Group, specifically its TraderTraitor subunit, according to LayerZero on Monday. The exploit drained 116,500 rsETH (a liquid restaking token backed by staked ether) from the KelpDAO bridge in a weekend incident that triggered withdrawals totaling more than $10 billion from the lending protocol Aave.
LayerZero identified the attack as characteristic of a highly sophisticated state actor, likely associated with DPRK’s Lazarus Group and its TraderTraitor subunit. North Korea’s cyber operations fall under the Reconnaissance General Bureau, encompassing several units including TraderTraitor, AppleJeus, APT38, and DangerousPassword, as per Samczsun from Paradigm.
TraderTraitor is recognized for being the most advanced DPRK group targeting cryptocurrency, having been previously connected to breaches at Axie Infinity Ronin Bridge and WazirX. LayerZero pointed out that KelpDAO utilized a single verifier for approving transfers on its bridge, despite repeated recommendations from LayerZero to implement multiple verifiers.
LayerZero has decided to cease validating messages for any applications using this single-verifier setup moving forward. The exploit revealed the vulnerability inherent in trusting a single verifier, described by Shalev Keren of Sodot as “a single point of failure” regardless of marketing terminology. According to Keren, no audit could have rectified the flaw without eliminating unilateral trust from the architecture.
Haoze Qiu from Grvt emphasized that Kelp DAO had adopted a bridge security setup with insufficient redundancy for such a substantial asset and noted LayerZero’s partial responsibility since “the compromise involved infrastructure related to its validator stack,” though it wasn’t classified as a core protocol bug. According to Cyvers’ analysis, the attackers missed draining another $100 million by only three minutes, because a blacklist was activated in time.
The attack targeted two communication channels the verifier used to confirm withdrawals on Unichain: the attackers fed those channels false confirmations while taking the remaining lines down, so the verifier was forced to rely on the compromised ones. “The vault and guard were secure; it was the communication that was breached,” said Meir Dolev of Cyvers. While LayerZero implicated Lazarus as the likely perpetrator, Cyvers refrained from making a definitive attribution but noted similarities in sophistication, scale, and execution with DPRK-linked operations.
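The failure mode described above, a verifier that accepts whatever its surviving data lines tell it, and the single-verifier weakness LayerZero criticized, can both be shown with a small model. The following is an added example written for this page, not LayerZero, KelpDAO or Cyvers code; the message format, the source and verifier functions, the counts of lines (two honest, two compromised) and the thresholds are all assumptions chosen for illustration.

```python
"""Model of bridge message verification: a verifier that degrades to whatever
data lines remain reachable versus one that fails closed on a fixed quorum.
Hypothetical code written for this article; not any real bridge's logic."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Message:
    src_chain: str
    nonce: int
    withdrawal_hash: str


# A source answers "was this message really emitted on src_chain?".
# None models a line the attacker has knocked out (unreachable).
Source = Callable[[Message], Optional[bool]]
Verifier = Callable[[Message], bool]


def honest_source(ledger: frozenset) -> Source:
    return lambda m: m in ledger


def compromised_source(ledger: frozenset, forged: frozenset) -> Source:
    # Affirms real messages too, so it does not stand out, plus the forgeries.
    return lambda m: m in ledger or m in forged


def downed_source() -> Source:
    return lambda m: None


def verify_degrading(sources: list[Source], msg: Message) -> bool:
    """Accept if every *reachable* source affirms. Cutting the honest lines
    shrinks the reachable set to the compromised ones (the weak design)."""
    answers = [a for s in sources if (a := s(msg)) is not None]
    return bool(answers) and all(answers)


def verify_threshold(sources: list[Source], msg: Message, k: int) -> bool:
    """Fail closed: need k affirmative answers regardless of how many lines
    are up. Choose k larger than the number of lines an attacker could
    plausibly control; the lines must be operationally independent."""
    return sum(1 for s in sources if s(msg) is True) >= k


def verify_multi(verifiers: list[Verifier], msg: Message, k: int) -> bool:
    """Same quorum idea one level up: k of n independent verifiers."""
    return sum(1 for v in verifiers if v(msg)) >= k


# Constructed scenario (assumption): one real withdrawal, one forged one.
LEDGER = frozenset({Message("ethereum", 41, "0x" + "aa" * 32)})
REAL = next(iter(LEDGER))
FORGED = Message("ethereum", 42, "0x" + "bb" * 32)
FORGED_SET = frozenset({FORGED})


def build_sources(honest_up: int, honest_down: int, compromised: int) -> list[Source]:
    return ([honest_source(LEDGER)] * honest_up
            + [downed_source()] * honest_down
            + [compromised_source(LEDGER, FORGED_SET)] * compromised)


def run_attack(k: Optional[int] = None) -> dict:
    """k=None uses the degrading verifier; otherwise a k-of-4 threshold."""
    before = build_sources(2, 0, 2)   # all four lines up, two are compromised
    after = build_sources(0, 2, 2)    # attacker knocks out the two honest lines
    if k is None:
        check = verify_degrading
    else:
        check = lambda s, m: verify_threshold(s, m, k)
    return {
        "forged_before": check(before, FORGED),
        "forged_after": check(after, FORGED),
        "real_after": check(after, REAL),   # liveness once honest lines are cut
    }


def single_vs_multi() -> dict:
    """One verifier fed only compromised lines versus a 2-of-3 of verifiers
    where only that one verifier's inputs are compromised."""
    compromised_verifier = lambda m: verify_degrading(build_sources(0, 2, 2), m)
    honest_verifier = lambda m: verify_degrading(build_sources(2, 0, 0), m)
    return {
        "single": verify_multi([compromised_verifier], FORGED, 1),
        "two_of_three": verify_multi(
            [compromised_verifier, honest_verifier, honest_verifier], FORGED, 2),
    }


if __name__ == "__main__":
    print("degrading verifier:", run_attack())
    print("3-of-4 threshold:  ", run_attack(k=3))
    print("verifier quorum:   ", single_vs_multi())
```

With the degrading verifier the forged withdrawal is rejected while the honest lines are up and accepted once they are cut; the 3-of-4 threshold rejects it in both cases, at the cost of also refusing the legitimate withdrawal until enough lines are back, which is the fail-closed trade-off. The last function makes the same point about verifiers themselves: with a single verifier, compromising that verifier's inputs is sufficient, whereas with a quorum of independent verifiers it is not.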
Dolev highlighted that the malicious software used in the attack erased itself after the operation to remove traces, and cited an Ethereum address to which stolen funds may have been transferred. This was corroborated by ZachXBT’s separate report indicating transactions through Tornado Cash. Earlier this month, another $285 million was drained from Solana’s Drift protocol in a similar DPRK-linked exploit, illustrating the extensive planning and resources required for such attacks.