North Korea's Expanding Crypto Heist Tactics Target DeFi Systems

In less than three weeks, North Korea-associated hackers have executed a second significant attack, this time on Kelp, after initially targeting crypto trading firm Drift. This latest exploit involved manipulating the data fed into Kelp, a restaking protocol built on LayerZero’s cross-chain infrastructure, and indicates an evolution in their methods. Instead of merely hunting for bugs or stolen credentials, these hackers are now exploiting the foundational assumptions of decentralized systems.

The two incidents suggest a coordinated effort rather than isolated hacks, with North Korea intensifying its crypto theft operations. Alexander Urbelis, chief information security officer and general counsel at ENS Labs, emphasizes that this pattern is part of a deliberate strategy: “This is not a series of incidents; it is a cadence.” Over two weeks, more than $500 million was stolen through these exploits.

In the Kelp attack, rather than breaking encryption or keys, attackers manipulated inputs into the system. This caused the system to approve non-existent transactions due to reliance on compromised data. “The security failure is simple: a signed lie is still a lie,” Urbelis remarked. “Signatures guarantee authorship; they do not guarantee truth.” Essentially, the system verified who sent a message but did not check its accuracy.

David Schwed, COO of blockchain security firm SVRN, noted, “This attack wasn’t about breaking cryptography; it was about exploiting how the system was set up.” A significant issue was Kelp’s reliance on a single verifier for cross-chain messages. This setup is faster but lacks redundancy and safety. LayerZero now recommends multiple independent verifiers for transactions.
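The design point in the two paragraphs above, a relay that verifies who signed a cross-chain message but trusts a single verifier for whether the message is true, versus one that requires several independent verifiers to attest to the same message, can be shown in a few lines. The example below is added here; it is not Kelp's or LayerZero's code, and it stands in for asymmetric signatures with per-verifier HMAC keys (a constructed, offline substitute) so that it runs without dependencies. The verifier names, keys and message fields are all constructed for the illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo keys. In a real deployment each verifier holds its own
# private signing key and the relay holds only the public keys; HMAC with a
# per-verifier secret is used here purely so the example runs offline.
VERIFIER_KEYS = {
    "verifier-A": b"demo-key-A",
    "verifier-B": b"demo-key-B",
    "verifier-C": b"demo-key-C",
}

# Constructed messages: the genuine one was actually emitted on the source
# chain; the fabricated one was never emitted and exists only in the
# compromised verifier's output.
GENUINE = {"src_chain": "chain-1", "dst_chain": "chain-2", "nonce": 41, "amount": 100}
FABRICATED = {"src_chain": "chain-1", "dst_chain": "chain-2", "nonce": 42, "amount": 10_000_000}


@dataclass(frozen=True)
class Attestation:
    verifier_id: str
    signature: bytes


def canonical(message: dict) -> bytes:
    """Deterministic serialization so every verifier signs identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def attest(verifier_id: str, message: dict) -> Attestation:
    """A verifier's signed statement that it observed `message` on the source chain."""
    key = VERIFIER_KEYS[verifier_id]
    sig = hmac.new(key, canonical(message), hashlib.sha256).digest()
    return Attestation(verifier_id, sig)


class Relay:
    """Accepts a message only when `threshold` distinct known verifiers attest to it."""

    def __init__(self, verifier_keys: dict, threshold: int):
        if not 1 <= threshold <= len(verifier_keys):
            raise ValueError("threshold must be between 1 and the number of verifiers")
        self.verifier_keys = dict(verifier_keys)
        self.threshold = threshold

    def accepts(self, message: dict, attestations: list) -> bool:
        expected = canonical(message)
        confirmed = set()  # a set, so a verifier counts once however often it attests
        for a in attestations:
            key = self.verifier_keys.get(a.verifier_id)
            if key is None:
                continue  # unknown verifier: its signature carries no weight
            good = hmac.new(key, expected, hashlib.sha256).digest()
            # A valid signature over a *different* message does not verify here,
            # so an honest verifier's attestation of GENUINE cannot be reused
            # to vouch for FABRICATED.
            if hmac.compare_digest(good, a.signature):
                confirmed.add(a.verifier_id)
        return len(confirmed) >= self.threshold


def single_verifier_accepts_fabricated() -> bool:
    """One verifier, threshold 1: if that verifier is compromised, a signed lie passes."""
    relay = Relay({"verifier-A": VERIFIER_KEYS["verifier-A"]}, threshold=1)
    return relay.accepts(FABRICATED, [attest("verifier-A", FABRICATED)])


def quorum_rejects_fabricated() -> bool:
    """2-of-3: the compromised verifier alone cannot reach the threshold, and the
    honest verifier's signature over the genuine message does not count for the fake."""
    relay = Relay(VERIFIER_KEYS, threshold=2)
    return relay.accepts(FABRICATED, [attest("verifier-A", FABRICATED),
                                      attest("verifier-B", GENUINE)])


def quorum_rejects_duplicate_attestations() -> bool:
    """Submitting the compromised verifier's attestation twice is still one vote."""
    relay = Relay(VERIFIER_KEYS, threshold=2)
    a = attest("verifier-A", FABRICATED)
    return relay.accepts(FABRICATED, [a, a])


def quorum_accepts_genuine() -> bool:
    """Two honest verifiers agreeing on the genuine message reach the threshold."""
    relay = Relay(VERIFIER_KEYS, threshold=2)
    return relay.accepts(GENUINE, [attest("verifier-B", GENUINE),
                                   attest("verifier-C", GENUINE)])


if __name__ == "__main__":
    print("single verifier, fabricated message accepted:", single_verifier_accepts_fabricated())
    print("2-of-3 quorum, fabricated message accepted:  ", quorum_rejects_fabricated())
    print("2-of-3 quorum, duplicated attestation:        ", quorum_rejects_duplicate_attestations())
    print("2-of-3 quorum, genuine message accepted:      ", quorum_accepts_genuine())
```

The point the example makes is the one Urbelis and Schwed describe: every signature in the single-verifier case checks out, and the relay still approves a transfer that never happened, because authorship is the only thing it verifies. Raising the threshold to a quorum of independent verifiers does not make any one signature more trustworthy; it makes the relay's acceptance depend on several parties independently observing the same event, so one compromised verifier is no longer sufficient.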

The repercussions of the Kelp exploit extend beyond its direct impact, affecting other DeFi systems due to shared assets. Schwed likens these assets to “a chain of IOUs,” where weaknesses in one link compromise others. Lending platforms like Aave that used the affected assets as collateral are now experiencing losses.

This incident highlights a discrepancy between the marketed and actual decentralization of such systems. Schwed argues, “A single verifier is not decentralized.” Urbelis further explains that decentralization involves choices throughout system design: “Decentralization is not a property a system has. It is a series of choices.”

Even seemingly decentralized systems can have vulnerabilities, especially in less visible layers like data providers or infrastructure. Lazarus, the group behind these attacks, is increasingly targeting cross-chain and restaking infrastructures—components critical to asset movement yet prone to misconfiguration.

The shift from focusing on exchanges to exploiting crypto’s “plumbing” suggests a strategic pivot towards complex systems that connect different platforms. The danger lies not in unknown vulnerabilities but in known ones left unaddressed, as these become easier and more costly to exploit. The Kelp incident underscores the ongoing exposure of the ecosystem to familiar weaknesses when security is considered optional rather than mandatory.
