LayerZero Post Mortem Shows Lazarus Group Stole $290M From KelpDAO via RPC Node Compromise


The Defiant, Apr 20, 2026

Why It Matters

The breach shows how a single verifier fed by compromised RPC nodes can put billions of dollars of DeFi value at risk, prompting an urgent reassessment of infrastructure redundancy and supply-chain security across blockchain protocols.

Key Takeaways

  • Lazarus Group compromised two LayerZero RPC nodes and used them to feed the verifier fabricated transaction data.
  • KelpDAO ran a single-verifier (1-of-1 DVN) configuration, leaving one point of failure.
  • The forged messages released $290 million of unbacked rsETH, draining the bridge.
  • The malware self-destructed after the theft, erasing forensic traces.
  • The incident highlights the need for multi-verifier redundancy and supply-chain security.

Pulse Analysis

The Lazarus Group’s recent heist marks an evolution in blockchain attacks, moving beyond smart-contract exploits to the data-delivery layer underneath. By hijacking two LayerZero RPC nodes, the attackers fed fabricated transaction data directly to the protocol’s verifier while returning normal responses to everyone else. This dual-mode behaviour let the malware evade the usual monitoring, and a coordinated DDoS against the legitimate endpoints left the verifier dependent on the compromised nodes, culminating in the release of $290 million worth of unbacked rsETH. The malware’s self-destruct routine then erased its own traces, complicating forensic analysis and underscoring the attackers’ operational maturity.

The incident spotlights a critical architectural flaw in many DeFi projects: reliance on a single Decentralized Verifier Network (DVN). KelpDAO’s 1-of-1 DVN configuration, kept despite prior warnings, meant that whoever controlled that one verifier’s view of the source chain controlled the bridge. The breach is a cautionary tale for the broader ecosystem, emphasizing the need for multi-verifier redundancy, diversified RPC providers, and rigorous node authentication. Projects must also run continuous integrity checks that compare what the verifier actually consumed against independent external observers, since a node that lies only to the verifier is exactly the inconsistency such a check would surface.
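The two failure modes described above (a dual-mode node that lies only to the verifier, and a DDoS that leaves the verifier with nothing but the compromised nodes) and the remedies listed (diversified providers, agreement across independent operators, cross-checks against an external observer) can be shown in a small simulation. This is an added example, not code from LayerZero, KelpDAO or The Defiant; every provider, operator, receipt and function name below is constructed for illustration, and the receipt shape only loosely follows an Ethereum JSON-RPC transaction receipt.

```python
"""Quorum verification of source-chain data plus an external cross-check.

Added example (not LayerZero, KelpDAO or The Defiant code). Every provider,
receipt and operator below is constructed so the script runs offline.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class RpcTimeout(Exception):
    """A provider that never answers, e.g. an endpoint knocked out by DDoS."""


@dataclass(frozen=True)
class Provider:
    name: str
    operator: str                        # quorum counts distinct operators, not URLs
    fetch: Callable[[str, str], dict]    # (caller_id, tx_hash) -> receipt


@dataclass
class Verdict:
    status: str                          # "verified" | "divergent" | "inconclusive"
    digest: Optional[str]                # payload digest a consumer may act on (verified only)
    agreeing: List[str] = field(default_factory=list)
    dissenting: List[str] = field(default_factory=list)
    unavailable: List[str] = field(default_factory=list)


def canonical_digest(receipt: dict) -> str:
    """Stable hash of a receipt so answers from different nodes can be compared."""
    blob = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def verify_with_quorum(providers: List[Provider], tx_hash: str,
                       caller_id: str, min_operators: int) -> Verdict:
    """Accept a receipt only if enough independent operators return identical data.

    Fails closed both ways: any disagreement is reported as divergence, and too
    few responders (outage or DDoS) is inconclusive, never a reason to trust
    whichever nodes are still answering.
    """
    by_digest: Dict[str, List[Provider]] = {}
    unavailable: List[str] = []
    for p in providers:
        try:
            receipt = p.fetch(caller_id, tx_hash)
        except RpcTimeout:
            unavailable.append(p.name)
            continue
        by_digest.setdefault(canonical_digest(receipt), []).append(p)

    if not by_digest:
        return Verdict("inconclusive", None, unavailable=unavailable)
    if len(by_digest) > 1:
        ranked = sorted(by_digest.values(), key=lambda ps: -len({p.operator for p in ps}))
        dissent = [p.name for ps in ranked[1:] for p in ps]
        return Verdict("divergent", None, [p.name for p in ranked[0]], dissent, unavailable)
    (digest, agreeing), = by_digest.items()
    if len({p.operator for p in agreeing}) < min_operators:
        return Verdict("inconclusive", None, [p.name for p in agreeing], [], unavailable)
    return Verdict("verified", digest, [p.name for p in agreeing], [], unavailable)


def external_cross_check(consumed_digest: str, providers: List[Provider], tx_hash: str) -> List[str]:
    """Re-fetch from a monitoring vantage point; return providers whose answer
    differs from what the verifier actually consumed."""
    mismatches = []
    for p in providers:
        try:
            seen = canonical_digest(p.fetch("monitor", tx_hash))
        except RpcTimeout:
            continue
        if seen != consumed_digest:
            mismatches.append(p.name)
    return mismatches


# --- constructed fixtures (not real chain data) ---------------------------
TX = "0xfeed0001"
GENUINE = {"transactionHash": TX, "status": "0x1", "blockHash": "0xb10c",
           "logs": [{"event": "Deposit", "amount_wei": "0xde0b6b3a7640000"}]}   # 1 ETH
FABRICATED = dict(GENUINE, logs=[{"event": "Deposit",
                                  "amount_wei": "0x1ed09bead87c0378d8e6400000000"}])  # inflated


def honest(caller_id: str, tx_hash: str) -> dict:
    return GENUINE


def dual_mode(caller_id: str, tx_hash: str) -> dict:
    """Compromised node: lies only to the verifier, answers everyone else truthfully."""
    return FABRICATED if caller_id == "verifier" else GENUINE


def ddosed(caller_id: str, tx_hash: str) -> dict:
    raise RpcTimeout(tx_hash)


def run_scenarios() -> Dict[str, object]:
    one_of_one = [Provider("rpc-a", "op-a", dual_mode)]
    three_ops = [Provider("rpc-a", "op-a", dual_mode),
                 Provider("rpc-b", "op-b", honest), Provider("rpc-c", "op-c", honest)]
    under_ddos = [Provider("rpc-a", "op-a", dual_mode),
                  Provider("rpc-b", "op-b", ddosed), Provider("rpc-c", "op-c", ddosed)]
    single = verify_with_quorum(one_of_one, TX, "verifier", 1)
    return {
        "1of1": single.status,                       # the lone node is simply believed
        "1of1_monitor_mismatch": external_cross_check(single.digest, one_of_one, TX),
        "2of3": verify_with_quorum(three_ops, TX, "verifier", 2).status,
        "2of3_under_ddos": verify_with_quorum(under_ddos, TX, "verifier", 2).status,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The 1-of-1 case is accepted as "verified" because there is nothing to compare against, and only the external monitor, which the dual-mode node answers truthfully, exposes the mismatch. With three operators the same node is flagged as divergent, and when the honest endpoints are knocked offline the check returns inconclusive rather than falling back on the one node still responding. Quorum only helps while the compromised operators stay below the threshold, which is why the providers must be genuinely independent rather than several URLs from one operator.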

Beyond the technical lessons, the theft carries geopolitical weight. Lazarus Group, linked to North Korea’s state cyber apparatus, continues to fund the regime through high-value crypto thefts. Its ability to reach into supply-chain components raises the possibility of earlier compromise of LayerZero’s own infrastructure or of insider access, although neither is established here. For regulators and institutional investors, the episode reinforces the urgency of robust cyber-risk frameworks, mandatory third-party audits, and industry collaboration on threat-intelligence sharing to blunt future large-scale DeFi exploits.
