Live Wire
11:57ZFRONTLINEIArtificial Intelligence | Is Andhra Pradesh’s data centre push a recipe for disaster?Ayesha Minhazhttps://fro…11:57ZWFWITNESSA cardboard cutout of Iranian Supreme Leader Mojtaba Khamenei was spotted at the Tel-Aviv Pride Parade.11:56ZTHECANARYU12 June 2026📰 Skwawkbox: Labour pushing bill to legalise ‘dark money’ political briberyKeir Starmer’s Labour…11:56ZWARTRANSLAUkrainian Steel Border Brigade border guards eliminated three Russian loiter drones, a ground robot, howitzer…11:53ZBRICSNEWSNetanyahu said Iran would not possess a nuclear weapon as long as he remains in office11:53ZINDIANEXPRMan wins 19,700 rupees from Reliance Jio for slow internet speed11:53ZINDIANEXPRCentre mulls policy to aid CBSE students in West Asia amid war disruptions via The Indian Express https://ift…11:53ZINDIANEXPRSanjay Raut: ‘Leaders like Sharad Pawar, Mamata, KCR who left the Congress should unite, make the party stron…11:57ZFRONTLINEIArtificial Intelligence | Is Andhra Pradesh’s data centre push a recipe for disaster?Ayesha Minhazhttps://fro…11:57ZWFWITNESSA cardboard cutout of Iranian Supreme Leader Mojtaba Khamenei was spotted at the Tel-Aviv Pride Parade.11:56ZTHECANARYU12 June 2026📰 Skwawkbox: Labour pushing bill to legalise ‘dark money’ political briberyKeir Starmer’s Labour…11:56ZWARTRANSLAUkrainian Steel Border Brigade border guards eliminated three Russian loiter drones, a ground robot, howitzer…11:53ZBRICSNEWSNetanyahu said Iran would not possess a nuclear weapon as long as he remains in office11:53ZINDIANEXPRMan wins 19,700 rupees from Reliance Jio for slow internet speed11:53ZINDIANEXPRCentre mulls policy to aid CBSE students in West Asia amid war disruptions via The Indian Express https://ift…11:53ZINDIANEXPRSanjay Raut: ‘Leaders like Sharad Pawar, Mamata, KCR who left the Congress should unite, make the party stron…
Markets
S&P 500743.05 0.72%Nasdaq25,810 2.54%Nasdaq 10029,446 3.29%Dow513.54 0.82%Nikkei92.71 0.57%China 5035.28 1.06%Europe89.46 0.00%DAX42.27 0.00%BTC$63,741 1.08%ETH$1,673 0.44%BNB$606.64 1.03%XRP$1.14 1.66%SOL$66.89 1.62%TRX$0.312 2.95%DOGE$0.0868 1.78%HYPE$59.3 4.18%LEO$9.52 0.44%RAIN$0.0131 1.31%QQQ$721.62 0.63%VOO$683.22 0.74%VTI$367.1 0.77%IWM$293.2 0.96%ARKK$76.19 0.97%HYG$79.98 0.05%Gold$386.8 0.12%Silver$60.9 0.13%WTI Crude$126.25 2.00%Brent$48.33 1.63%Nat Gas$11.07 0.81%Copper$39.08 0.36%EUR/USD1.1537 0.00%GBP/USD1.3364 0.00%USD/JPY160.54 0.00%USD/CNY6.7774 0.00%S&P 500743.05 0.72%Nasdaq25,810 2.54%Nasdaq 10029,446 3.29%Dow513.54 0.82%Nikkei92.71 0.57%China 5035.28 1.06%Europe89.46 0.00%DAX42.27 0.00%BTC$63,741 1.08%ETH$1,673 0.44%BNB$606.64 1.03%XRP$1.14 1.66%SOL$66.89 1.62%TRX$0.312 2.95%DOGE$0.0868 1.78%HYPE$59.3 4.18%LEO$9.52 0.44%RAIN$0.0131 1.31%QQQ$721.62 0.63%VOO$683.22 0.74%VTI$367.1 0.77%IWM$293.2 0.96%ARKK$76.19 0.97%HYG$79.98 0.05%Gold$386.8 0.12%Silver$60.9 0.13%WTI Crude$126.25 2.00%Brent$48.33 1.63%Nat Gas$11.07 0.81%Copper$39.08 0.36%EUR/USD1.1537 0.00%GBP/USD1.3364 0.00%USD/JPY160.54 0.00%USD/CNY6.7774 0.00%
CLOSEDNYSEopens in 1h 30m
themonexus.
Vol. I · No. 163
Friday, 12 June 2026
11:59 UTC
  • UTC11:59
  • EDT07:59
  • GMT12:59
  • CET13:59
  • JST20:59
  • HKT19:59
← back to Saturday edition◉ LIVE ON THE WIREfollow this thread in real time
Asia

LayerZero Links $290M KelpDAO Hack to North Korea's Lazarus Group

LayerZero has preliminarily attributed the $290 million KelpDAO exploit to North Korea's Lazarus Group, describing the attack as a sophisticated RPC poisoning operation that exploited a single-verifier setup Kelp had been warned against.
By Monexus Staff Writerasia5-minute read20 Apr 2026☆ Save↗ Share⎙ Print
LayerZero has preliminarily attributed the $290 million KelpDAO exploit to North Korea's Lazarus Group, describing the attack as a sophisticated RPC poisoning operation that exploited a single-verifier setup Kelp had been warned against.
LayerZero has preliminarily attributed the $290 million KelpDAO exploit to North Korea's Lazarus Group, describing the attack as a sophisticated RPC poisoning operation that exploited a single-verifier setup Kelp had been warned against. / TechCrunch / Photography

On 20 April 2026, LayerZero confirmed what blockchain analysts had suspected for days: the $290 million extraction from KelpDAO's liquidity pools on 18 April was the work of a sophisticated adversary operating with the resources and tradecraft of a nation-state. Preliminary indicators, the protocol said, pointed to North Korea's Lazarus Group, the prolific cyber-actor tied to multiple billion-dollar crypto drains over the preceding decade. The attack vector was not a novel smart contract bug. It was older, simpler, and, according to LayerZero's technical account, entirely preventable.

The exploit succeeded because KelpDAO had relied on a single verifier node rather than the multi-verifier architecture LayerZero had explicitly recommended as standard practice for high-value deployments. Attackers compromised two RPC nodes the company's verifier depended on and launched a distributed denial-of-service strike against the remaining infrastructure, rendering the verification system inoperable. With no way to confirm transaction validity, the protocol's front-end interface was manipulated into approving fraudulent asset transfers. The $290 million figure represents one of the largest single exploits in decentralized finance history, and the attribution — if confirmed — would mark a significant escalation in the Lazarus Group's targeting of cross-chain messaging infrastructure.

The Technical Anatomy of an Avoidable Loss

LayerZero's preliminary account paints a picture of an attack that required precision but not innovation. RPC poisoning — redirecting a node's remote procedure calls to a malicious endpoint — is a known attack surface in blockchain environments. The method works because some applications trust RPC responses without additional validation. When combined with a DDoS component that severs access to honest nodes, the attacker can feed the compromised interface whatever data serves the exploit.

What makes this case notable is the target surface. KelpDAO operated as a cross-chain liquidity protocol, meaning its exposure is not limited to a single blockchain ecosystem. Exploits on bridges and messaging layers can cascade across multiple chains simultaneously. LayerZero's omnichain architecture, designed to facilitate messaging between disparate blockchain environments, creates a concentrated point of failure: if the verification layer is compromised, every connected chain is potentially exposed.

The sources do not specify whether KelpDAO had received direct warnings from LayerZero about its single-verifier setup prior to the exploit. LayerZero confirms the protocol ignored multi-verifier recommendations, but the timing and specificity of those recommendations — whether they were general security guidance or incident-specific alerts — remains unclear from the public record.

Attribution and Its Limitations

Attribution in blockchain exploits is a fraught exercise. Wallet addresses can be traced on-chain, but connecting those addresses to human operators requires either Chainalysis-pattern blockchain forensics, intelligence-gathering from state actors, or voluntary disclosures from exchanges that process the resulting laundered funds. LayerZero's preliminary identification of the Lazarus Group carries weight because the protocol operates across multiple jurisdictions and has relationships with compliance-oriented infrastructure providers who would flag north Korean wallet patterns.

That said, preliminary attribution is not confirmed attribution. The Lazarus Group has previously been misidentified in the immediate aftermath of exploits, only for subsequent forensic analysis to complicate or reverse the initial narrative. Monexus has reached out to LayerZero for clarification on the evidentiary basis for the Lazarus attribution and whether any independent blockchain forensic firms have independently corroborated the link. This publication had not received a response at time of writing.

There is also the question of deniability. The Lazarus Group operates at the pleasure of the North Korean state, and the regime has an established pattern of using cyber proceeds to fund sanctioned programs. If the attribution holds, it would be the third major cross-chain exploit attributed to the group in eighteen months — suggesting either escalating operational ambition or a deliberate strategy to target infrastructure where security practices have not kept pace with the value flowing through them.

The Cross-Chain Security Reckoning

The KelpDAO exploit arrives at a moment of acute scrutiny for cross-chain messaging protocols. These layers — which include LayerZero, Wormhole, Hyperlane, and a handful of competitors — are the connective tissue of an increasingly fragmented DeFi landscape. Without them, assets cannot move fluidly between Ethereum, Solana, Arbitrum, and dozens of other chains. The protocols are essential infrastructure, yet their security assumptions have not always evolved at the same rate as the capital flows they enable.

The structural pattern here is not unique to crypto. Concentrated infrastructure with dispersed users is precisely the topology that sophisticated adversaries target. A single point of failure in a critical messaging layer creates exposure that individual users — or even individual protocols — cannot independently defend against. The multi-verifier recommendation LayerZero advocates is functionally similar to redundancy requirements in traditional financial market infrastructure: if one data center fails, others must be available to prevent settlement failures.

That KelpDAO opted for a simpler, cheaper single-verifier setup is understandable from a business perspective. Multi-verifier configurations add latency and cost. But the exploit demonstrates that the premium for simplicity, in this case, was catastrophic. The question now confronting every protocol building on cross-chain messaging infrastructure is whether they have made the same tradeoff — and whether their users are aware of the risk.

Stakes and the Road Ahead

If the Lazarus attribution is confirmed, the KelpDAO exploit will reshape how the DeFi ecosystem thinks about cross-chain security. Regulators in the United States, European Union, and United Kingdom have been increasing pressure on bridge and messaging protocols to implement stronger know-your-customer and anti-money laundering controls — controls that, ironically, might have flagged the wallets involved before the drain was completed. The exploit gives those regulatory arguments additional momentum.

For LayerZero, the immediate stakes are reputational and commercial. The protocol's architecture has been validated by the scale of its adoption, but an exploit of this magnitude — even one technically consistent with the company's own security guidance — creates pressure to either demonstrate that the fault lies entirely with KelpDAO's implementation choices or to acknowledge that the messaging layer itself requires hardening. The former is LayerZero's current position. Whether the market accepts it will depend on how the forensic picture develops over the coming weeks.

The sources do not yet specify the full list of chains affected, the total unique wallet count of impacted users, or whether any of the stolen funds have been frozen or recovered through exchange cooperation. Those details will arrive as blockchain analytics firms complete their on-chain analysis. What is clear from LayerZero's 20 April statement is that the exploit was not the product of an obscure vulnerability — it was an attack that worked because basic protective architecture was absent. In a space that often treats smart contract audits as the sum total of security, that distinction matters.

Wire provenance

This editorial synthesis draws on the following public wire/social posts:

  • https://t.me/Cointelegraph/136689
© 2026 Monexus Media · reported from the wire