Trending

Lazarus Group's $292M Exploit Triggered a $15B Aave Collapse

North Korea's Lazarus Group drained $292M from Kelp DAO's LayerZero bridge on April 18, triggering a $15B Aave TVL collapse and $13.21B in DeFi contagion outflows — the worst DeFi crisis of 2026.

Spotedcrypto
by Spotedcrypto
Apr 23, 2026
6 min read
Kelp DAO DeFi bridge hack 292 million Aave TVL collapse Lazarus Group 2026 paper cut collage illustration

On April 18, 2026, North Korea's Lazarus Group executed the largest single DeFi attack of the year — draining 116,500 rsETH worth $292 million from Kelp DAO's LayerZero-powered cross-chain bridge. The fallout arrived within hours: $13.21 billion in total DeFi liquidity fled 20+ protocols inside 48 hours. Aave shed $15 billion in TVL across four days. April 2026 has now logged $606 million in losses from 12 hacks in 18 days — the worst month for crypto security since the Bybit $1.4 billion heist in February 2025.

How Lazarus Drained Kelp DAO's LayerZero Bridge

Quick Answer: Lazarus Group's TraderTraitor subcluster compromised 2 RPC nodes feeding Kelp DAO's LayerZero relayer, then launched a DDoS attack to force a failover. LayerZero's verifier approved a fraudulent cross-chain transaction — draining 116,500 rsETH ($292M), about 18% of total circulating supply.

Between April 18–19, attackers executed a two-stage operation. First, TraderTraitor compromised two RPC nodes that fed transaction data to the LayerZero relayer. Then a simultaneous DDoS attack forced the bridge into failover mode, opening a window in which LayerZero's verifier signed off on a fabricated cross-chain message. The bridge functioned exactly as architected — it simply trusted falsified inputs.

LayerZero confirmed the attribution in an official statement: "On April 18, 2026, KelpDAO was exploited for approximately $290 million. Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK's Lazarus Group, more specifically TraderTraitor."

An anonymous DeFi security researcher distilled the mechanics: "Attackers compromised nodes and fed the system a false version of reality. The bridge worked as designed. It just believed the wrong information." (CoinDesk, April 21, 2026)

The drained 116,500 rsETH represented roughly 18% of the token's 630,000-unit circulating supply — a shock large enough to immediately destabilize every DeFi market that accepted rsETH as collateral.

$15 Billion Gone — The Aave Contagion Effect

The $292 million drain was the trigger; Aave's $45.8 billion deposit base was the collateral damage. rsETH had been widely accepted as collateral across DeFi lending markets, and once the token's integrity was in question, mass withdrawals cascaded across the ecosystem. Aave v3's WETH market briefly hit 100% utilization — an acute signal of liquidity stress that sent depositors scrambling for exits.

Aave's total deposits fell from $45.8B to $30.8B in just four days. Potential bad debt from rsETH-backed positions is estimated between $123M and $230M, with roughly $196M concentrated in the rsETH/wETH collateral pair. Not all capital evaporated — SparkLend captured $1.3B in TVL as users rotated out of Aave.

Crypto analyst Altcoin Sherpa put the systemic stakes plainly: "AAVE is the backbone of DeFi, has billions in there, and pretty much every single new DeFi infrastructure on new chains is a fork of it. When AAVE has contagion risk, it shows the fragility of the entire system." (Invezz, April 21, 2026)

Polymarket traders price only 20% odds that Kelp DAO will socialize losses across all mainnet rsETH holders — suggesting targeted reimbursement, not ecosystem-wide dilution, remains the likely outcome. (CoinDesk, April 22, 2026)

MetricFigureNotes
Kelp DAO exploit size$292M116,500 rsETH drained (~18% of supply)
Aave TVL decline (4 days)$15B$45.8B → $30.8B
Aave potential bad debt$123M–$230MrsETH collateral exposure
Total DeFi TVL outflows (48h)$13.21B20+ protocols impacted
April 2026 Lazarus total$578MDrift ($285M) + Kelp ($292M)
SparkLend TVL inflow+$1.3BCapital rotation from Aave

Bridge Hacks: Four Years, Same Lazarus Playbook

1inch co-founder Sergej Kunz delivered the industry verdict: "Anything that can go wrong will go wrong, and bridge hacks are a perfect example. You see code vulnerabilities, centralization issues, social engineering, even economic attacks." (CoinDesk, April 21, 2026)

The pattern is grimly consistent. In March 2022, Lazarus Group hit the Ronin Bridge for $625M by compromising 5 of 9 validator keys. In February 2022, the Wormhole $320M exploit leveraged cross-chain signature verification flaws. The Kelp DAO attack evolved the method — RPC node compromise instead of validator key theft — but the root vulnerability remained identical: a trusted off-chain intermediary was deceived into approving fraudulent transactions. Four years of security upgrades, four years of the same outcome. The broader crypto industry has lost more than $17 billion to hacks over the past decade, with bridge infrastructure consistently the most targeted surface. SpotedCrypto's DeFi security coverage tracks this threat landscape as it evolves.

IncidentAmountDateAttack VectorAttribution
Kelp DAO Bridge$292MApr 2026RPC node compromise + DDoS failoverLazarus Group
Bybit Exchange$1.4BFeb 2025Hot wallet compromiseLazarus Group
Ronin Bridge$625MMar 2022Validator key theft (5/9)Lazarus Group
Wormhole Bridge$320MFeb 2022Signature verification exploitUnconfirmed

Live Market Snapshot — Binance & OKX, April 23, 14:00 KST

Broader markets are digesting the hack news with relative stability. As of April 23 at 14:00 KST, BTC trades at $77,924 on Binance (+0.54%) with $1.5B in 24-hour volume. OKX shows BTC at $77,915 — tight cross-exchange alignment. ETH sits at $2,348 on Binance (-0.66%) and $2,348 on OKX (-1.10%). Total market cap stands at $2.68T, BTC dominance at 58.1%, ETH dominance at 10.6%. The Fear & Greed Index reads 46 — Fear territory, but up 14 points from yesterday, suggesting the worst of the panic selling may be stabilizing.

Two outlier movers dominate volume: CHIP surged +55.1% to $0.095 with $445.1M in Binance volume (ranked #4), while SPK jumped +68.8% to $0.052 with $82.2M in volume. BIO Protocol continues its DeSci-driven rally on the back of AI integration upgrades — detailed in our BIO Protocol deep dive.

#CoinPrice24h ChangeVolume(24h)HighLow
1USDC$1.00-0.02%$2.7B$1.00$1.00
2BTC$77,924+0.54%$1.5B$79,472.82$77,450.00
3ETH$2,348-0.66%$925.7M$2,423.75$2,331.50
4CHIP$0.10+55.13%$445.1M$0.14$0.06
5SOL$86-1.29%$265.1M$89.32$85.48
6USD1$1.00+0.01%$169.6M$1.00$1.00
7XRP$1.42-1.85%$120.9M$1.46$1.41
8DOGE$0.10-0.34%$90.2M$0.10$0.10
9BNB$636-0.58%$88.0M$654.19$633.23
10SPK$0.05+68.81%$82.2M$0.06$0.03

The Binance perpetual futures picture is striking. BTC carries a negative funding rate of -0.0079% with $8.0B in open interest and a heavily skewed 35.7% long / 64.3% short ratio — roughly $180M in short positions clustered in the $77K–$78K resistance zone, creating meaningful short-squeeze risk. ETH funding is +0.0100% with $5.3B OI and a more balanced 58.1% / 41.9% long-short split. XRP holds the most aggressive bullish positioning: 70.5% long / 29.5% short with $393M OI. SOL longs dominate at 65.2% vs. 34.8% short with $797.5M OI. DOT carries a deeply negative funding rate of -0.0172%, signaling bearish consensus in that market.

CoinFunding RateOpen InterestLong/Short
BTC-0.0079%$8.0B35.7% / 64.3%
ETH0.0100%$5.3B58.1% / 41.9%
SOL0.0086%$797.5M65.2% / 34.8%
XRP-0.0029%$393.0M70.5% / 29.5%
DOGE0.0060%$283.3M72.0% / 28.0%
BNB0.0013%$339.3MN/A
ADA0.0035%$80.2MN/A
DOT-0.0172%$41.4MN/A
LINK0.0037%$82.9MN/A

What DeFi Investors Should Do Now

With $606M lost in 18 days and Aave's bad debt unresolved, here is how to reduce exposure:

  • Verify bridge audit status before use: Any LayerZero or cross-chain bridge should have a current, independent third-party security audit on record. No audit confirmation means unquantified risk.
  • Reduce LST collateral concentration: The rsETH collapse shows how liquid staking tokens carry hidden contagion vectors. Diversify collateral types across protocols and avoid heavy single-asset concentration in lending markets.
  • Track Aave bad debt resolution: The $123M–$230M rsETH bad debt overhang remains open. Monitor Aave governance decisions and Kelp DAO's reimbursement progress before re-entering leveraged positions.
  • Increase cold storage allocation: Hardware wallets eliminate bridge and protocol counterparty exposure. During periods of elevated exploit activity, minimizing hot wallet and bridge usage is the most direct form of protection available.

Stay current on DeFi security developments at SpotedCrypto. Our DeFi section tracks protocol-level risks and market structure shifts as they unfold.

FAQ

Is my rsETH at risk after the Kelp DAO hack?

rsETH held through native staking — not bridged through the compromised LayerZero contract — carries lower direct exposure. Kelp DAO is working through recovery and reimbursement options. Polymarket gives only 20% odds that losses will be socialized across all mainnet rsETH holders, suggesting targeted compensation is the more likely path. Monitor Kelp DAO's official channels before taking action.

Why do DeFi bridge exploits keep repeating despite years of warnings?

Cross-chain bridges require off-chain trust layers — validators, relayers, or RPC nodes — each of which is a potential single point of failure. The Ronin, Wormhole, and Kelp DAO exploits all share the same root cause: a trusted intermediary was compromised or deceived. As 1inch's Sergej Kunz noted, bridges face code vulnerabilities, centralization risks, and social engineering simultaneously. Fully trustless cross-chain architecture remains an unsolved problem in the industry.

Disclaimer: This article is for informational purposes only and does not constitute investment advice. All investment decisions are the sole responsibility of the reader.

Related Posts