North Korea's Lazarus Group has been officially confirmed as the perpetrator of the $292 million Kelp DAO exploit — 2026's largest DeFi hack. LayerZero's post-mortem, published April 20, attributes the attack to the group's TraderTraitor subunit. The fallout has been catastrophic: $13.2 billion erased from DeFi total value locked within 48 hours, a $300 million emergency borrowing surge on Aave, and nine major protocols caught in the contagion.
What Happened: $292M Drained in 46 Minutes
Quick Answer: On April 18 at 17:35 UTC, Kelp DAO's LayerZero bridge was exploited for $292M via a single-validator (1-of-1 DVN) configuration flaw combined with a DDoS attack on RPC infrastructure. North Korea's Lazarus Group (TraderTraitor subunit) was officially confirmed on April 20. DeFi TVL subsequently dropped $13.2B within 48 hours.
At 17:35 UTC on April 18, attackers began draining Kelp DAO's cross-chain bridge. The root cause: Kelp had configured LayerZero with a single DVN (Decentralized Verifier Network), a 1-of-1 validator setup. The attacker exploited that configuration while simultaneously flooding Kelp's RPC infrastructure with DDoS traffic to suppress legitimate verification. This allowed the attacker to forge cross-chain messages and mint 116,500 rsETH tokens, approximately 18% of the 630,000 total circulating supply, without any backing collateral.
Kelp's team triggered an emergency pause at 18:21 UTC, 46 minutes after the exploit began. Two follow-up attacks each targeting approximately $100M were blocked at 18:26 and 18:28 UTC. Total confirmed losses: $292–293 million, making it the largest single DeFi exploit of 2026.
Ripple CTO Emeritus David Schwartz, who had evaluated DeFi bridging protocols during RLUSD due diligence, explained the systemic failure: "Bridge providers would pitch their most advanced security features prominently, then almost immediately suggest that those features were optional — and generally recommended not bothering to use the most important security mechanisms because they have convenience and operational complexity costs." (EdaFace, April 20)
Lazarus Group's $577M Two-Strike Campaign — 18 Days Apart
The Kelp DAO attack is Lazarus Group's second major DeFi strike in April alone. On April 1, the same unit hit Drift Protocol for $285 million. The two attacks, 18 days apart, total approximately $577 million — the largest short-interval two-hack haul ever attributed to a single actor in DeFi history. Total 2026 year-to-date crypto stolen has now surpassed $771 million, according to DL News.
| Incident | Date | Loss | Vector | Attribution |
|---|---|---|---|---|
| Kelp DAO | Apr 18, 2026 | $292M | LayerZero single-DVN exploit | Lazarus Group |
| Drift Protocol | Apr 1, 2026 | $285M | Cross-chain bridge | Lazarus Group |
| Wormhole | Feb 2, 2022 | $320M | Signature verification bypass | Unattributed |
TRM Labs Global Head of Policy Ari Redbord identified the structural failure: "When the security model of a $300 million issuer reduces to one validator's signing key, the attack surface stops being technical and becomes structural. The answer is diverse validator sets on messaging layers, real-time monitoring on mint and burn flows, fast-acting pauser multisigs, and cross-protocol playbooks that assume contagion." (DL News, April 20)
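
The "real-time monitoring on mint and burn flows" Redbord describes can be expressed as a reconciliation of destination-chain mints against source-chain locks. This is an added example, not code from any protocol named in this article; the event shape, message ids, amounts and the 1% tolerance are constructed assumptions. It fails closed when the source chain cannot be read, which is the condition the DDoS on RPC infrastructure created.

```python
from dataclasses import dataclass

RSETH_SUPPLY = 630_000  # circulating supply figure quoted in the article

@dataclass(frozen=True)
class Mint:
    ts: int      # seconds after monitoring starts (constructed)
    guid: str    # cross-chain message id (constructed)
    amount: int  # rsETH minted on the destination chain

# Constructed sample: two backed mints, then two with no source-chain lock.
LOCKS = {"msg-1": 400, "msg-2": 250}
MINTS = [Mint(0, "msg-1", 400), Mint(60, "msg-2", 250),
         Mint(120, "msg-3", 5_000), Mint(180, "msg-4", 40_000)]

def first_pause(mints, source_locks, source_readable,
                supply=RSETH_SUPPLY, limit=0.01):
    """Return (ts, reason) for the first mint that should trip the pauser, or None.

    source_locks maps message id -> amount locked on the source chain, read
    through RPC endpoints independent of the bridge's own (assumption).
    source_readable(ts) reports whether that read succeeded at time ts.
    """
    unbacked = 0
    for m in sorted(mints, key=lambda m: m.ts):
        if not source_readable(m.ts):
            # Verification data is missing: pause rather than trust the mint.
            return m.ts, "source chain unreadable"
        shortfall = m.amount - source_locks.get(m.guid, 0)
        if shortfall > 0:
            unbacked += shortfall
        if unbacked > limit * supply:
            return m.ts, f"{unbacked} rsETH minted without backing"
    return None

if __name__ == "__main__":
    print(first_pause(MINTS, LOCKS, lambda ts: True))
    print(first_pause(MINTS, LOCKS, lambda ts: ts < 100))
```
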
Aave's $300M Borrowing Surge and the Nine-Protocol Contagion
As rsETH — widely used as collateral across DeFi lending protocols — lost its peg, borrowers raced to defend leveraged positions, triggering a $300 million emergency borrowing surge on Aave. Aave TVL fell from $26.4B to $17.95B (−$8.45B), with 25% of all deposited assets withdrawn within 48 hours. Direct bad debt on Aave reached approximately $196M; combined cross-protocol bad debt across Aave, Compound, and Euler totaled $236M.
Aave founder Stani Kulechov moved quickly to contain panic: "The exploit was external and the protocol's contracts were not compromised." Fear spread regardless. Justin Sun, whose HTX exchange holds approximately $1.4B in USDT deposited on Aave, made a public appeal directly to the attacker: "Kelp DAO hacker, how much do you want? Let's talk. It's simply not worth it to sacrifice both Aave and Kelp DAO. You can't spend $300 million anyway." (DL News, April 19)
Nine protocols were caught in the fallout: Aave V3/V4, SparkLend, Fluid, Compound, Euler, Lido, Ethena, and Sentora all suffered meaningful TVL declines as rsETH-backed positions unwound.
DeFi TVL Snapshot: $13.2B Erased in 48 Hours
| Metric | Pre-Hack | Apr 20, 20:00 KST | Change |
|---|---|---|---|
| Total DeFi TVL | $99.5B | $86.3B | −$13.2B |
| Aave TVL | $26.4B | $17.95B | −$8.45B |
| Aave Direct Bad Debt | — | ~$196M | New |
| Cross-Protocol Bad Debt | — | ~$236M | New |
| Fear & Greed Index | — | 29 / 100 (Fear) | ↓ |
Plume Network General Counsel Salman Banei captured the broader reputational damage: the exploit gives "a lot of ammo" to critics skeptical that smart contracts can safely replace traditional financial intermediaries. (Decrypt, April 20)
Market Data: BTC Holds $75K as Fear & Greed Hits 29
As of April 20 at 20:00 KST, markets reflect broad defensive positioning. On Binance, BTC trades at $75,041 (−0.23%, 24h) and ETH at $2,304 (−0.59%). Binance Futures show BTC nearly neutral at 50.1% long / 49.9% short with $7.1B open interest, while ETH longs dominate at 68.3% / 31.7% ($5.0B OI) — retail is positioned for a bounce. Funding rates are negative across majors: BTC at −0.0048%, ETH at −0.0014%, SOL at −0.0013%, indicating futures traders are hedged or leaning short. Total crypto market cap is $2.61 trillion with BTC dominance at 57.5%. On OKX, BTC confirms at $75,043; ORDI surged +9.75% and BASED spiked +30.6%, suggesting selective risk-on rotation into speculative assets even amid the broader fear environment.
| # | Coin | Price | 24h Change | Volume(24h) | High | Low |
|---|---|---|---|---|---|---|
| 1 | USDC | $1.00 | -0.01% | $2.2B | $1.00 | $1.00 |
| 2 | BTC | $75,041 | -0.23% | $1.1B | $76,240.66 | $73,724.31 |
| 3 | ETH | $2,304 | -0.59% | $657.1M | $2,350.24 | $2,252.72 |
| 4 | SOL | $85 | +0.12% | $217.3M | $87.12 | $82.94 |
| 5 | XRP | $1.41 | -0.59% | $141.6M | $1.45 | $1.39 |
| 6 | USD1 | $1.00 | -0.03% | $134.3M | $1.00 | $1.00 |
| 7 | DOGE | $0.09 | +0.71% | $101.9M | $0.10 | $0.09 |
| 8 | ZEC | $311 | -4.45% | $87.2M | $337.89 | $299.58 |
| 9 | 币安人生 | $0.46 | +19.87% | $81.7M | $0.48 | $0.38 |
| 10 | RLUSD | $1.00 | -0.04% | $76.8M | $1.00 | $1.00 |

| Coin | Funding Rate | Open Interest | Long/Short |
|---|---|---|---|
| BTC | -0.0048% | $7.1B | 50.1% / 49.9% |
| ETH | -0.0014% | $5.0B | 68.3% / 31.7% |
| SOL | -0.0013% | $770.3M | 73.2% / 26.8% |
| XRP | -0.0005% | $396.9M | 71.3% / 28.7% |
| DOGE | +0.0011% | $221.3M | 74.0% / 26.0% |
| BNB | +0.0036% | $337.8M | N/A |
| ADA | +0.0029% | $80.8M | N/A |
| AVAX | +0.0068% | $82.1M | N/A |
| DOT | +0.0037% | $44.7M | N/A |
| LINK | +0.0034% | $83.0M | N/A |
RAVE Token's 90% Crash: A Separate Manipulation Scandal
Separately from the Kelp DAO chaos, RaveDAO's RAVE token became the week's most dramatic collapse. After a +10,800% rally in just 9 days — from ~$0.25 on April 12 to an all-time high of $27.33 on April 17, where it topped Binance Alpha with a +1,349% weekly gain — RAVE crashed over 90% on April 19, falling to ~$1.15 and wiping approximately $5.7 billion in market cap.
On-chain investigator ZachXBT alleged a "bait and liquidate" manipulation scheme: roughly 90% of RAVE's 1 billion token supply was concentrated in three team-linked wallets, enabling coordinated activity that triggered $44M in short liquidations. ZachXBT offered a $25,000 whistleblower bounty for insider evidence. Binance Co-CEO Richard Teng responded: "We will always do our part to investigate all market misconduct." Bitget opened a parallel formal probe.
Frequently Asked Questions
Are DeFi bridges safe to use after the Kelp DAO hack?
The Kelp DAO exploit was not caused by a smart contract bug but by a bridge configuration decision: using a 1-of-1 (single DVN) validator setup on LayerZero. Bridges that deploy multi-DVN configurations are significantly more resistant to this attack vector. Before using any cross-chain bridge, verify the number of active validators and check for recent independent security audits.
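
The validator-count check described above can be automated before a pathway is trusted. This added example (not code from Kelp DAO or LayerZero) audits a required/optional verifier configuration; the config shape, DVN names and operator map are constructed assumptions. It goes one step beyond counting validators by also counting the distinct operators behind them.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class VerifierConfig:
    # Required/optional DVN shape is an assumption made for this example.
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

# Constructed DVN names and operators (hypothetical, not real deployments).
OPERATORS = {"dvn-a": "op1", "dvn-b": "op1", "dvn-c": "op2",
             "dvn-d": "op3", "dvn-e": "op3"}
SINGLE = VerifierConfig(["dvn-a"])                      # 1-of-1
SAME_OPERATOR = VerifierConfig(["dvn-a", "dvn-b"])      # 2 keys, 1 operator
DIVERSE = VerifierConfig(["dvn-a", "dvn-c"], ["dvn-b", "dvn-d", "dvn-e"], 2)

def audit(cfg, operator_of, min_operators=2):
    """Return (signatures_needed, fewest_operators, findings) for one pathway."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("optional threshold exceeds optional DVN count")
    needed = len(cfg.required_dvns) + cfg.optional_threshold
    # A DVN missing from the map is counted as its own operator.
    required_ops = {operator_of.get(d, d) for d in cfg.required_dvns}
    optional_ops = [operator_of.get(d, d) for d in cfg.optional_dvns]
    # Optional DVNs run by an already-required operator add no independence.
    remaining = cfg.optional_threshold - sum(o in required_ops for o in optional_ops)
    extra = 0
    # Greedy: the operators running the most optional DVNs cover the rest.
    for _, size in Counter(o for o in optional_ops if o not in required_ops).most_common():
        if remaining <= 0:
            break
        remaining -= size
        extra += 1
    fewest = len(required_ops) + extra
    if needed <= 1:
        findings.append("single verifier: one signing key attests every message")
    if fewest < min_operators:
        findings.append(f"{fewest} operator(s) can satisfy the config, want {min_operators}+")
    return needed, fewest, findings

if __name__ == "__main__":
    for name, cfg in [("single", SINGLE), ("same-operator", SAME_OPERATOR), ("diverse", DIVERSE)]:
        print(name, audit(cfg, OPERATORS))
```
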
Can Lazarus Group's stolen funds be recovered?
Historically, Lazarus Group recoveries are rare. The 2022 Wormhole hack ($320M) resulted in minimal direct recovery. However, OFAC and major exchanges rapidly blacklist associated wallet addresses, limiting the attacker's ability to liquidate at scale. Partial freezes are possible, but full recovery is unlikely.