A poisoned RPC node tricked LayerZero's verifier network into rubber-stamping a fraudulent cross-chain message — draining 116,500 rsETH in under an hour and handing North Korea its second nine-figure score in three weeks.
Kelp DAO, the liquid restaking protocol behind rsETH, confirmed this week that a North Korean hacking crew made off with roughly $292 million after compromising the off-chain infrastructure that feeds LayerZero's Decentralized Verifier Network. It is now the largest DeFi exploit of 2026 — and the second multi-hundred-million-dollar heist pinned on Lazarus Group's TraderTraitor subunit in under three weeks.
| Metric | Value |
|---|---|
| Total value stolen | ~$292 million (116,500 rsETH) |
| Share of circulating rsETH | ~18% |
| Time from first tx to pause | 46 minutes |
| Follow-on attempts blocked | ~$100 million |
| Attributed threat actor | TraderTraitor (Lazarus subgroup) |
| rsETH depeg low | 0.78 ETH (stabilized ~0.94 ETH) |
Attackers quietly took over two RPC nodes serving LayerZero's DVN, then forced a failover so that a poisoned node ended up signing a fraudulent cross-chain instruction. Kelp's bridge contract, believing the message had been legitimately verified, released 116,500 rsETH to an attacker-controlled address on Arbitrum. The tempo of the drain was as striking as the size: $265 million moved in the first thirty minutes.
"This was not a smart-contract bug. It was a failure of the operational layer around the protocol. And it is, unfortunately, exactly the attack surface we have been warning about for two years."
— Bryan Pellegrino, Founder, LayerZero Labs
"Most bridges are still judged by the quality of their Solidity. The attackers stopped caring about Solidity a long time ago."
— Tom Robinson, Chief Scientist, Elliptic
Kelp was running with a low-threshold DVN configuration that allowed a single compromised RPC-backed node to push a message through. This is precisely the kind of operational gap that pre-signature intelligence is designed to close. A policy engine with a rule requiring multi-DVN consensus before any bridge release above a configurable threshold — enforced at the pre-signature stage — would have flagged the single-node approval as a policy violation and blocked the transaction before it became irreversible. Web3Firewall's real-time transaction monitoring evaluates exactly these signals, including anomalous RPC behavior, single-source verification attempts on high-value cross-chain messages, and zero-history wallet destination addresses. The Kelp drain was not technically inevitable. It was a policy gap.
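The pre-signature rule described above can be sketched as follows. This is an added example, not code from Kelp, LayerZero or Web3Firewall; the class names, field names, threshold values and sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    dvn_id: str        # verifier that signed off on the message
    rpc_source: str    # RPC endpoint that verifier read chain state from
    payload_hash: str  # hash of the cross-chain message it attested to

@dataclass(frozen=True)
class ReleaseRequest:
    amount: float        # tokens the bridge is asked to release
    payload_hash: str    # hash of the message being executed
    dest_tx_count: int   # prior on-chain transactions of the destination
    attestations: tuple  # Attestation objects collected so far

def evaluate_release(req, high_value_threshold=1000.0, min_dvns=2):
    """Return the policy violations for a release; an empty list means sign."""
    violations = []
    matching = [a for a in req.attestations if a.payload_hash == req.payload_hash]
    if len(matching) != len(req.attestations):
        violations.append("attestation-payload-mismatch")
    if req.amount >= high_value_threshold:
        # Count distinct verifiers AND distinct data sources: two DVNs that
        # read from the same RPC node are still a single point of failure.
        if len({a.dvn_id for a in matching}) < min_dvns:
            violations.append("insufficient-dvn-quorum")
        if len({a.rpc_source for a in matching}) < min_dvns:
            violations.append("single-rpc-source")
        if req.dest_tx_count == 0:
            violations.append("zero-history-destination")
    return violations

def sample_requests():
    """Constructed inputs; only the 116,500 amount comes from the article."""
    one = Attestation("dvn-a", "rpc-1", "0xabc")
    two = Attestation("dvn-b", "rpc-2", "0xabc")
    same_rpc = Attestation("dvn-b", "rpc-1", "0xabc")
    return {
        "single_dvn": ReleaseRequest(116_500, "0xabc", 0, (one,)),
        "quorum": ReleaseRequest(116_500, "0xabc", 12, (one, two)),
        "shared_rpc": ReleaseRequest(116_500, "0xabc", 12, (one, same_rpc)),
        "small": ReleaseRequest(5, "0xabc", 0, (one,)),
    }

if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate_release(req) or "allow")
```

The `shared_rpc` case shows why verifier count alone is not enough: two DVNs that read from one RPC endpoint still fail the independence check.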
rsETH briefly depegged to 0.78 ETH before stabilizing. Aave, SparkLend, Fluid and Upshift all froze rsETH collateral markets within hours, stranding hundreds of millions in user positions across 20 chains.
"It is effectively a system-wide margin call against every protocol that treated rsETH as money-good."
— Sid Powell, CEO, Maple Finance