LayerZero: KelpDAO Incident Limited to rsETH App Setup, Protocol Unaffected
LayerZero Labs said KelpDAO has suffered losses of about $290 million following an attack it believes is linked to the Lazarus Group, specifically its TraderTraitor subgroup, which has ties to North Korea, according to Huoxing Finance.
LayerZero said the attackers compromised the downstream RPC infrastructure used by KelpDAO's decentralized verification network (DVN). By taking control of certain RPC nodes and coordinating DDoS activity, the threat actors forced the system to route to malicious nodes and then fabricated cross-chain transactions.
The affected RPC nodes have been taken offline and replaced, and DVN operations have resumed. LayerZero said the impact was confined to KelpDAO's rsETH application configuration and did not affect any other assets or applications.
The company attributed the scope of the incident to KelpDAO's use of a single-DVN (1/1) design at the time. LayerZero said KelpDAO had not adopted the multi-DVN redundancy approach it has long recommended, leaving no independent verification nodes in place to flag forged messages.
LayerZero stressed its protocol had no vulnerability and said applications configured with multi-DVN were unaffected, adding that it sees no systemic contagion risk. The company said it will speed up the migration of projects still running single-DVN configurations to multi-DVN architectures and has suspended signature and verification services for 1/1-configured applications. LayerZero added it is working with global law enforcement to investigate and is assisting industry partners in tracking the stolen funds.
LayerZero said the incident highlights the benefits of modular security design while underscoring risks tied to RPC-based verification pathways.