好的,我现在需要帮用户总结这篇文章的内容,控制在100字以内。首先,我得仔细阅读文章,抓住关键点。 文章主要讲的是 Lazarus APT 组织,与朝鲜有关联,他们通过滥用 LayerZero 基础设施,从 Kelp DAO 盗取了2.9亿美元。Kelp DAO 是一个 DeFi 协议,专注于流动性质押。攻击者利用 LayerZero 的 RPC 节点进行恶意操作,导致资金被盗。虽然第一次攻击成功了,但第二次9500万美元的尝试被阻止了。 接下来,我需要把这些信息浓缩到100字以内。要包括 Lazarus APT、盗取金额、攻击手段、Kelp DAO 的应对措施以及影响。 可能的结构是:Lazarus APT 盗取2.9亿美元,利用 LayerZero 漏洞,Kelp DAO 暂停活动并阻止第二次攻击。同时提到这是2026年最大的DeFi攻击之一。 现在检查字数是否在限制内,并确保信息准确无误。 </think> 朝鲜关联的Lazarus APT组织通过滥用LayerZero基础设施从Kelp DAO盗取2.9亿美元资金。攻击者操控LayerZero节点发送恶意指令转移资金。Kelp DAO暂停合约并阻止了后续9500万美元的盗窃企图。此为2026年最大DeFi安全事故之一。 2026-4-21 18:34:3 Author: securityaffairs.com(查看原文) 阅读量:16 收藏
North Korea’s Lazarus APT stole $290M from Kelp DAO
North Korea-linked Lazarus Group stole $290M from Kelp DAO by abusing LayerZero. A second $95M attempt was stopped.
Hackers tied to the North-Korea linked group Lazarus APT carried out a $290M crypto theft targeting Kelp DAO.
— Kelp (@KelpDAO) April 18, 2026Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
Kelp DAO is a decentralized finance (DeFi) protocol built on the Ethereum ecosystem that focuses on a concept called liquid restaking. In simple terms, it lets users earn more rewards from their crypto without locking it up.
Attackers manipulated LayerZero infrastructure, forcing systems to rely on compromised nodes, then issued a malicious command to drain funds.
— StarPlatinum (@StarPlatinum_) April 18, 2026This is one of the biggest DeFi hacks of 2026 🚨
Here’s what just happened:
Kelp DAO’s rsETH bridge got exploited through LayerZero.
Around 116,500 rsETH was drained.
That’s $293M gone in minutes.
Main drain transaction:… pic.twitter.com/9ZfHqUUsWN
After the breach, the platform froze activity and blocked wallets, stopping a second attempted theft worth about $95M.
“Kelp detected the anomaly, paused all relevant contracts on Ethereum mainnet and L2s, blacklisted all wallets associated with the exploiter, and engaged SEAL-911.” wrote Kelp. “A subsequent attempt by the exploiter, leveraging a falsely verified phantom packet to target an additional 40,000 rsETH (~$95M), was fully mitigated by these interventions.”
Kelp DAO lets users deposit ETH, restake it via EigenLayer, and receive rsETH to earn extra rewards. It relies on LayerZero to verify transactions across chains. The attack didn’t exploit the core protocol but targeted the verification layer.
LayerZero checks transactions using multiple servers (RPCs). Attackers hacked two of them and used them to send fake but valid-looking messages.
“On April 18, 2026, LayerZero Labs’ DVN became the target of a highly sophisticated attack, likely attributable to the Lazarus Group, more specifically TraderTraitor. The attack was specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions. It was not done through an exploit to the protocol, DVN, key management or other means.” reports LayerZero. “Rather, the attacker was able to gain access to the list of RPCs our DVN uses, compromise two of them – which were independent nodes running on separate clusters without direct connection to each other – and swap out binaries running the op-geth nodes. Because of our least-privilege principles, they were unable to compromise the actual DVN instances. However, they used this pivot point to execute an RPC-spoofing attack.”
Then they launched a DDoS attack on the remaining servers, forcing the system to rely on the compromised ones. This allowed malicious transactions to pass. The root cause was Kelp DAO’s insecure “1-of-1” verifier setup, meaning only one DVN checked transactions. This created a single point of failure. Best practice requires multiple independent verifiers, which would have blocked the attack even if one node was compromised.
LayerZero reported that the breach only affected its rsETH setup and did not spread to other apps, thanks to LayerZero’s modular design.
LayerZero confirmed its infrastructure and protocol worked as designed, isolating the damage. The incident highlights a new type of state-level attack targeting off-chain components like RPCs, rather than core blockchain systems. After the breach, compromised nodes were replaced, and stronger multi-verifier configurations are now being enforced to prevent similar attacks.
LayerZero says the hack could have been avoided if Kelp DAO had used multiple verifiers (multi-DVN), the industry standard.
“Industry best practice — and LayerZero’s express recommendation to all integrators — is to configure a multi-DVN setup with diversity and redundancy. This means no single DVN should represent a unilateral point of trust or failure.” continues the LayerZero’s statement. “Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message. LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration.”
Kelp DAO refused accusation, saying it followed its default setup and didn’t manage the compromised infrastructure. It’s now focused on limiting damage, with partners like Arbitrum Security Council freezing funds. The impact spread across DeFi, with Aave losing nearly $8B in value.
“Kelp’s priority is our users and preventing contagion across DeFi. We are working with all ecosystem partners to analyse the impact, rally support, and explore all avenues of mitigation.” concludes Kelp. “We are concurrently assessing the potential next steps regarding protocol unpausing, impact assessment, and the way forward, and working with Aave, LZ, and all other key stakeholders.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Lazarus APT)
如有侵权请联系:admin#unsafe.sh