The 2026 KelpDAO crypto hack has emerged as one of the year’s biggest cybercrime stories in the digital asset sector after thieves stole nearly $290 million in a major DeFi exploit. KelpDAO and LayerZero said early evidence points to a highly sophisticated state-backed actor, with suspicion falling on North Korea’s Lazarus Group.
Attackers carried out the exploit on April 18, 2026, and it quickly drew global attention due to its scale and potential geopolitical implications. The breach also revived concerns about the vulnerability of decentralised finance platforms despite the crypto sector’s rapid growth.
KelpDAO said the theft began when attackers compromised two LayerZero-hosted blockchain servers. That breach allowed them to drain an Ethereum-linked token from KelpDAO’s vault, making it the largest known crypto exploit of 2026 so far, according to CoinDesk.
LayerZero said the attackers targeted infrastructure rather than KelpDAO’s core smart contracts. They compromised RPC nodes and pushed the system into a failover state, allowing forged cross-chain messages to appear legitimate.
LayerZero said early indicators strongly suggest the Lazarus Group carried out the hack. Crypto industry figures also pointed to the group’s capabilities, with one analyst saying no other known group matches its level of technical sophistication for an operation of this kind.
Investigators and governments have repeatedly accused North Korea of using crypto theft to fund its weapons programmes. In 2024, a United Nations panel estimated that the country had stolen more than $3 billion in cryptocurrency since 2017.
The fallout extended beyond KelpDAO. Attackers deposited stolen funds into Aave v3 as collateral to borrow wrapped Ether, creating roughly $195 million in debt and sharply reducing Aave’s total value locked. At the same time, the Arbitrum Security Council reportedly froze around $71 million of the stolen assets. That action helped contain the damage, while KelpDAO paused contracts to stop another attempted theft.
This attack goes beyond a routine crypto theft. It shows how infrastructure breaches can undermine confidence in DeFi, especially among new users entering the market. It also raises broader security concerns. If investigators confirm North Korean involvement, the case will add to a growing list of cyber thefts linked to Pyongyang and intensify scrutiny of how digital assets intersect with global security risks.