Cross-chain messaging protocol LayerZero has publicly attributed the $292 million KelpDAO bridge exploit to North Korea's Lazarus Group, marking the first time a protocol at the centre of a 2026 DeFi exploit has directly fingered the state-linked cyber actor — and confirming what Chainalysis and on-chain investigators have been signalling for the past 48 hours.
The attribution followed a deposit stampede. CoinDesk, citing DefiLlama data, reported that more than $13 billion has been pulled out of DeFi in the 48 hours since the rsETH bridge was drained, with Aave absorbing the largest single blow at roughly $8.5 billion in deposit outflows and smaller contagion hitting Compound, Morpho and the broader restaking complex.
At the core of the attack is a design flaw that LayerZero has acknowledged and that Chainalysis has publicly called a critical blind spot in DeFi security: KelpDAO's configuration of the bridge allowed a single verifier to authorise cross-chain messages without an independent burn-verification step. Once that verifier was compromised, the exploit did not need to break cryptography. It only needed to send messages that looked legitimate, because nothing else was checking them.
The outcome was mechanical. Hackers triggered rsETH mints on destination chains without corresponding burns of the underlying asset on the source chain, then moved the newly minted tokens into lending markets where they had been accepted as collateral. Downstream protocols, which had trusted the bridge's attestations, suddenly found their collateral backed by tokens that no longer had the expected one-to-one relationship with ETH.
Justin Sun, founder of Tron, has publicly offered to mediate with the attackers and volunteered Tron resources to help trace the stolen funds — an unusual intervention that FinanceFeeds framed as an attempt to open a negotiation channel on behalf of the wider industry. Whether any serious dialogue has opened with Lazarus-affiliated wallets is unconfirmed.
The broader DeFi picture has deteriorated quickly. Total value locked across DeFi protocols has fallen to its lowest level in a year, according to DefiLlama figures cited by The Block, with combined losses across the last several weeks' exploits now topping $600 million. Aave has paused several markets. Compound governance is reviewing collateral onboarding processes. And several restaking protocols have rotated to multi-verifier bridge configurations rather than remain exposed to any single attestation point.
CoinDesk's reporting this week flagged the concentration of capital into a handful of bridge-dependent protocols as the single-largest systemic risk the DeFi sector has yet to price. Nearly all of 2026's major DeFi exploits have traced back to bridge architecture rather than smart-contract logic within individual lending markets. The KelpDAO exploit is the most expensive confirmation of that pattern so far.
The Lazarus Group attribution has geopolitical as well as technical weight. US Treasury and OFAC guidance already restricts interactions with wallets tied to North Korean cyber units, meaning exchanges and mixers that touch the stolen rsETH face potential sanctions exposure. Chainalysis flagged in its April report that North Korea's DeFi-targeted heist playbook has expanded in both frequency and sophistication, with the group now deploying impersonation and insider-access techniques alongside classic smart-contract exploitation.
For DeFi protocols, the immediate remediation task is clear. Single-verifier bridge configurations, long flagged as unsafe by security auditors, are being rapidly retired in favour of multi-signature or multi-verifier designs. But the deeper structural question — whether DeFi's lending markets can continue to accept bridged assets as first-class collateral without independent supply verification — remains open.
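The two controls discussed above, a multi-verifier threshold and an independent check that mints never exceed burns, can be modelled in a few lines. This is an added illustration, not code from LayerZero, KelpDAO or any protocol named here; `MintGate`, `attest`, the verifier names and keys are hypothetical, and HMAC stands in for real verifier signatures.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC stands in for real verifier signatures.
KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}

def attest(verifier, msg):
    """A verifier's attestation over a mint message (nonce, recipient, amount)."""
    return hmac.new(KEYS[verifier], repr(msg).encode(), hashlib.sha256).hexdigest()

class MintGate:
    """Destination-chain mint check: M-of-N attestations plus a supply invariant."""

    def __init__(self, verifiers, threshold, burned_on_source=None):
        self.verifiers = set(verifiers)
        self.threshold = threshold
        # Callable returning the total burned on the source chain, read through
        # a path independent of the verifiers; None disables the check.
        self.burned_on_source = burned_on_source
        self.minted = 0
        self.seen_nonces = set()

    def approve(self, msg, attestations):
        nonce, _recipient, amount = msg
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        valid = {v for v, sig in attestations.items()
                 if v in self.verifiers and hmac.compare_digest(sig, attest(v, msg))}
        if len(valid) < self.threshold:
            return False, "insufficient attestations"
        if self.burned_on_source is not None and \
                self.minted + amount > self.burned_on_source():
            return False, "mint exceeds burned supply"
        self.seen_nonces.add(nonce)
        self.minted += amount
        return True, "ok"

def demo():
    burned = 100                            # constructed: units actually burned
    forged = (1, "attacker", 5000)          # mint message with no matching burn
    stolen = {"v1": attest("v1", forged)}   # models a compromised verifier v1
    weak = MintGate(["v1"], threshold=1)    # single verifier, no supply check
    hardened = MintGate(KEYS, threshold=2, burned_on_source=lambda: burned)
    legit = (2, "user", 100)
    legit_att = {v: attest(v, legit) for v in ("v1", "v2")}
    return (weak.approve(forged, stolen), hardened.approve(forged, stolen),
            hardened.approve(legit, legit_att))
```

The supply check is what still holds if the verifier threshold itself is met by compromised keys, which is why it has to read burn totals through a path the verifiers do not control.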
