On April 20th, the decentralized protocol Kelp DAO fell victim to a massive hacking attack, with losses exceeding $300 million. Within the first few hours after the incident, it was clear that this was one of the biggest heists in the DeFi sector in recent years. In this article, we will analyze what is known so far and take a detailed look at the investigation's progress over the first 18 days post-hack.
While the picture was fragmented in the first hours after the incident, over the next ten days the investigation accumulated a significant body of technical detail and established facts.
Attack 1
Phase 1
Initial attack
It lasted for one minute.
The entry point was the rsETH cross-chain adapter built on LayerZero infrastructure. The hack was made possible by the compromise of RPC node infrastructure and exploited an architectural flaw: the compromise of the entire system began with a single compromised identifier.
Phase 2
Area of main events
After the system was hacked, the attackers used a cunning scheme: they sent a forged message confirming the successful 'locking' of funds.
For those unfamiliar with DeFi architecture, in this context, 'locking' does not work like freezing an account but rather as a confirmation of contribution. Under normal conditions, the process looks like this:
Stage 1
You deposit an asset (for example, $100). The system records the receipt of funds and 'locks' them in its storage as collateral.
Stage 2
Only after the successful first stage does the automatic process of issuing new tokens for the user kick in.
This logic was exploited by the hackers. They made the system believe that the first stage had completed successfully, although no real assets were deposited. Accepting the forged message as legitimate, the protocol issued 116,500 rsETH without any actual collateral. Thanks to the integration with LayerZero technology, the attackers were able to propagate this effect across multiple blockchains instantly. This allowed them to withdraw funds from over 20 networks simultaneously, including Arbitrum, Base, Linea, and others, turning a single protocol's error into a massive liquidity loss across the ecosystem.
Phase 3
Exit and legalization
After obtaining thousands of illiquid rsETH tokens (which had no real backing), the hackers used them as collateral in lending protocols, notably in Aave.
How it works (in simple terms):
Imagine an ordinary pawn shop. If you bring in a painting, the appraiser examines it carefully, in real time, before handing over any cash. Crypto lending protocols, by contrast, are automated systems that operate on pre-defined algorithms. The hackers 'brought' forged artworks (the illiquid rsETH) to such a digital pawn shop. Because the system perceived these tokens as legitimate, it automatically issued real, liquid funds (Ethereum, as WETH) against them as collateral. The attackers walked away with actual cryptocurrency, leaving the protocol holding worthless 'paper.' To cover their tracks, the acquired funds were instantly dispersed among hundreds of anonymous addresses, which made tracing and recovering the assets an extremely challenging task for analysts.
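The "digital pawn shop" failure described above comes down to a lending pool that accepts any amount of a whitelisted token as collateral without asking whether that amount could plausibly exist. The simulation below is an added example, not code from Kelp DAO, Aave or any other protocol mentioned in this article; the pool model, the rsETH price of 1 ETH, the 75% loan-to-value ratio, the 80,000 WETH of liquidity and the 500,000-token supply snapshot are all constructed. It compares a naive pool with one that enforces a per-asset supply cap and one that additionally freezes a collateral market whose on-chain total supply jumps far beyond its last snapshot, which is exactly the signal an unbacked mint of 116,500 tokens would produce.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class CollateralMarket:
    symbol: str
    price_eth: float          # oracle price in ETH per token (constructed value)
    ltv: float                # fraction of collateral value that may be borrowed against
    supply_cap: int           # max tokens accepted as collateral; 0 means uncapped
    supply_snapshot: int      # token total supply seen at the last check
    max_supply_growth: float  # freeze the market if total supply grows beyond this fraction
    supplied: int = 0
    frozen: bool = False


class LendingPool:
    """Automated lending pool (hypothetical): collateral in, WETH out, with two guards
    the naive configuration lacks: a per-asset supply cap and a supply-spike circuit breaker."""

    def __init__(self, weth_liquidity: int, markets: Dict[str, CollateralMarket]) -> None:
        self.weth = weth_liquidity
        self.markets = markets
        self.collateral: Dict[str, Dict[str, int]] = {}  # account -> symbol -> amount
        self.debt: Dict[str, int] = {}

    def observe_total_supply(self, symbol: str, total_supply: int) -> bool:
        """Circuit breaker: a collateral token whose total supply jumps beyond the
        allowed growth since the last snapshot is frozen for new deposits."""
        m = self.markets[symbol]
        if total_supply > m.supply_snapshot * (1 + m.max_supply_growth):
            m.frozen = True
        else:
            m.supply_snapshot = total_supply
        return m.frozen

    def supply(self, account: str, symbol: str, amount: int) -> int:
        """Accept collateral up to the market's remaining cap; returns the amount taken."""
        m = self.markets[symbol]
        if m.frozen:
            return 0
        taken = amount if m.supply_cap == 0 else max(0, min(amount, m.supply_cap - m.supplied))
        m.supplied += taken
        acct = self.collateral.setdefault(account, {})
        acct[symbol] = acct.get(symbol, 0) + taken
        return taken

    def borrowing_power(self, account: str) -> int:
        """ETH value of the account's collateral, scaled by each market's LTV."""
        return int(sum(amt * self.markets[s].price_eth * self.markets[s].ltv
                       for s, amt in self.collateral.get(account, {}).items()))

    def borrow_weth(self, account: str, amount: int) -> int:
        """Lend WETH bounded by borrowing power, existing debt and pool liquidity."""
        allowed = self.borrowing_power(account) - self.debt.get(account, 0)
        granted = max(0, min(amount, allowed, self.weth))
        self.weth -= granted
        self.debt[account] = self.debt.get(account, 0) + granted
        return granted


def run_scenarios() -> Dict[str, int]:
    """WETH an account holding 116,500 unbacked rsETH can extract under three configurations."""
    forged = 116_500  # the unbacked amount from the article; everything else is constructed

    def make_pool(cap: int, growth: float) -> LendingPool:
        market = CollateralMarket("rsETH", price_eth=1.0, ltv=0.75, supply_cap=cap,
                                  supply_snapshot=500_000, max_supply_growth=growth)
        return LendingPool(weth_liquidity=80_000, markets={"rsETH": market})

    naive = make_pool(cap=0, growth=10.0)        # uncapped, breaker effectively off
    capped = make_pool(cap=5_000, growth=10.0)   # supply cap only
    watched = make_pool(cap=5_000, growth=0.10)  # cap plus a 10% supply-growth breaker
    watched.observe_total_supply("rsETH", 500_000 + forged)  # ~23% jump -> market frozen

    results = {}
    for name, pool in (("naive", naive), ("capped", capped), ("watched", watched)):
        pool.supply("attacker", "rsETH", forged)
        results[name] = pool.borrow_weth("attacker", 10**9)  # attempt to drain everything
    return results
```

Calling `run_scenarios()` shows the naive pool lending out its entire 80,000 WETH, the capped pool limiting exposure to 3,750 WETH, and the watched pool lending nothing because the market froze the moment the reported total supply jumped. The supply cap bounds the loss per asset; the breaker is what turns an anomalous mint into a stopped market before any WETH leaves.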
Counteractions
Kelp DAO administrators activated an 'emergency stop' for all smart contracts to prevent further fund withdrawals. The attack affected at least 9 adjacent protocols, and the team began urgent synchronization with other DeFi platforms to isolate the damaged liquidity pools.
In the first minutes, cybersecurity teams were engaged, including:
Cyvers
One of the first to detect abnormal activity and confirm the fact of the hack.
Halborn
Published a detailed technical report explaining the cause of the hack — a vulnerability in the configuration of the cross-chain bridge verifier.
PeckShield
Directed efforts towards analyzing transactions.
Chainalysis and Elliptic
Tracking stolen assets.
After the first countermeasures, it seemed that this story would follow the usual path of investigation, communication, and so on. However, what happened 20 minutes later could have pushed the consequences of this heist to an even higher level.
Attack 2
Despite the turmoil following the events above, the system remained compromised and the hackers struck again.
The entry point was the same compromised RPC nodes.
At that moment, the main smart contracts had already been frozen by protection teams, and an alternative path was chosen for the attack. A new data packet was sent with a fake confirmation of token burning on one of the networks. The main idea was to attempt to make the bridge issue a new batch of unsecured rsETH on another network.
Concept in simple terms:
When sending 100 coins from one network to another, several phases can be identified.
Phase 1
The network from which the coins are sent records their conditional burning, forming a data block that acts as a receipt. It states clearly that a request has been made to transfer a certain amount of coins.
Phase 2
If the networks are linked, the destination network receives this data and checks it using the specified verification algorithms; once verification passes, the issuance of the same 100 coins on the destination network is initiated. The hackers sent a fake message claiming that phase 1 had completed successfully when in fact it had not. Had it succeeded, it would have yielded $95 - 105 million in rsETH.
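Both attacks described in this article, the forged 'lock' confirmation of Attack 1 and the forged 'burn' confirmation of Attack 2, rely on the same weakness: the destination chain mints as soon as a message about the source chain arrives, and the party attesting to that message draws its view of the source chain from a compromised RPC node. The simulation below is an added example, not code from Kelp DAO, LayerZero or any verifier; verifier names, keys, chain names and all amounts other than the 116,500 rsETH figure are constructed, and HMAC with a private key stands in for a real signature scheme. It contrasts a receiver that trusts a single attester with one that requires a quorum of independent attesters and pauses itself when a mint window cap is exceeded, the automated counterpart of the emergency stop the Kelp team applied by hand.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SourceEvent:
    """A claim that tokens were locked (attack 1) or burned (attack 2) on a source chain."""
    kind: str          # "lock" or "burn"
    src_chain: str
    dst_chain: str
    amount: int        # whole tokens; all values below are constructed
    nonce: int         # unique per transfer, used for replay protection

    def digest(self) -> bytes:
        raw = f"{self.kind}|{self.src_chain}|{self.dst_chain}|{self.amount}|{self.nonce}"
        return hashlib.sha256(raw.encode()).digest()


class Verifier:
    """Attestation party that signs only events its own data source (RPC view) reported.
    HMAC with a private key stands in for a real signature scheme (assumption)."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key
        self.observed: Set[bytes] = set()   # digests this verifier's RPC view showed it

    def attest(self, ev: SourceEvent) -> Optional[bytes]:
        if ev.digest() not in self.observed:
            return None
        return hmac.new(self._key, ev.digest(), "sha256").digest()

    def check(self, ev: SourceEvent, sig: bytes) -> bool:
        expected = hmac.new(self._key, ev.digest(), "sha256").digest()
        return hmac.compare_digest(expected, sig)


class BridgeReceiver:
    """Destination-chain mint logic: needs a quorum of attestations, rejects replayed
    nonces, and pauses itself when the per-window mint cap would be exceeded."""

    def __init__(self, verifiers: List[Verifier], quorum: int, mint_cap: int) -> None:
        self.verifiers, self.quorum, self.mint_cap = verifiers, quorum, mint_cap
        self.minted_in_window = 0
        self.total_minted = 0
        self.used_nonces: Set[int] = set()
        self.paused = False

    def deliver(self, ev: SourceEvent, attestations: Dict[str, bytes]) -> str:
        if self.paused:
            return "rejected: bridge paused"
        if ev.nonce in self.used_nonces:
            return "rejected: replayed nonce"
        valid = sum(1 for v in self.verifiers
                    if v.name in attestations and v.check(ev, attestations[v.name]))
        if valid < self.quorum:
            return f"rejected: {valid}/{self.quorum} attestations"
        if self.minted_in_window + ev.amount > self.mint_cap:
            self.paused = True   # automated counterpart of the manual emergency stop
            return "rejected: mint cap exceeded, bridge paused"
        self.used_nonces.add(ev.nonce)
        self.minted_in_window += ev.amount
        self.total_minted += ev.amount
        return f"minted {ev.amount}"


def collect(verifiers: List[Verifier], ev: SourceEvent) -> Dict[str, bytes]:
    """Gather whatever attestations each verifier is willing to give for an event."""
    return {v.name: sig for v in verifiers if (sig := v.attest(ev)) is not None}


def run_scenarios() -> dict:
    honest = SourceEvent("lock", "ethereum", "arbitrum", 100, nonce=1)
    forged_lock = SourceEvent("lock", "ethereum", "arbitrum", 116_500, nonce=2)  # attack 1
    forged_burn = SourceEvent("burn", "base", "arbitrum", 50_000, nonce=3)       # attack 2

    compromised = Verifier("rpc-compromised", b"k1")  # its RPC view is attacker-controlled
    indep_a, indep_b = Verifier("indep-a", b"k2"), Verifier("indep-b", b"k3")
    for v in (compromised, indep_a, indep_b):
        v.observed.add(honest.digest())               # every verifier saw the real lock
    compromised.observed |= {forged_lock.digest(), forged_burn.digest()}  # only it "saw" the fakes

    weak = BridgeReceiver([compromised], quorum=1, mint_cap=10**9)
    hardened = BridgeReceiver([compromised, indep_a, indep_b], quorum=2, mint_cap=10_000)
    out = {"weak": [], "hardened": []}
    for ev in (honest, forged_lock, forged_burn):
        out["weak"].append(weak.deliver(ev, collect(weak.verifiers, ev)))
        out["hardened"].append(hardened.deliver(ev, collect(hardened.verifiers, ev)))

    # Even if a second verifier were also fed the forgery, the mint cap bounds the damage.
    indep_a.observed.add(forged_lock.digest())
    capped = BridgeReceiver([compromised, indep_a, indep_b], quorum=2, mint_cap=10_000)
    out["capped"] = [capped.deliver(ev, collect(capped.verifiers, ev))
                     for ev in (forged_lock, honest)]
    out["totals"] = {"weak": weak.total_minted, "hardened": hardened.total_minted,
                     "capped": capped.total_minted}
    return out
```

Calling `run_scenarios()` shows the single-attester receiver minting 166,600 tokens, of which only 100 are backed, while the quorum receiver mints the 100 honest tokens and rejects both forgeries for lack of a second attestation. The third case is the one worth studying: with two of three verifiers fed the forgery the quorum is met, and only the mint cap stops the 116,500-token mint and pauses the bridge. Quorum raises the cost of the attack; the cap bounds what is lost if that cost is paid.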
Countermeasures by security teams
While most of the effort was concentrated on the aftermath of the previous attack, part of the teams defended the 'perimeter'. As a result of this successful division of forces, the Arbitrum Security Council blocked the attempted withdrawal of funds at the smart contract level, and the attack was thwarted.
Who is behind the attack
No official charges have been brought against specific individuals or state groups. The main suspect in the large-scale attack on Kelp DAO, which took place in April 2026, is the North Korean hacker group Lazarus Group (specifically its subdivision TraderTraitor). Preliminary reports from LayerZero Labs, as well as analyses from Chainalysis, Halborn, and blockchain detective ZachXBT, indicate Lazarus Group as the most likely perpetrator.
The investigation of the Kelp DAO hack that occurred in April 2026 brought together international cybersecurity teams, law enforcement, and specialized blockchain rapid response groups. As the attack is linked to the North Korean group Lazarus Group (specifically the TraderTraitor subgroup), the investigation has a global dimension.
Leading investigation teams
The Kelp DAO team and auditors
Working to eliminate vulnerabilities and recover data from logs of infected nodes.
LayerZero Labs
Conducted an analysis of its own infrastructure (the RPC nodes), which served as the entry point.
Arbitrum Security Council
The governing body of the Arbitrum network, which coordinated the freezing of assets.
USA
Chainalysis
Provided a detailed report confirming that the attack targeted off-chain infrastructure, not smart contracts.
TRM Labs
Actively tracking the attackers' wallets in real time.
China/Singapore
PeckShield
Tracking the routes of stolen assets through various privacy protocols.
Israel
Cyvers
One of the first to detect the hack and provide a technical analysis of how hackers laundered funds through THORChain and BitTorrent.
South Korea
Actively collaborating by sharing intelligence on North Korean hackers' activities.
International community
The SEAL rapid response and security group joined the preliminary investigation and helped minimize further losses.
Compensation
Sources of funds for compensation:
Frozen funds ($71 million)
These are the assets on Arbitrum that were blocked by the Arbitrum Security Council. They were returned to Kelp DAO through a special governance vote.
Own treasury fund
The Kelp team used accumulated fees and part of its own reserves to cover losses.
Sale of KELP tokens
An emergency funding round was conducted through the sale of project tokens to venture funds at a significant discount to quickly obtain liquidity.
Recovery plan
Retail investors are prioritized
Ordinary users holding small amounts of rsETH were the first to access fund withdrawals.
Technical 'debt notes'
For those who did not want to wait 6 months for a full recovery, Kelp issued special kLoss tokens representing a right to a future share of the protocol's profits. Users could either hold them until full repayment or sell them on the secondary market to those willing to wait.
The role of LayerZero
Since the hack occurred through LayerZero infrastructure, the developer company (LayerZero Labs) allocated a $10 million grant as a goodwill gesture to support affected users, although they did not legally acknowledge their full culpability.
On April 6, the Kelp DAO team officially announced the abandonment of further use of LayerZero systems and the transition to Chainlink infrastructure.
Status as of today
The majority of users (over 98%) have fully recovered their positions. However, large institutional investors are still in the process of receiving the last tranches according to the unlocking schedule.
Conclusion
The Kelp DAO hack officially became one of the largest heists in recent years. However, the investigation revealed that a second wave followed the initial attack. Thanks to the professionalism of cybersecurity teams, this follow-up attack was completely repelled, reducing potential losses by approximately 40%. Despite this, the situation remains complex. Data protection issues are becoming critical, given the rapid growth of projects and the prospect of transforming crypto systems into a full-fledged financial foundation for entire states.
