$292M KelpDAO Exploit: LayerZero Uncovers Single-Verifier Flaw in Massive Hack

LayerZero Details Single-Verifier Flaw Behind $292M KelpDAO Exploit

Key Highlights

  • LayerZero said the $292 million exploit targeted the KelpDAO rsETH bridge through compromised verifier infrastructure.
  • A single-verifier OApp configuration enabled the forged cross-chain message to be accepted.
  • LayerZero will no longer allow its DVN to operate as the sole signer for channels using its services. 

LayerZero Labs has published a report detailing a security incident that led to roughly $292 million being stolen from the KelpDAO rsETH bridge.

The report states that on April 18, 2026, LayerZero's cross-chain messaging protocol was attacked. The company attributes the attack to TraderTraitor, a hacking group linked to the North Korean government that is also tracked as UNC4899. The attribution rests on investigations by the security firms Mandiant and CrowdStrike.

We’ve finished our review of the incident that happened on April 18th, and are sharing the results. We collaborated with security experts from Mandiant and CrowdStrike to create this report, and we’re releasing both a high-level summary and the complete details at the link below. Over the last four weeks, we’ve been working closely with many partners to help them…

— LayerZero (@LayerZero_Core) May 20, 2026

How the attack unfolded

The KelpDAO attack began on March 6, 2026, when the attacker tricked a LayerZero Labs developer into handing over their login credentials. With that access, the attacker moved into LayerZero's cloud environment and took control of the RPC nodes the company runs to read blockchain state.

Once inside, the attacker tampered with the RPC node processes in memory rather than on disk. The nodes kept reporting as healthy, but the chain data they returned to LayerZero Labs' Decentralized Verifier Network (DVN) could now be manipulated at will.

To make the manipulated data decisive, the attacker ran a denial-of-service attack against the external RPC provider the DVN also queried. With that provider unreachable, the DVN fell back to the only sources still answering: the two internal nodes already under the attacker's control. Those nodes agreed on a cross-chain message that had never been sent on the source chain, and the DVN produced a legitimate-looking attestation for it.

The forged attestation was enough because the affected OApp, the rsETH bridge, was configured to require verification from a single DVN, LayerZero Labs' own. With no second verifier to disagree, the receiving contract treated the message as verified and released the rsETH. No other OApps or channels were affected.
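To make the two failure points concrete, the following is an added Python model, not LayerZero's code: the DVN, RPC-source and config names, the required/optional-DVN rules and the sample packet are all constructed for illustration. Layer one is a DVN deciding whether to sign based on what its RPC sources report; layer two is a receive-side check in the style of a required/optional verifier quorum. The model shows that a DVN that falls back to whichever sources still answer will sign a forged packet once the honest source is knocked offline, that a fail-closed source policy refuses to sign, and that a single required DVN, or a 1-of-N optional threshold, lets that one attestation through while a second required DVN blocks it.

```python
from dataclasses import dataclass

# Constructed sample values: the hash an attacker wants attested, and the hash
# an untampered node reports for the same (non-existent) packet.
FORGED = bytes.fromhex("de" * 32)
HONEST = bytes.fromhex("00" * 32)


@dataclass(frozen=True)
class Packet:
    src_eid: int
    nonce: int
    payload_hash: bytes


class RpcUnavailable(Exception):
    """An RPC source could not be reached, e.g. because it is being DoS'd."""


def compromised_rpc(pkt):
    # Memory-tampered node: reports the forged payload as if it were on chain.
    return FORGED


def honest_rpc(pkt):
    # Untouched node: the forged packet does not exist on the source chain.
    return HONEST


def dossed_rpc(pkt):
    raise RpcUnavailable


def dvn_should_sign(pkt, sources, min_responders, min_agree):
    """Layer 1 (hypothetical DVN policy): query every configured RPC source,
    sign only if at least min_responders answered and at least min_agree of
    them confirm pkt.payload_hash. Anything less fails closed."""
    answers = {}
    for name, query in sources.items():
        try:
            answers[name] = query(pkt)
        except RpcUnavailable:
            continue
    if len(answers) < min_responders:
        return False
    votes = sum(1 for h in answers.values() if h == pkt.payload_hash)
    return votes >= min_agree


@dataclass(frozen=True)
class UlnConfig:
    """Layer 2 (hypothetical receive-side config): every required DVN must
    attest, plus optional_threshold of the optional DVNs."""
    required_dvns: tuple
    optional_dvns: tuple = ()
    optional_threshold: int = 0


def receive_lib_verifiable(cfg, signers):
    if any(d not in signers for d in cfg.required_dvns):
        return False
    return sum(1 for d in cfg.optional_dvns if d in signers) >= cfg.optional_threshold


def run_scenario():
    pkt = Packet(src_eid=30101, nonce=7, payload_hash=FORGED)  # constructed
    attacked = {
        "internal-1": compromised_rpc,
        "internal-2": compromised_rpc,
        "external-provider": dossed_rpc,  # knocked offline by the DoS
    }
    # Fallback policy: sign if the sources still answering agree. The DoS
    # removed the only honest voice, so the two tampered nodes are unanimous.
    lz_fallback = dvn_should_sign(pkt, attacked, min_responders=2, min_agree=2)
    # Fail-closed policy: all three sources must answer, so the DoS blocks signing.
    lz_failclosed = dvn_should_sign(pkt, attacked, min_responders=3, min_agree=3)
    # An independently operated DVN with its own untampered nodes never signs.
    other = dvn_should_sign(pkt, {"a": honest_rpc, "b": honest_rpc}, 2, 2)

    signers = {d for d, s in (("LZ-DVN", lz_fallback), ("Other-DVN", other)) if s}
    single = UlnConfig(required_dvns=("LZ-DVN",))
    two_required = UlnConfig(required_dvns=("LZ-DVN", "Other-DVN"))
    one_of_two = UlnConfig(required_dvns=(), optional_dvns=("LZ-DVN", "Other-DVN"),
                           optional_threshold=1)
    return {
        "lz_signs_fallback": lz_fallback,
        "lz_signs_failclosed": lz_failclosed,
        "other_signs": other,
        "single_dvn_accepts": receive_lib_verifiable(single, signers),
        "two_required_accepts": receive_lib_verifiable(two_required, signers),
        "one_of_two_accepts": receive_lib_verifiable(one_of_two, signers),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The one-of-two case is worth noting: an optional threshold of 1 across two DVNs is no stronger than a single required DVN, because the compromised verifier alone meets it. Only a configuration that needs an attestation from a verifier the attacker does not control, here a second required DVN, rejects the forged packet.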

LayerZero tightens security controls

Following the incident, LayerZero Labs has changed its security policy. Previously, application developers could choose any OApp verifier configuration, including one in which LayerZero Labs' own DVN was the only required signer.

We’re changing how things work. LayerZero Labs DVN will no longer be the sole signer for any channel, but it will still require basic security settings for all channels. The core technology behind this system won’t be affected.

Rather than patching problems individually, the company rebuilt its cloud environment from the ground up. The overhaul tightens baseline standards, removes stale access keys, grants access just-in-time rather than standing, requires multiple approvals for any change to user permissions, and adds device and login verification checks.

As an analyst following LayerZero Labs, I understand they’ve been working very closely with top cybersecurity firms – Mandiant, CrowdStrike, and zeroShadow – to investigate attacks, figure out who’s behind them, and keep a close watch on token activity. They’re also actively cooperating with law enforcement. Importantly, LayerZero has committed to continuous security assessments and improvements across the entire ecosystem to proactively address potential vulnerabilities.

One of the biggest DeFi attacks 

This $292 million hack is one of the largest to hit decentralized finance (DeFi) in 2026. It shows that the weak points are often a chain of social engineering, infrastructure compromise, and permissive protocol configuration rather than a single bug.

Even though the protocol's isolation of channels limited the damage to one bridge, the incident showed that a single-verifier configuration turns a compromise of that one verifier into a complete loss of integrity for the channel.

With the investigation and the tracing of stolen funds still under way, it is clear that state-sponsored attackers pose a growing threat to the cryptocurrency industry, and that strong operational security matters most for projects that connect multiple blockchains.


2026-05-20 20:22