
The Great Digital Bank Robbery: How North Korean Hackers Stole $290 Million Without a Single Password

In the past week, the cryptocurrency world witnessed one of the most audacious and technically complex heists in its history. Approximately $290 million (roughly SEK 2.6 billion) in Ethereum was drained from Kelp DAO, a prominent liquid restaking protocol. As the dust settles, investigators and technology partners have pointed the finger at a familiar and formidable shadow: the Lazarus Group, a cyber-warfare collective allegedly operating on behalf of the North Korean state.


This incident isn't merely another entry in the long list of digital thefts. It represents a paradigm shift in how state-sponsored actors exploit the very infrastructure meant to secure decentralized finance (DeFi). By manipulating the "cross-chain" messages that allow different blockchains to communicate, the hackers didn't just break into a vault; they rewrote the rules of the building.


The Breach: A Symphony of Sabotage

The attack on Kelp DAO was not a simple matter of a leaked password or a single vulnerable line of code. Instead, it was a multi-staged operation that targeted the messaging infrastructure provided by LayerZero, a protocol designed to connect disparate blockchains.


To understand the sophistication involved, look at the Decentralized Verifier Network (DVN) that Kelp DAO relied on. A DVN checks the integrity of instructions sent between chains, and to do that it depends on Remote Procedure Call (RPC) nodes to read and verify on-chain data. Those RPC nodes, the DVN's "eyes", were what the attackers went after.




The Attack Vector: RPC Spoofing and DDoS

The hackers compromised two independent RPC nodes. On its own that was not enough to drain funds: under LayerZero's least-privilege model the DVN was still consulting healthy nodes as well, so the attackers had to make sure it listened only to their poisoned ones.


  1. Node Poisoning: The hackers replaced the binaries on the two compromised nodes with malicious versions that reported whatever data the attackers wanted the DVN to see.


  2. DDoS Attack: Simultaneously, they launched a massive Distributed Denial of Service (DDoS) attack against the healthy, uncompromised RPC nodes.


  3. The Failover Trap: When the healthy nodes were knocked offline, the system automatically "failed over" to the only available nodes: the ones controlled by the hackers.


  4. The Forged Message: With the system now relying on poisoned data, the hackers sent a forged instruction to drain 116,500 rsETH (restaked Ether).


"The attackers used this pivot point to execute an RPC-spoofing attack. Their malicious node used a custom payload designed explicitly to forge a message to the DVN with minimal warnings," stated a technical briefing from LayerZero.

How does a protocol defend against an attacker that can disable its "eyes" and replace them with fake ones? This remains the central question for the DeFi industry in 2026.
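The failover trap is easiest to see in code. The block below is an added illustration, not LayerZero or Kelp DAO code: it models a verifier that compares a claimed packet hash against what a set of RPC nodes report, and runs the four steps above against two verifier designs. The node names, providers, message id and hashes are constructed, and reducing a DVN's job to "check one hash" is a deliberate simplification.

```python
"""
Toy model of the failover trap: a verifier that trusts whichever RPC node
still answers (verify_failover) versus one that fails closed when it cannot
get independent agreement (verify_quorum). Constructed example, not
LayerZero or Kelp DAO code.
"""
from dataclasses import dataclass

MESSAGE = "msg-42"
HONEST_HASH = "0xaaaa"   # what the source chain really recorded (constructed)
FORGED_HASH = "0xdead"   # what the attacker's drain instruction hashes to (constructed)


class RpcUnavailable(Exception):
    """The node did not answer, e.g. because it is under DDoS."""


@dataclass(frozen=True)
class RpcNode:
    name: str
    operator: str          # infrastructure provider running the node
    poisoned: bool         # True = binary swapped by the attacker
    online: bool = True

    def packet_hash(self, message_id: str) -> str:
        """Ask the node what it saw for message_id."""
        if not self.online:
            raise RpcUnavailable(self.name)
        if message_id != MESSAGE:
            raise KeyError(message_id)
        return FORGED_HASH if self.poisoned else HONEST_HASH


def build_nodes(ddos: bool, poisoned: bool) -> list:
    """Three honest nodes on separate providers plus the two the attacker took over."""
    return [
        RpcNode("rpc-a", "provider-1", poisoned=False, online=not ddos),
        RpcNode("rpc-b", "provider-2", poisoned=False, online=not ddos),
        RpcNode("rpc-c", "provider-3", poisoned=False, online=not ddos),
        RpcNode("rpc-x", "provider-4", poisoned=poisoned),
        RpcNode("rpc-y", "provider-5", poisoned=poisoned),
    ]


def verify_failover(nodes, message_id, claimed_hash) -> bool:
    """Vulnerable pattern: try nodes in order and trust the first that answers.
    Knock the early nodes offline and the verdict comes from whoever is left."""
    for node in nodes:
        try:
            return node.packet_hash(message_id) == claimed_hash
        except RpcUnavailable:
            continue
    return False


def verify_quorum(nodes, message_id, claimed_hash,
                  min_agreeing: int = 3, min_operators: int = 2) -> str:
    """Fail-closed pattern. Returns "accept", "reject" or "hold"; "hold" means
    do not deliver the message and page a human, never fall back to fewer nodes."""
    answers = {}
    for node in nodes:
        try:
            answers[node] = node.packet_hash(message_id)
        except RpcUnavailable:
            continue
    if len(answers) < min_agreeing:
        return "hold"      # too few eyes left; an outage must not lower the bar
    support = [n for n, h in answers.items() if h == claimed_hash]
    if not support:
        return "reject"    # every reachable node contradicts the claim
    if len(support) != len(answers):
        return "hold"      # reachable nodes disagree: at least one is lying
    if len({n.operator for n in support}) < min_operators:
        return "hold"      # agreement from one provider is not independence
    return "accept"


def run_attack() -> dict:
    """Steps 1-4 from the article: poison two nodes, DDoS the rest, submit a forgery."""
    nodes = build_nodes(ddos=True, poisoned=True)
    return {
        "failover": verify_failover(nodes, MESSAGE, FORGED_HASH),
        "quorum": verify_quorum(nodes, MESSAGE, FORGED_HASH),
    }


if __name__ == "__main__":
    print(run_attack())   # {'failover': True, 'quorum': 'hold'}
```

Two things are worth noticing. With the honest nodes under DDoS, the failover verifier happily accepts the forged hash because the poisoned node is the only one left to ask, while the quorum verifier refuses to decide at all, which is the behaviour you want: an outage should degrade availability, never integrity. And with the poisoned nodes present but the honest ones still up, the quorum verifier holds even the honest message, because disagreement between nodes is itself the signal that someone is lying.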


The Lazarus Connection: Funding a Regime

While the technical execution is impressive, the motive is chilling. The UN Panel of Experts has long maintained that North Korea's cyber activities are a primary engine for its sanctioned military programs.


In 2024, the UN estimated that North Korea had stolen over $3 billion in cryptocurrency since 2017. The 2026 Kelp DAO heist, coupled with the $285 million theft from Drift Protocol just weeks earlier, suggests that the regime's appetite is only growing.


  • Bybit (2025): $1.5 billion stolen.


  • Drift Protocol (April 2026): $285 million stolen.


  • Kelp DAO (April 2026): $290 million stolen.


According to various UN reports, these funds are funnelled directly into the nuclear and ballistic missile programmes of the Democratic People's Republic of Korea (DPRK). By bypassing the traditional global banking system (SWIFT), the regime has found a way to sustain its military ambitions despite being one of the most heavily sanctioned states in the world.


The Blame Game: Infrastructure vs. Implementation

The fallout of the Kelp DAO heist has sparked a fierce debate over responsibility. LayerZero has pointed out that Kelp DAO was using a "1-of-1" verifier configuration, meaning the protocol relied on a single point of failure.


LayerZero's stance is clear: "Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message." They argue that had Kelp DAO utilized a multi-DVN setup, the forged message from the poisoned nodes would have been rejected by other, independent verifiers.


Kelp DAO, however, maintains that they followed the documented "default" configurations and that the breach occurred within the infrastructure they were paying to use. This brings us to a vital question for the industry: Is it the responsibility of the infrastructure provider to enforce security, or the responsibility of the application builder to understand every possible failure mode?
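Whatever the answer, an application team can at least measure its own exposure. The following audit helper is an added example, not LayerZero tooling: it models a receive-side verifier configuration as "every required DVN must attest, plus a threshold of an optional set", the shape the 1-of-1 versus multi-DVN discussion refers to, and works out how many verifiers, and how many distinct operators, an attacker would have to compromise to get a forged message accepted. The DVN names, operators and configurations are constructed.

```python
"""
Audit a verifier configuration for single points of failure. Added example;
the config model and the DVN/operator names are constructed assumptions.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class VerifierConfig:
    required: list                 # DVNs that must all attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0    # how many of `optional` must also attest


def min_verifiers_to_forge(cfg: VerifierConfig) -> int:
    """Number of DVNs whose attestations an attacker needs to forge a message."""
    if cfg.optional_threshold > len(cfg.optional):
        raise ValueError("optional_threshold exceeds the optional DVN list")
    needed = len(cfg.required) + cfg.optional_threshold
    if needed == 0:
        raise ValueError("configuration accepts messages with no verification")
    return needed


def min_operators_to_forge(cfg: VerifierConfig, operator_of: dict) -> int:
    """Distinct operators (and therefore distinct RPC and hosting estates)
    whose compromise suffices. Brute-forces the cheapest choice of optional
    DVNs, which is fine for the handful of DVNs a real config lists."""
    min_verifiers_to_forge(cfg)                     # validate first
    base = {operator_of[d] for d in cfg.required}
    if cfg.optional_threshold == 0:
        return len(base)
    return min(
        len(base | {operator_of[d] for d in chosen})
        for chosen in combinations(cfg.optional, cfg.optional_threshold)
    )


def audit(cfg: VerifierConfig, operator_of: dict) -> dict:
    verifiers = min_verifiers_to_forge(cfg)
    operators = min_operators_to_forge(cfg, operator_of)
    findings = []
    if verifiers == 1:
        findings.append("1-of-1: one forged attestation is enough")
    elif operators == 1:
        findings.append("several DVNs but one operator: a shared infrastructure failure defeats all of them")
    return {
        "min_verifiers": verifiers,
        "min_operators": operators,
        "single_point_of_failure": operators == 1,
        "findings": findings,
    }


# Constructed mapping of which operator runs which DVN.
OPERATOR_OF = {
    "dvn-alpha": "op-1", "dvn-beta": "op-1",
    "dvn-gamma": "op-2", "dvn-delta": "op-3", "dvn-epsilon": "op-4",
}
SINGLE = VerifierConfig(required=["dvn-alpha"])
LOOKS_DIVERSE = VerifierConfig(required=["dvn-alpha"],
                               optional=["dvn-beta", "dvn-gamma", "dvn-delta"],
                               optional_threshold=1)
DIVERSE = VerifierConfig(required=["dvn-alpha", "dvn-gamma"],
                         optional=["dvn-delta", "dvn-epsilon"],
                         optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in [("single", SINGLE), ("looks_diverse", LOOKS_DIVERSE), ("diverse", DIVERSE)]:
        print(name, audit(cfg, OPERATOR_OF))
```

The second configuration is the one to watch for: on paper it requires two attestations, but because the cheapest optional DVN is run by the same operator as the required one, a single compromised provider still gets a forgery through. Counting verifiers is not the same as counting independent parties.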


The Laundry: Where Does the Money Go?

Once the funds are stolen, the clock starts ticking: the hackers need to "clean" the assets before the addresses holding them are blacklisted by exchanges and stablecoin issuers. In the Kelp DAO case, the rsETH was rapidly swapped and moved through Tornado Cash, a decentralized mixing service.


In the Drift Protocol heist earlier this month, investigators saw an even more aggressive laundering strategy. Bots were used to scatter funds across over 57,000 wallet addresses, making 590 transactions per minute. This level of automation makes manual tracking by law enforcement almost impossible.


What This Means for Crypto Companies Worldwide

For global crypto firms, the Kelp DAO heist is a wake-up call that "good enough" security is no longer an option when facing state-sponsored adversaries.


1. The End of Single-Point Trust

The industry must move toward "n-of-m" verification models. If a protocol relies on a single oracle, a single bridge, or a single verifier, it's essentially a sitting duck for an actor with the resources of the Lazarus Group.


2. Heightened Regulatory Pressure

As these heists are linked to nuclear proliferation, governments are unlikely to remain hands-off. We can expect stricter mandates on:

  • Mandatory Timelocks: Requiring a delay on all large transfers to allow for manual intervention.

  • KYC for Bridges: Increasing pressure on cross-chain protocols to identify users.

  • Circuit Breakers: Standardizing code that automatically freezes a protocol if a certain percentage of TVL (Total Value Locked) is moved too quickly.
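The first and third of those controls are worth seeing together, since a timelock only helps if someone can act during the delay and a circuit breaker only helps if it is enforced on every path to the vault. The block below is an added example, not code from any protocol mentioned in this article: it gates withdrawals behind a timelock for large amounts and a sliding-window outflow breaker for everything, including queued withdrawals when they are released. The TVL figure, thresholds and the 116,500 withdrawal are constructed to mirror the article's numbers.

```python
"""
A withdrawal gate combining a timelock for large transfers with an outflow
circuit breaker. Added example; amounts and thresholds are constructed.
"""
from collections import deque
from dataclasses import dataclass
from itertools import count


@dataclass
class Pending:
    pid: int
    amount: float
    release_at: float     # earliest timestamp at which it may settle


class WithdrawalGate:
    def __init__(self, tvl, window_s=3600, max_window_fraction=0.10,
                 large_fraction=0.01, timelock_s=86_400):
        self.tvl = tvl
        self.window_s = window_s
        self.max_window_fraction = max_window_fraction   # of TVL per window
        self.large_fraction = large_fraction             # above this, timelock
        self.timelock_s = timelock_s
        self.frozen = False
        self._recent = deque()      # (ts, amount) settled inside the window
        self._queue = {}            # pid -> Pending
        self._ids = count(1)

    def _settle(self, ts, amount) -> str:
        """Circuit breaker: refuse, and freeze the protocol, if this transfer
        would push the window's outflow past the limit. "executed" or "frozen"."""
        if self.frozen:
            return "frozen"
        while self._recent and self._recent[0][0] <= ts - self.window_s:
            self._recent.popleft()
        withdrawn = sum(a for _, a in self._recent)
        baseline = self.tvl + withdrawn          # TVL before this window's outflow
        if withdrawn + amount > self.max_window_fraction * baseline:
            self.frozen = True                   # stop everything; humans decide
            return "frozen"
        self._recent.append((ts, amount))
        self.tvl -= amount
        return "executed"

    def request_withdrawal(self, ts, amount) -> str:
        """Small withdrawals settle through the breaker; large ones are queued
        behind the timelock so a forged instruction can be caught and cancelled."""
        if self.frozen:
            return "frozen"
        if amount >= self.large_fraction * self.tvl:
            pid = next(self._ids)
            self._queue[pid] = Pending(pid, amount, ts + self.timelock_s)
            return "queued"
        return self._settle(ts, amount)

    def cancel(self, pid) -> bool:
        """Manual intervention during the timelock window."""
        return self._queue.pop(pid, None) is not None

    def release_due(self, ts) -> list:
        """Settle queued withdrawals whose timelock has expired; each still has
        to pass the breaker. Returns [(pid, outcome), ...]."""
        results = []
        for pid in sorted(self._queue):          # iterate over a copy of the keys
            pending = self._queue[pid]
            if pending.release_at <= ts:
                outcome = self._settle(ts, pending.amount)
                results.append((pid, outcome))
                if outcome == "executed":
                    del self._queue[pid]
        return results


if __name__ == "__main__":
    gate = WithdrawalGate(tvl=1_000_000)
    print(gate.request_withdrawal(0, 116_500))        # queued
    print(gate.release_due(86_400))                   # [(1, 'frozen')]
```

Two design choices matter here. The breaker measures against the TVL as it stood at the start of the window, so a drain cannot shrink its own limit as it goes; and a queued withdrawal that survives the timelock still has to pass the breaker, so splitting a large drain into one queued transfer plus a burst of small ones does not get around either control. Note the trade-off a real deployment has to accept: once frozen, legitimate users are locked out until someone with the keys unfreezes, which is exactly the window in which the "manual intervention" the bullet above calls for has to happen.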


3. The "Insurance" Crisis

As heists grow in size and sophistication, the cost of insuring digital assets is skyrocketing. Some providers may stop covering DeFi protocols altogether if they don't meet rigorous, audited security standards.


Potential Next Threats: The Future of Cyber-Warfare

As we look toward the remainder of 2026 and beyond, the tactics used in these heists hint at even more dangerous horizons.


  • AI-Driven Social Engineering: We've seen Lazarus use fake job interviews to plant malware. With generative AI, these "TraderTraitor" campaigns can now be conducted at scale, using deepfake audio and video to trick employees into signing malicious transactions.


  • Zero-Day Infrastructure Attacks: Instead of targeting the smart contracts (which are heavily audited), hackers are targeting the RPC nodes, the hosting providers, and the ISPs that the blockchain relies on.


  • Governance Hijacking: By using stolen funds to buy up "governance tokens," a state actor could theoretically "vote" to drain a protocol legally, using the system's own decentralized rules against it.


The Kelp DAO heist is a sobering reminder that in the world of crypto, the greatest innovation is often met with even greater predatory ingenuity. For the industry to survive, it must stop treating security as a feature and start treating it as the foundation.


Summary for Crypto Companies

The Kelp DAO heist demonstrates that state-sponsored actors are no longer just looking for "bugs" in code; they're attacking the infrastructure and the "trust assumptions" of the entire ecosystem.


Key Takeaways:

  • Diversify Infrastructure: Never rely on a single DVN or RPC provider.

  • Audit the "Boring" Parts: Security isn't just about smart contracts; it's about the servers, the devops, and the messaging layers.

  • Prepare for Speed: Laundering now happens in seconds using automated bots. Detection and response must be equally automated.


The Next Threat: Watch for "Governance Takeovers," where hackers use stolen capital to buy voting power in DAOs, allowing them to drain protocols through "legal" on-chain votes. This would make traditional law enforcement even more powerless to intervene.

 
 
 
