Kelp DAO Suffers 2026’s Largest Hack; $292M Stolen Across Multiple Networks


Kelp DAO Platform Suffers 2026's Largest Hack, $292M+ Theft Hits Users Across Blockchains

Key Takeaways:

 

  • Hackers stole $292 million from Kelp DAO, affecting users across 20+ blockchains.
  • Stolen tokens were used to borrow more funds, spreading losses across multiple DeFi platforms.
  • The attack is linked to North Korea’s Lazarus Group, highlighting major crypto security risks.

 

Hackers stole about $292 million from Kelp DAO’s cross-chain bridge on 18 April 2026, making it the largest decentralized finance (DeFi) hack of the year so far.

 

A cross-chain bridge is a system that enables different blockchains to communicate and transfer crypto assets. Kelp DAO is a liquid restaking platform, a service where users deposit liquid staking tokens (LSTs), such as Lido Staked Ether (stETH), to earn additional rewards. In return, they receive a tradable token called rsETH that represents their deposited funds.

 

 

The attack led to the theft of about 116,500 rsETH, around 18% of all tokens in circulation, and impacted users across more than 20 blockchain networks, including Base, Scroll, Linea, Arbitrum, and Mantle.

 

 

 

How the attack worked

The breach targeted Kelp’s bridge, which is built on LayerZero. Attackers first took control of its two key servers (specialized computers that run the system), then disabled the remaining servers with a distributed denial-of-service (DDoS) attack, a method that overwhelms the system with traffic, causing it to stop working.

 

With only the two compromised servers left running, the system relied on them for verifications. These servers sent false information to LayerZero, which led it to approve a fake transaction. As a result, 116,500 rsETH tokens were transferred to a crypto wallet controlled by the attacker at 17:35 UTC on 18 April.

 

The attacker’s wallet had been funded for the hack about 10 hours earlier using Tornado Cash, a tool often used to hide the origin of crypto funds.

 

Kelp activated an emergency pause 46 minutes after the breach, blocking two follow-up attempts that would have pushed total losses close to $392 million.

 

The attacker then used the stolen rsETH as collateral on Aave, a major crypto lending platform, to borrow roughly $195 million in wrapped ETH (wETH), a version of Ether (ETH). This created what is known as “bad debt” for Aave, meaning the platform may not be able to recover the borrowed funds because the collateral is no longer valid.

 

 


 

 

The DeFi fallout: Nine platforms hit

The fallout spread swiftly. Aave froze the rsETH-related markets on both its v3 and v4 platforms and confirmed on X that its own core systems were not affected.

 

 

Other platforms, including SparkLend, Fluid, Compound, and Euler, also paused related activities, bringing the total number of affected platforms to at least nine.

 

 

Aave’s total value locked (TVL) fell by roughly $8.45 billion within 48 hours, while the broader DeFi sector shed $13.21 billion in TVL over the same period. Aave’s AAVE token dropped nearly 20% in price, and users had withdrawn a net $6.2 billion from Aave by early 19 April.

 

 


 

 

North Korea’s Lazarus Group named as prime suspect

LayerZero later pointed to Kelp DAO’s use of a single-verifier setup, where only one entity checks transactions, as a key weakness. Industry best practices typically recommend multiple independent verifiers to reduce the risk of failure.
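The verification weakness described above and in "How the attack worked", as an added example that is not part of the original article and is not LayerZero or Kelp DAO code: a simplified model contrasting a policy that trusts whichever verifiers are still responding with one that requires a fixed quorum of the configured set and rejects the message otherwise. The verifier names, message hashes and thresholds are constructed for illustration.

```python
# Added illustration: a simplified model of cross-chain message verification.
# Every name here is hypothetical; this is not LayerZero or Kelp DAO code.
from collections import Counter


def accept_responsive_only(configured, attestations):
    """Weak policy: accept whatever the verifiers that answered agree on.

    Fails open: when most verifiers are offline, the few still responding
    decide alone, however small that group is.
    """
    votes = {v: h for v, h in attestations if v in configured}
    hashes = set(votes.values())
    return hashes.pop() if len(hashes) == 1 else None


def accept_with_quorum(configured, attestations, threshold):
    """Hardened policy: `threshold` distinct configured verifiers must agree.

    The threshold is measured against the full configured set, so an
    unreachable verifier is a missing vote and the message is rejected.
    """
    if not len(configured) / 2 < threshold <= len(configured):
        raise ValueError("threshold must be a strict majority of configured verifiers")
    votes = {}
    for verifier, message_hash in attestations:
        if verifier not in configured:
            continue  # ignore attestations from unknown identities
        if votes.setdefault(verifier, message_hash) != message_hash:
            votes[verifier] = None  # verifier contradicted itself: drop its vote
    tally = Counter(h for h in votes.values() if h is not None)
    for message_hash, count in tally.items():
        if count >= threshold:
            return message_hash
    return None  # fail closed: no quorum, no delivery


# Constructed sample: five configured verifiers, two answer, three are offline.
CONFIGURED = frozenset({"v1", "v2", "v3", "v4", "v5"})
DEGRADED = [("v1", "0xforged"), ("v2", "0xforged")]
HEALTHY = [(v, "0xreal") for v in sorted(CONFIGURED)]

if __name__ == "__main__":
    print("responsive-only, degraded:", accept_responsive_only(CONFIGURED, DEGRADED))
    print("quorum 4-of-5, degraded:  ", accept_with_quorum(CONFIGURED, DEGRADED, 4))
    print("quorum 4-of-5, healthy:   ", accept_with_quorum(CONFIGURED, HEALTHY, 4))
```

With a single configured verifier the quorum check reduces to trusting that one party, which is the setup LayerZero identified as the key weakness.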

 

In its official statement, LayerZero attributed the breach to North Korea’s Lazarus Group, specifically its TraderTraitor subunit, and confirmed cooperation with global law enforcement agencies. Kelp had not publicly responded to those findings at the time of writing.

 

 

The same group has reportedly been linked to the $285-million Drift Protocol exploit on 1 April 2026, bringing its alleged DeFi haul to over $575 million in just 18 days.

 

Charles Guillemet, chief technology officer of hardware (physical) wallet firm Ledger, reportedly warned that 2026 is shaping up to be one of the worst years for DeFi security, as large-scale attacks continue to expose weaknesses in complex blockchain systems.

Ashish Sood


Author
