LayerZero said in a preliminary analysis published Monday that the attack, which drained approximately $292 million from the KelpDAO cross-chain bridge over the weekend, was “likely” the work of North Korea’s Lazarus Group, specifically its TraderTraitor subunit.
On Saturday, attackers stole 116,500 rsETH (a liquid staking token backed by staked Ethereum) from the KelpDAO bridge, triggering a wave of withdrawals across decentralized finance platforms; more than $10 billion in lending-protocol funds left Avail.
LayerZero stated that the attack exhibits characteristics of a "highly sophisticated state actor," likely North Korea's Lazarus Group, and specifically pointed to its TraderTraitor subunit.
North Korea’s cyber operations are reportedly run by the Reconnaissance General Bureau, which oversees several distinct teams, including TraderTraitor, AppleJeus, APT38, and DangerousPassword, according to an analysis by Paradigm researcher Samczsun.
Among these subgroups, TraderTraitor is considered North Korea’s most sophisticated unit targeting cryptocurrency, and it has previously been linked to the compromises of the Axie Infinity Ronin Bridge and WazirX.
LayerZero said that KelpDAO used a single validator to approve both inbound and outbound bridge transfers, and that it had repeatedly urged KelpDAO to adopt multiple validators.
LayerZero says it will no longer approve any application that still runs this setup.
Single point of failure
Observers said the vulnerability came down to the bridge having been built to trust a single validator.
Shalev Keren, co-founder of the cybersecurity firm Sodot, told Decrypt that this is “a single point of failure,” no matter how much the marketing department tries to spin it.
Keren said a single compromised checkpoint is enough to let funds leave the bridge, and that no audit or security review can fix the flaw without “eliminating unilateral trust from the architecture itself.”
Others share this view. Haoze Qiu, head of blockchain at Grvt, said that “Kelp DAO appears to have accepted a bridge security setup with insufficient redundancy for assets of this scale,” adding that LayerZero “bears responsibility” because “this breach involved infrastructure related to its validator stack, even if it was not described as a core protocol vulnerability.”
According to an analysis by blockchain security firm Cyvers, the attacker drained a further roughly $100 million in just three minutes before being blacklisted, which halted the activity. Cyvers Chief Technology Officer Mel Dolev told Decrypt that the attack worked by deceiving a single communication channel.
The attacker compromised two of the verification pathways used to check whether withdrawals had genuinely occurred on Unichain, fed them false “yes” responses, and then took the remaining pathways offline, forcing the validator to rely on the compromised ones.
“The vault is fine. The security guard is honest. The door lock mechanism is working normally,” Dolev said. “The lie was told directly and quietly to the person who verbally opened the vault.”
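The failure mode Dolev describes and the single-validator design LayerZero criticises share one root cause: a verifier that treats whatever inputs remain reachable as sufficient. The following is an added illustration, not code from LayerZero, KelpDAO or Cyvers; the pathway model, the function names and the sample scenarios are constructed for the example. It contrasts a fall-through verifier that accepts the first reachable answer with one that requires a fixed quorum of independent sources and counts an unreachable source as a vote against approval.

```python
from typing import Callable, List, Optional

# A "pathway" answers "did withdrawal X really happen on the source chain?"
# with True/False, or raises SourceOffline if it cannot be reached. These are
# constructed stand-ins for RPC endpoints or indexers, not a real bridge
# component.
Pathway = Callable[[str], bool]


class SourceOffline(Exception):
    """Raised when a verification pathway cannot be reached."""


def make_pathway(answer: Optional[bool]) -> Pathway:
    """Build a constructed pathway with a fixed answer; None means 'offline'."""
    def query(withdrawal_id: str) -> bool:
        if answer is None:
            raise SourceOffline(withdrawal_id)
        return answer
    return query


def verify_fallback(pathways: List[Pathway], withdrawal_id: str) -> bool:
    """Fail-open pattern: walk the pathways in order, skip any that are
    offline, and accept the first answer that comes back. Taking the honest
    pathways offline hands the decision to whichever ones remain."""
    for query in pathways:
        try:
            return query(withdrawal_id)
        except SourceOffline:
            continue
    return False  # nothing reachable at all


def verify_quorum(pathways: List[Pathway], withdrawal_id: str, threshold: int) -> bool:
    """Fail-closed pattern: every configured pathway is consulted; an offline
    or dissenting pathway counts as a 'no'. Approval needs at least
    `threshold` independent 'yes' votes, so an attacker has to compromise
    `threshold` pathways rather than silence the honest ones."""
    if not 0 < threshold <= len(pathways):
        raise ValueError("threshold must be between 1 and the number of pathways")
    confirmations = 0
    for query in pathways:
        try:
            if query(withdrawal_id):
                confirmations += 1
        except SourceOffline:
            pass  # unreachable: no vote, which counts against approval
    return confirmations >= threshold


def forged_withdrawal_scenario() -> List[Pathway]:
    """Constructed scenario matching the narrative: two pathways compromised
    to say 'yes' for a withdrawal that never happened, two honest pathways
    taken offline."""
    return [make_pathway(True), make_pathway(True), make_pathway(None), make_pathway(None)]


def genuine_withdrawal_scenario() -> List[Pathway]:
    """Constructed liveness scenario: a real withdrawal, three honest
    pathways online, one offline."""
    return [make_pathway(True), make_pathway(True), make_pathway(True), make_pathway(None)]


if __name__ == "__main__":
    forged = forged_withdrawal_scenario()
    print("fallback, forged   :", verify_fallback(forged, "wd-1"))    # True  (funds leave)
    print("quorum 3/4, forged :", verify_quorum(forged, "wd-1", 3))   # False (rejected)
    genuine = genuine_withdrawal_scenario()
    print("quorum 3/4, genuine:", verify_quorum(genuine, "wd-2", 3))  # True  (one outage tolerated)
```

Two points follow from the example. First, the threshold is a trade-off: with four pathways, 3-of-4 tolerates one outage and one compromise, while 2-of-4 would have approved the forged withdrawal in this scenario. Second, the same function applied one layer up gives M-of-N approval across independent validators; a single validator is the 1-of-1 case, in which one compromised input chain is sufficient, which is the “unilateral trust” Keren refers to. A quorum only helps if the pathways or validators are genuinely independent in operator and infrastructure; correlated compromise defeats it.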
LayerZero, which provided the infrastructure for the bridge, pointed to Lazarus as the likely culprit; Cyvers did not reach the same conclusion in its own analysis.
Dolev said some patterns are consistent with Democratic People’s Republic of Korea operations in their complexity, scale, and coordinated execution, but that no associated wallets have been confirmed.
He added that the malicious node software was designed to delete itself once the attack ended, erasing binaries and logs to obscure the attacker’s footprint both in real time and after the fact.
At the beginning of this month, attackers drained approximately $285 million from Drift, a perpetuals protocol on Solana; that exploit was subsequently attributed to North Korean operators.
Dolev noted that the Drift hack was “very different in terms of preparation and execution,” but said both attacks required extensive preparation, deep expertise, and significant resources to succeed.
In a separate report, Cyvers said it suspects the stolen funds were transferred to an Ethereum address it identified. On-chain investigator ZachXBT identified the attack address and flagged it alongside four other attack addresses. According to ZachXBT, the funds for these attack addresses originated from ... coin mixers, and Tornado Cash is currently seeing heavy use.
