LayerZero Releases KelpDAO Attack Report, Attributing Incident to North Korean Hackers

LayerZero Labs has published a report on the KelpDAO rsETH cross-chain bridge attack, which involved a Sybil attack and a replay attack. On April 18, 2026, $292 million in rsETH was stolen. Attackers gained access to developer accounts via social engineering as early as March 6, 2026, and manipulated data to forge cross-chain proofs. LayerZero plans to enhance security by banning single-verifier setups, rebuilding its cloud infrastructure, and implementing multi-party approvals.

Odaily Planet Daily reports that LayerZero Labs released its latest incident report stating that on April 18, 2026, the KelpDAO rsETH cross-chain bridge, built on its cross-chain communication protocol, was compromised, resulting in the theft of approximately 116,500 rsETH (around $292 million). Multiple security firms, including Mandiant and CrowdStrike, along with independent researchers, have attributed the attack to the North Korea-linked hacking group TraderTraitor (UNC4899).

The report shows that the attack began on March 6, 2026, when the attackers used social engineering to compromise a LayerZero developer account, obtain session keys, and infiltrate the RPC cloud environment. They then corrupted internal RPC node data and manipulated response results to deceive monitoring systems and the Decentralized Verification Network (DVN). Subsequently, the attackers launched a denial-of-service attack against external RPC providers, forcing the verification system to rely on the compromised nodes to generate forged cross-chain proofs, enabling them to successfully withdraw funds.

LayerZero noted that the core of this vulnerability lies in the affected applications' use of a "single-verifier" configuration, which caused the target contract to release assets upon receiving only a single valid signature, resulting in the theft of rsETH.
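The single-verifier weakness described above, modeled as an added example (this is not LayerZero or KelpDAO code). It assumes three hypothetical verifiers `dvn-a`, `dvn-b` and `dvn-c`, uses HMAC with constructed keys as a stand-in for real signatures, and the function names `attest`, `valid_verifiers` and `may_release` are illustrative only.

```python
import hashlib
import hmac

# Constructed keys for three hypothetical verifiers; HMAC stands in for signatures.
VERIFIER_KEYS = {"dvn-a": b"constructed-key-a", "dvn-b": b"constructed-key-b",
                 "dvn-c": b"constructed-key-c"}

def attest(verifier: str, message: bytes) -> str:
    """Attestation a verifier issues for a message it believes is on the source chain."""
    return hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).hexdigest()

def valid_verifiers(message: bytes, attestations: list[tuple[str, str]]) -> set[str]:
    """Distinct known verifiers whose attestation matches this exact message."""
    ok = set()
    for verifier, tag in attestations:
        if verifier in VERIFIER_KEYS and hmac.compare_digest(tag, attest(verifier, message)):
            ok.add(verifier)
    return ok

def may_release(message: bytes, attestations: list[tuple[str, str]],
                required: set[str], threshold: int) -> bool:
    """Release only if every required verifier and >= threshold distinct ones agree."""
    ok = valid_verifiers(message, attestations)
    return required <= ok and len(ok) >= threshold

def demo() -> dict[str, bool]:
    forged = b"constructed: release 116500 rsETH to attacker"
    genuine = b"constructed: release 10 rsETH to user"
    # dvn-a was fed manipulated chain data, so it attests to the forged message
    # (submitted twice here); dvn-b and dvn-c only ever attested to the genuine one.
    forged_atts = [("dvn-a", attest("dvn-a", forged))] * 2
    forged_atts.append(("dvn-b", attest("dvn-b", genuine)))
    genuine_atts = [(v, attest(v, genuine)) for v in ("dvn-a", "dvn-b", "dvn-c")]
    return {
        "single_forged": may_release(forged, forged_atts, {"dvn-a"}, 1),
        "quorum_forged": may_release(forged, forged_atts, {"dvn-a"}, 2),
        "quorum_genuine": may_release(genuine, genuine_atts, {"dvn-a"}, 2),
    }

if __name__ == "__main__":
    for case, released in demo().items():
        print(f"{case}: released={released}")
```

With a threshold of 1 the forged message is released on one verifier's word; with a threshold of 2 it is rejected, because the repeated attestation from the same verifier counts once and no second verifier vouches for that message.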

Following the incident, LayerZero Labs announced adjustments to its security policies, including ceasing to allow its own DVN to act as the sole signing party in a single-verification configuration, rebuilding the affected cloud infrastructure, and implementing short-term credentials, just-in-time privilege escalation, and multi-party approval mechanisms to enhance security. Additionally, zeroShadow and law enforcement agencies have intervened to investigate and track assets. LayerZero stated it will continue collaborating with ecosystem partners to strengthen its cross-chain security framework in response to increasingly sophisticated state-level attack threats.
