KelpDAO, a decentralized finance (DeFi) protocol operating in the liquid restaking space, has been struck by a $290 million cryptocurrency heist that researchers have attributed to Lazarus Group — the prolific North Korean state-sponsored hacking organization with a long track record of billion-dollar crypto theft operations.
The attack occurred over the weekend and represents one of the largest single crypto theft events of 2026, adding to a years-long campaign by DPRK-linked hackers to fund the North Korean regime's weapons and sanctions-evasion programs through cryptocurrency theft.
What Is KelpDAO?
KelpDAO is a liquid restaking protocol built on top of Ethereum's restaking ecosystem. It allows users to restake liquid staking tokens (LSTs) to earn additional yield by securing multiple networks simultaneously. The protocol manages significant volumes of staked assets on behalf of its users.
At the time of the attack, KelpDAO held hundreds of millions of dollars in user-deposited crypto assets — making it a high-value target consistent with Lazarus Group's pattern of targeting DeFi protocols with substantial TVL (total value locked).
Attack Attribution
Researchers linked the theft to Lazarus Group based on several indicators:
| Attribution Indicator | Detail |
|---|---|
| On-chain fund flow | Stolen funds moved to wallet clusters previously associated with Lazarus operations |
| Mixer and bridge usage | Post-theft asset laundering matched DPRK-typical patterns (Tornado Cash successors, cross-chain bridges) |
| Operational timing | Weekend execution timing consistent with prior Lazarus campaigns |
| Attack methodology | Technical approach consistent with previous Lazarus DeFi exploits |
| Scale | $290M theft consistent with Lazarus Group's pattern of large-scale protocol targeting |
Lazarus Group has stolen an estimated $3+ billion in cryptocurrency since 2017, according to blockchain analytics firms. Notable prior operations include the $625 million Ronin Network hack (2022), the $100 million Horizon Bridge hack (2022), and the $285 million Drift hack attributed to DPRK operatives in early 2026.
The Lazarus Crypto Theft Playbook
Lazarus Group has refined its DeFi attack methodology into a repeatable pattern observed across multiple campaigns:
Phase 1: Reconnaissance
- Identify high-TVL DeFi protocols
- Map smart contract architecture and upgrade mechanisms
- Identify privileged key holders and their operational security posture
Phase 2: Access
- Social engineer protocol developers or key holders (fake job offers, LinkedIn)
- Deploy trojanized code via compromised developer machines
- OR exploit smart contract vulnerabilities directly
Phase 3: Execution
- Drain funds in a single coordinated transaction sequence
- Use flash loans or governance attacks to amplify theft if needed
Phase 4: Laundering
- Immediately bridge funds across chains
- Fragment into smaller wallets to obscure trail
- Route through mixing services and privacy protocols
- Convert to fiat via OTC brokers in compliance-light jurisdictions
In the Drift hack earlier in 2026, researchers uncovered a six-month social engineering operation in which North Korean operatives conducted in-person meetings as part of the compromise — demonstrating the level of resources Lazarus is willing to deploy.
Scope of the KelpDAO Theft
| Detail | Value |
|---|---|
| Funds stolen | $290 million |
| Protocol | KelpDAO (liquid restaking, Ethereum ecosystem) |
| Attack date | Weekend of April 19–20, 2026 |
| Attribution | Lazarus Group (DPRK) |
| Asset type | Restaked ETH and derivative tokens |
| Protocol status | Under investigation; withdrawals suspended |
KelpDAO's Response
KelpDAO has suspended withdrawals and deposits while the incident is investigated. The protocol's team has engaged blockchain security firms to trace the stolen funds and is coordinating with law enforcement and industry partners including centralized exchanges to freeze addresses associated with the theft.
Users with assets in KelpDAO protocols should:
- Monitor official KelpDAO communication channels for updates
- Avoid making additional deposits until the protocol is declared secure
- Document any positions held at the time of the attack for potential recovery or compensation claims
- Be alert to social engineering attacks targeting KelpDAO users in the aftermath
North Korea's Crypto Funding Machine
The US government has repeatedly identified cryptocurrency theft as a primary funding mechanism for North Korea's weapons programs, including ballistic missile and nuclear development. UN Panel of Experts reports estimate DPRK-linked hackers stole over $1.5 billion in crypto in 2024 alone.
The pattern is systematic and shows no signs of abating: DeFi protocols represent a target-rich environment because of their open-source codebases, significant on-chain liquidity, and the challenge of reversing transactions once executed.
| DPRK Crypto Theft | Estimated Amount |
|---|---|
| Ronin Network (2022) | $625 million |
| Horizon Bridge (2022) | $100 million |
| Various DeFi protocols (2024) | ~$1.5 billion (total) |
| Drift (early 2026) | $280–285 million |
| KelpDAO (April 2026) | $290 million |
Implications for DeFi Security
The KelpDAO heist reinforces several hard lessons the DeFi ecosystem has repeatedly failed to fully internalize:
- Smart contract audits are not sufficient alone — Lazarus increasingly targets off-chain components (developer machines, key management) rather than on-chain bugs
- Multi-sig alone does not stop sophisticated attackers — Social engineering and device compromise can compromise signing key holders
- TVL is a targeting signal — Protocols with $100M+ TVL consistently appear on Lazarus's radar
- Response time matters — Fast intervention with exchanges can freeze stolen funds before laundering completes
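The "response time matters" point depends on an exchange or protocol team being able to answer, within minutes, which addresses have touched the stolen funds and which of the laundering steps described above (fragmentation, bridging, movement to known clusters) are already under way. The script below is an added example, not code from the article, KelpDAO, or any analytics vendor: it walks a set of constructed transfer records hop by hop from the victim address, tags every address that received victim funds as a freeze candidate, and raises alerts for the three laundering patterns. Every address, amount and "known cluster" entry is a constructed placeholder, not a real indicator.

```python
"""Post-incident outbound-transfer screen (added example; constructed data only).

The heuristics mirror the laundering phases the article describes:
  direct_cluster  - transfer of tainted funds to an address in a known cluster
  bridge          - tainted funds leaving the chain through a bridge contract
  fragmentation   - one tainted address fanning out to many destinations
  taint           - every address that received victim funds (freeze candidates)
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    block: int
    src: str
    dst: str
    amount_eth: float


# Constructed placeholders standing in for addresses an analytics provider has
# previously clustered with DPRK-linked activity. Not real indicators.
KNOWN_CLUSTER = {"0xCLUSTER_A", "0xCLUSTER_B"}
# Constructed placeholder for a cross-chain bridge deposit contract.
BRIDGE_CONTRACTS = {"0xBRIDGE_1"}


def screen(transfers, victim, known=KNOWN_CLUSTER, bridges=BRIDGE_CONTRACTS,
           fragment_threshold=5):
    """Return alerts keyed by reason, plus the list of tainted addresses.

    Transfers are processed in block order so that taint propagates forward:
    an address becomes tainted only after it has received funds from an
    already-tainted address, and only transfers *from* tainted addresses are
    examined. Unrelated traffic to a known cluster therefore does not alert.
    """
    alerts = defaultdict(list)
    tainted = {victim}
    fanout = defaultdict(set)  # tainted source -> set of destinations

    for t in sorted(transfers, key=lambda x: (x.block, x.tx_hash)):
        if t.src not in tainted:
            continue
        tainted.add(t.dst)
        fanout[t.src].add(t.dst)
        if t.dst in known:
            alerts["direct_cluster"].append(t.tx_hash)
        if t.dst in bridges:
            alerts["bridge"].append(t.tx_hash)

    for src, dsts in fanout.items():
        if len(dsts) >= fragment_threshold:
            alerts["fragmentation"].append(src)

    # Freeze candidates: everything one or more hops downstream of the victim.
    alerts["taint"] = sorted(tainted - {victim})
    return dict(alerts)


# Constructed sample: a single drain, a five-way split, then one leg to a
# bridge and one to a known cluster. tx9 is unrelated noise that must not alert.
SAMPLE_TRANSFERS = [
    Transfer("tx1", 1, "0xVICTIM", "0xHOP1", 290.0),
    Transfer("tx2", 2, "0xHOP1", "0xSPLIT_1", 58.0),
    Transfer("tx3", 2, "0xHOP1", "0xSPLIT_2", 58.0),
    Transfer("tx4", 2, "0xHOP1", "0xSPLIT_3", 58.0),
    Transfer("tx5", 2, "0xHOP1", "0xSPLIT_4", 58.0),
    Transfer("tx6", 2, "0xHOP1", "0xSPLIT_5", 58.0),
    Transfer("tx7", 3, "0xSPLIT_1", "0xBRIDGE_1", 58.0),
    Transfer("tx8", 3, "0xSPLIT_2", "0xCLUSTER_A", 58.0),
    Transfer("tx9", 4, "0xUNRELATED", "0xCLUSTER_A", 10.0),
]


def run_sample():
    """Screen the constructed sample from the placeholder victim address."""
    return screen(SAMPLE_TRANSFERS, victim="0xVICTIM")


if __name__ == "__main__":
    for reason, hits in run_sample().items():
        print(f"{reason}: {hits}")
```

The taint list is the part an exchange compliance desk acts on first: any of those addresses depositing to the exchange is a freeze candidate regardless of whether it is already in a vendor's cluster. The fragmentation and bridge alerts are the signal that laundering has begun and that the window for freezing on the origin chain is closing.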
The FBI, CISA, and Chainalysis have all published resources on protecting crypto assets from DPRK-linked threat actors. Protocol teams managing significant TVL should treat these threat actor profiles as mandatory reading.
Source: BleepingComputer