Kelp DAO hit by $293M hack: biggest DeFi theft of 2026.

The Kelp DAO exploiter has initiated Cross-Chain Laundering to hide $292M in stolen funds. Explore the technical breach and the impact on the DeFi ecosystem.
The Anatomy of the Kelp DAO Exploit
In April 2026 the decentralized finance (DeFi) ecosystem was rocked by its largest security event of the year. Kelp DAO, a leading liquid restaking protocol, became the target of a sophisticated $292 million exploit on Saturday, April 18.
While the initial theft sent shockwaves through the market, the subsequent on-chain maneuvers by the attacker (identified by several security firms as the North Korea-linked Lazarus Group) have provided a masterclass in modern obfuscation. This article dives deep into the technical failures that led to the breach and the subsequent Cross-Chain Laundering operation that has seen millions of dollars in stolen ETH move into the Bitcoin network.
What is Kelp DAO?
Kelp DAO operates by allowing users to deposit staked assets like stETH and cbETH in exchange for rsETH, a liquid restaking token (LRT). This model relies heavily on cross-chain bridges to maintain liquidity across various Layer 2 networks. The vulnerability that allowed for the $292 million drain was not located within the rsETH smart contract itself, but rather in the protocol's bridge infrastructure powered by LayerZero.
Security firm Halborn reported that the root cause was a "1-of-1 verifier configuration." In this setup, only a single node was responsible for validating cross-chain messages before releasing funds. The Lazarus Group exploited this central point of failure by launching a coordinated Distributed Denial-of-Service (DDoS) attack against the protocol's RPC nodes.
By forcing legitimate nodes offline, the attackers were able to isolate the verifier in a controlled environment. They then fed the verifier fraudulent cross-chain messages, authorizing the release of approximately 116,500 rsETH to accounts under their control.
Once the funds were successfully drained from the Kelp DAO bridge, the exploiter faced the challenge of exiting the Ethereum ecosystem, where centralized authorities and Layer 2 security councils can intervene. The initial movement involved swapping rsETH for native ETH, which was then distributed across multiple wallets to evade detection.
However, the most significant phase of the operation began on Tuesday, April 21, as the attackers turned to Cross-Chain Laundering to bridge assets to Bitcoin.
On-chain analyst EmberCN and investigator ZachXBT noted a massive surge in THORChain volume, which reached $394 million in a single 24-hour period, more than ten times its usual daily activity. The exploiter utilized THORChain's non-custodial swap protocol to exchange stolen ETH for native BTC.
Because THORChain operates as a decentralized, permissionless liquidity protocol, it lacks a "freeze" function, making it an ideal tool for Cross-Chain Laundering. Security firms PeckShield and Cyvers estimated that approximately $176 million worth of stolen assets began moving through THORChain, Umbra, and BitTorrent in a rapid attempt to break the audit trail.
While the exploiter successfully moved a large portion of the loot, they encountered a significant roadblock on the Arbitrum network. Shortly after the breach, the Arbitrum Security Council exercised its emergency powers to freeze approximately 30,766 ETH (roughly $75 million) held in a wallet linked to the Kelp DAO hack. This intervention was a rare win for containment in the DeFi space, demonstrating that the "guardrails" of Layer 2 networks can still act as a deterrent when speed is of the essence.
However, the freeze acted as a double-edged sword. While it secured $75 million, it also accelerated the exploiter's move toward decentralized, unfreezable protocols. The realization that funds could be immobilized on Ethereum-based scaling solutions likely prompted the Lazarus Group to double down on their Cross-Chain Laundering efforts via THORChain and other privacy-preserving tools like Umbra. This tactical shift highlights the ongoing "cat-and-mouse" game between state-sponsored actors and blockchain security councils.
The impact of the Kelp DAO exploit extended far beyond its own TVL (Total Value Locked). Because rsETH is widely used as collateral in lending markets, the sudden $292 million hole in the protocol's backing created a contagion risk. Major lending platforms including Aave, SparkLend, and Fluid were forced to freeze their rsETH markets.
Security firm Cyvers noted that at least nine other platforms were impacted. Because the exploiter used stolen rsETH as collateral to borrow other assets before the hack was fully detected, these lending protocols were left holding "bad debt": loans backed by collateral that had been frozen or was rapidly losing its peg. The incident triggered a massive exit of capital from DeFi, with some estimates suggesting that over $13 billion in deposits were withdrawn from various protocols in the 48 hours following the hack as users sought safety.
The Bridge Drain: 116,500 rsETH is authorized via a forged verifier message on a Layer 2 network.
The Internal Swap: Stolen tokens are swapped on Uniswap or CowSwap for native ETH to improve liquidity.
The Cross-Chain Bridge: ETH is routed to THORChain's Asgard vaults, where it is swapped for native BTC to exit the Ethereum tracking perimeter.
The Privacy Layer: Small portions of funds are sent through Umbra (stealth addresses) to cover operational costs or pay for server infrastructure.
Technical Lessons for the DeFi Industry
The Kelp DAO catastrophe serves as a stark reminder of the dangers of "efficiency over security." The 1-of-1 verifier setup was likely chosen to reduce latency and gas costs for cross-chain transactions, but it provided a single point of failure that the Lazarus Group was more than capable of exploiting.
Moving forward, the industry is seeing a renewed push for "Multi-Verifier" configurations and "Time-Delayed" withdrawals for large bridge transfers. Had Kelp DAO implemented a 24-hour delay for withdrawals exceeding $10 million, the Arbitrum Security Council might have had the opportunity to freeze the entire $292 million before it ever touched a decentralized swap protocol.
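To make the two lessons concrete, the following is an added, simplified model (not LayerZero's or Kelp DAO's code) of a bridge receiver that enforces an M-of-N verifier quorum and a time-delayed, cancellable release for large withdrawals. Verifier signatures are stood in for by HMACs over the message digest, the verifier keys are constructed, and the threshold is expressed in token units rather than dollars; setting quorum=1 reproduces the 1-of-1 configuration the article describes.

```python
import hmac, hashlib
from dataclasses import dataclass, field

# Constructed verifier keys standing in for independent operators' signing keys.
VERIFIER_KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}

def msg_digest(src_chain, nonce, recipient, amount):
    return hashlib.sha256(f"{src_chain}|{nonce}|{recipient}|{amount}".encode()).digest()

def attest(verifier, digest):
    # HMAC stand-in for a verifier's signature over the cross-chain message digest
    return hmac.new(VERIFIER_KEYS[verifier], digest, hashlib.sha256).digest()

@dataclass
class BridgeReceiver:
    quorum: int            # 1 reproduces the 1-of-1 setup; 2 (of 3 keys) is the multi-verifier form
    delay_threshold: int   # withdrawals at or above this amount are time-delayed
    delay_seconds: int
    seen_nonces: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # nonce -> (recipient, amount, ready_at)
    released: list = field(default_factory=list)

    def valid_attestations(self, digest, attestations):
        # Count only distinct, known verifiers whose attestation checks out
        return {v for v, sig in attestations.items()
                if v in VERIFIER_KEYS and hmac.compare_digest(attest(v, digest), sig)}

    def receive(self, src_chain, nonce, recipient, amount, attestations, now):
        if nonce in self.seen_nonces:
            return "replay"
        digest = msg_digest(src_chain, nonce, recipient, amount)
        if len(self.valid_attestations(digest, attestations)) < self.quorum:
            return "rejected"
        self.seen_nonces.add(nonce)
        if amount >= self.delay_threshold:
            self.pending[nonce] = (recipient, amount, now + self.delay_seconds)
            return "queued"   # large release waits; a guardian can still cancel it
        self.released.append((recipient, amount))
        return "released"

    def cancel(self, nonce):
        # Guardian / security council action inside the delay window
        return self.pending.pop(nonce, None) is not None

    def execute(self, nonce, now):
        recipient, amount, ready_at = self.pending.get(nonce, (None, 0, None))
        if ready_at is None or now < ready_at:
            return False
        del self.pending[nonce]
        self.released.append((recipient, amount))
        return True
```

With quorum=1 a single compromised verifier is enough to get a forged message accepted, but the delay still gives a guardian time to cancel it; with quorum=2 the same message is rejected outright.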
Key Points to Remember
The Breach: $292 million was stolen from Kelp DAO on April 18, 2026, due to a compromised 1-of-1 verifier setup.
The Actor: Cybersecurity firms have attributed the attack to the North Korea-linked Lazarus Group.
The Method: Attackers used DDoS to isolate a single verifier and feed it fake cross-chain messages via LayerZero.
Containment: Arbitrum successfully froze $75 million, but the remaining funds are being rapidly laundered.
DeFi Contagion: Lending markets like Aave have paused rsETH activity to mitigate the risk of bad debt and collateral insolvency.
Monitoring these sophisticated on-chain movements requires professional-grade analytics. To track the latest liquidity trends, monitor exploiter wallet activity, and stay ahead of the next market-wide contagion event, start using DEXTools today to empower your DeFi trading and security research.
Disclaimer: This article is for informational purposes only and does not constitute investment advice, financial advice, trading advice, or any other kind of advice. DEXTools does not recommend buying, selling, or holding any cryptocurrency or token. Users should conduct their own research and consult with a qualified financial advisor before making any investment decisions. Cryptocurrency investments are volatile and high-risk. DEXTools is not responsible for any losses incurred.