
How 1 SMALL Signature Config Error Turned into a $292 Million Loss

When a single misconfigured signature is all it takes to create $292 million in tokens from nothing, the entire premise of trustless finance looks a lot shakier than the name suggests.

How the Attack Worked

On April 18, 2026, an attacker exploited a vulnerability in KelpDAO's cross-chain bridge - powered by LayerZero - to drain 116,500 rsETH tokens worth approximately $292 million. That's about 18% of rsETH's entire circulating supply, conjured out of a flaw that wasn't in LayerZero's protocol itself but in how Kelp had configured it.

The setup relied on a single verification point to authorize cross-chain messages. The attacker found it, exploited it, and a message went through that shouldn't have. "One signature and 116,500 rsETH materialized out of thin air on Ethereum," as researchers later described it. Those tokens were then used as collateral to borrow real assets - mostly from Aave - and drained before the protocol could pause.

Lazarus Group's Fingerprints

Within three days of the breach, blockchain analytics firm Chainalysis attributed the attack to North Korea's Lazarus Group, based on mixer usage patterns and fund-dispersal methods matching the group's known operational style. The attribution is consistent with Lazarus's track record of targeting DeFi protocols: the group has been the most prolific on-chain thief for several years running.

The scale of the loss makes it the largest DeFi exploit of 2026, overtaking the Drift hack by a few million dollars. Cumulative DeFi losses this year have now crossed $770 million across more than 30 incidents - a number that's difficult to spin as a maturing industry's growing pains.

DeFi Mounts a Rescue

What followed was, depending on your perspective, either a remarkable show of coordination or a reminder that the safety net in DeFi is entirely informal.

Aave convened a coalition called "DeFi United," pulling in Lido Finance, EtherFi, and other major protocols to contribute ETH to cover the shortfall left in Aave's lending pools. On April 21, Arbitrum's Network Security Council froze 30,766 ETH - roughly $71 million - belonging to the attacker, recovering about 25% of the stolen assets. Standard Chartered published a note calling the sector's response a sign of resilience. The broader crypto community was less measured, with some declaring DeFi dead outright.

What Needs to Change

CoinDesk's post-mortem published Saturday points to cross-chain bridges as DeFi's most persistent weak link - a problem the industry has been aware of since the Wormhole and Ronin bridge exploits years earlier. The pattern is consistent: bridge complexity creates attack surfaces, and the incentives to ship quickly tend to outrun the incentives to audit carefully.

The most uncomfortable part of this incident is that it wasn't a sophisticated zero-day. It was a configuration mistake. LayerZero's infrastructure worked as designed - the problem was how Kelp deployed it. That's a much harder issue to address with audits alone, because it means any protocol using shared infrastructure needs to verify not just the code but every parameter governing how cross-chain messages are trusted and validated.
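One way to make that parameter check routine, as an added example rather than Kelp's or LayerZero's code: a small Python linter over a receive-side verification config that reports how few verifiers can authorize any message. The field names (required verifiers, optional verifiers, an optional-verifier threshold and a source-chain confirmation count) follow the shape of LayerZero V2's ULN receive config, but the classes, the policy floors and the verifier names are assumptions constructed for this example.

```python
"""Lint a cross-chain receive-side verification config for single points of trust.

Added example: field names follow the shape of LayerZero V2's ULN receive
config (required verifiers, optional verifiers, optional threshold, source
confirmations), but the classes, policy floors and verifier names below are
assumptions, not Kelp's or LayerZero's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VerifierConfig:
    source_chain: str
    confirmations: int                  # source-chain blocks to wait before attesting
    required_dvns: List[str] = field(default_factory=list)   # all of these must attest
    optional_dvns: List[str] = field(default_factory=list)   # a threshold of these must
    optional_threshold: int = 0


@dataclass
class Policy:
    min_confirmations: int = 15         # assumed policy floor
    min_attesters: int = 2              # smallest colluding set allowed to pass a message


def attesters_needed(cfg: VerifierConfig) -> int:
    """Distinct verifiers that must sign (or be compromised) for a message to pass.

    A verifier named in both lists is counted once, as required.  Raises if the
    optional threshold can never be met (a liveness bug rather than a forgery risk).
    """
    required = set(cfg.required_dvns)
    optional = set(cfg.optional_dvns) - required
    if cfg.optional_threshold > len(optional):
        raise ValueError(
            f"optional threshold {cfg.optional_threshold} exceeds "
            f"{len(optional)} distinct optional verifier(s)")
    return len(required) + cfg.optional_threshold


def audit(cfg: VerifierConfig, policy: Policy = Policy()) -> List[str]:
    """Return human-readable findings; an empty list means the config meets policy."""
    findings: List[str] = []
    if (len(set(cfg.required_dvns)) != len(cfg.required_dvns)
            or len(set(cfg.optional_dvns)) != len(cfg.optional_dvns)):
        findings.append("duplicate verifier entries inflate the apparent verifier count")
    overlap = set(cfg.required_dvns) & set(cfg.optional_dvns)
    if overlap:
        findings.append(f"listed as both required and optional: {sorted(overlap)}")
    try:
        needed = attesters_needed(cfg)
    except ValueError as err:
        findings.append(f"unsatisfiable: {err}")
        return findings
    if needed == 0:
        findings.append("no verification: every message from this chain is accepted")
    elif needed < policy.min_attesters:
        findings.append(
            f"only {needed} verifier(s) can authorize any message; "
            f"policy requires at least {policy.min_attesters}")
    if cfg.confirmations < policy.min_confirmations:
        findings.append(
            f"confirmations={cfg.confirmations} is below the policy floor of "
            f"{policy.min_confirmations}; unfinalized source blocks may be trusted")
    return findings


def audit_all(configs: List[VerifierConfig], policy: Policy = Policy()) -> Dict[str, List[str]]:
    """Audit one config per source chain; keys are the source chains."""
    return {cfg.source_chain: audit(cfg, policy) for cfg in configs}


# Constructed sample configs for one destination: a weak one-verifier rule and a
# hardened rule needing two fixed verifiers plus one of two optional verifiers.
WEAK_CONFIG = VerifierConfig("source-chain-A", confirmations=1, required_dvns=["dvn-1"])
HARDENED_CONFIG = VerifierConfig(
    "source-chain-A", confirmations=20,
    required_dvns=["dvn-1", "dvn-2"], optional_dvns=["dvn-3", "dvn-4"], optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, attesters_needed(cfg), audit(cfg) or ["OK"])
```

The number worth tracking is `attesters_needed`: it is the size of the smallest set of verifiers whose keys, if compromised or colluding, forge any message on the destination chain. A config that audits clean on the code but returns 1 here is the failure mode this incident describes.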

KelpDAO and Aave are still working through recovery. Lazarus Group, meanwhile, has an estimated $292 million in assets to launder. Some things in crypto move faster than others.

---------------

Author: Ryan Gardner
Silicon Valley News Desk

North Korea Allegedly Drained $280 Million from Solana's Drift Protocol on April Fool's Day

Happy April Fool's Day... Your $280 Million Is Gone. Really. 

On April 1st, the Solana-based DeFi platform Drift Protocol had $280 million drained from its accounts in what blockchain security firm Elliptic says bears all the hallmarks of a North Korean state-backed operation. The attack was no prank - and for Drift's users, it was about as far from funny as it gets.

What made this one technically notable was the attack vector. Rather than a straightforward exploit or the social engineering tricks North Korean hackers are known for, the alleged attackers abused a Solana feature called a durable nonce. Ordinary Solana transactions reference a recent blockhash and expire within minutes once that blockhash ages out; a durable nonce lets a signed transaction stay valid until the nonce is consumed, however long that takes. According to reporting by Fortune, the attacker used this mechanism to dupe Drift's Security Council into pre-approving transactions that wouldn't execute until weeks later - effectively planting a time bomb inside the protocol's own administrative layer.
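To make the mechanism concrete, here is an added toy model in Python, not Drift's or Solana's code: a ledger that enforces the normal blockhash-expiry rule, the durable-nonce exception, and the nonce advance that happens on execution, plus a check a signer could run before approving anything. The roughly 150-slot window and the rule that a durable-nonce transaction begins with the System Program's AdvanceNonceAccount instruction are Solana's; the program, instruction and account names, the slot counts and the review check are assumptions.

```python
"""Toy model of Solana transaction expiry and the durable-nonce exception.

Added example, not Drift's or Solana's code.  Normal transactions name a recent
blockhash and die when it ages out of the validator's window (~150 slots); one whose
first instruction is the System Program's AdvanceNonceAccount carries a nonce
account's stored value instead and stays valid until that nonce advances on execution.
Program, instruction and account names and slot counts here are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCKHASH_VALIDITY_SLOTS = 150                                     # ~Solana's window
ADMIN_INSTRUCTIONS = {"SetAdmin", "AddSigner", "ChangeThreshold"}  # constructed names


def blockhash_for(slot: int) -> str:
    """Deterministic stand-in for a slot's blockhash (toy)."""
    return hashlib.sha256(f"slot-{slot}".encode()).hexdigest()[:16]


@dataclass
class Instruction:
    program: str
    name: str
    accounts: List[str]


@dataclass
class Transaction:
    recent_blockhash: str          # a live blockhash, or a nonce account's stored value
    instructions: List[Instruction]


def durable_nonce_account(tx: Transaction) -> Optional[str]:
    """Nonce account the tx relies on, if its first instruction advances a nonce."""
    if tx.instructions:
        first = tx.instructions[0]
        if first.program == "system" and first.name == "AdvanceNonceAccount":
            return first.accounts[0]
    return None


class Ledger:
    def __init__(self, slot: int = 0) -> None:
        self.slot = slot
        self.nonces: Dict[str, str] = {}   # nonce account -> stored nonce value
    def create_nonce_account(self, account: str) -> str:
        self.nonces[account] = blockhash_for(self.slot)
        return self.nonces[account]
    def validate(self, tx: Transaction) -> Tuple[bool, str]:
        acct = durable_nonce_account(tx)
        if acct is None:               # ordinary path: the blockhash must still be live
            oldest = max(0, self.slot - BLOCKHASH_VALIDITY_SLOTS)
            if tx.recent_blockhash in {blockhash_for(s) for s in range(oldest, self.slot + 1)}:
                return True, "recent blockhash"
            return False, "blockhash expired"
        if self.nonces.get(acct) != tx.recent_blockhash:
            return False, "nonce missing or already consumed"
        return True, "durable nonce"
    def execute(self, tx: Transaction) -> Tuple[bool, str]:
        ok, why = self.validate(tx)
        acct = durable_nonce_account(tx)
        if ok and acct is not None:    # execution advances the nonce: same bytes can't replay
            self.nonces[acct] = blockhash_for(self.slot)
        return ok, why


def review_before_signing(tx: Transaction) -> List[str]:
    """Check a council member could run before approving a tx (assumed practice)."""
    warnings: List[str] = []
    acct = durable_nonce_account(tx)
    if acct is not None:
        warnings.append(f"durable nonce via {acct}: this signature never expires and "
                        "can be submitted weeks later, until the nonce advances")
    warnings += [f"admin instruction {i.name} on {i.accounts}"
                 for i in tx.instructions if i.name in ADMIN_INSTRUCTIONS]
    return warnings


def demo() -> Dict[str, Tuple[bool, str]]:
    """Sign two transactions at slot 1000, then submit them weeks of slots later."""
    ledger = Ledger(slot=1_000)
    nonce_value = ledger.create_nonce_account("council-nonce")
    ordinary = Transaction(blockhash_for(ledger.slot),
                           [Instruction("drift", "Transfer", ["vault", "dest"])])
    durable = Transaction(nonce_value, [
        Instruction("system", "AdvanceNonceAccount", ["council-nonce", "council"]),
        Instruction("drift", "SetAdmin", ["security-council", "attacker"])])
    out = {"ordinary_now": ledger.validate(ordinary)}
    ledger.slot += 3_000_000           # weeks later, counted in slots (constructed figure)
    out["ordinary_later"] = ledger.validate(ordinary)
    out["durable_later"] = ledger.execute(durable)    # still valid: the nonce never aged out
    out["durable_replay"] = ledger.execute(durable)   # nonce advanced, so replay is refused
    return out


if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

The point the model makes is that nothing in the signature itself distinguishes the two cases; only the first instruction does. A signer who approves a payload without looking at whether it starts with AdvanceNonceAccount has no way of knowing whether the approval lapses in minutes or sits dormant until someone chooses to submit it.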

Drift confirmed the incident in a post on X, describing how "a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." The platform immediately suspended deposits and withdrawals for all users.

North Korea's Crypto Crime Streak Continues

Elliptic's attribution is consistent with a now well-established pattern. North Korea was responsible for roughly $2 billion in stolen crypto throughout 2025 - around 60% of all digital assets stolen globally that year, per blockchain analytics firm Chainalysis. The country's most brazen job was the alleged $1.5 billion hack of crypto exchange Bybit in early 2025, still the largest single crypto theft on record.

North Korean hackers typically rely on social engineering - building fake identities, infiltrating teams, and manipulating insiders into handing over credentials. The Drift attack represents something different: a patient, technically sophisticated exploit that weaponized the platform's own security infrastructure against it. The attacker didn't break down the door. They convinced someone inside to leave it unlocked.

Who Is Drift?

Drift Protocol was founded in 2021 by Cindy Leow and David Lu. It offers perpetual futures and other trading products on Solana, and had accumulated over $400 million in total deposits before the attack. That figure is now considerably different. The platform has not yet provided a detailed public timeline for resuming normal operations.

The Drift hack is a reminder that DeFi's security model - which relies on multisig councils, on-chain governance, and community-held administrative keys - is only as strong as the humans and processes behind it. A durable nonce isn't a bug; it's a feature. But features can be weaponized, and North Korea's alleged hackers appear to have studied Solana's mechanics carefully enough to do exactly that.

For the broader Solana ecosystem, the timing couldn't be worse. The network has spent the better part of two years positioning itself as the institutional-grade DeFi layer of choice. A $280 million heist - allegedly handed to a regime under international sanctions - is not a great look, regardless of which chain the exploit ran on.

---------------

Author: Cedric Holloway
New York Newsroom