$300M DeFi Disaster: How North Korea's Lazarus Group Exploited KelpDAO and Crashed Aave

Ellie Montgomery · April 20, 2026 · 3m

The DeFi sector is reeling from one of its most devastating exploits yet. In a highly coordinated attack, three major protocols—LayerZero, Aave, and KelpDAO—were compromised, resulting in approximately $300 million in damages. Security analysts have officially linked the attack to the infamous North Korean state-sponsored hacking syndicate, the Lazarus Group.

This monumental heist has reignited intense fears regarding the fragility of cross-chain infrastructure and the systemic risks within interconnected DeFi protocols.

The Exploit: Creating rsETH "Out of Thin Air"

The mechanics of the $293 million Kelp DAO hack expose a glaring architectural flaw. Analysts revealed that the Lazarus Group executed the attack by spoofing messages through compromised RPC nodes and a massive DDoS attack.

The core issue? KelpDAO relied on LayerZero to bridge its rsETH token between networks, but the setup featured a Single Point of Failure (a 1/1 DVN scheme). This meant a single node was responsible for validating all transactions. The hackers managed to deceive this node, forcing it to approve the withdrawal of rsETH tokens that were never actually deposited.

Armed with millions in "phantom" rsETH, the attackers moved to the next phase: bleeding Aave dry.

The Aave Contagion: A $6.6 Billion Wipeout

The attackers used a classic DeFi exploit monetization strategy:

1. They deposited the fabricated rsETH tokens as collateral into Aave.
2. Using this fake collateral, they borrowed the maximum possible amount of real ETH.

Aave was left holding an unsellable bag of phantom tokens, facing a potential bad debt of $300 million. The market reaction was swift and brutal. Panic ensued, leading to a massive bank run. Within 48 hours, Aave’s Total Value Locked (TVL) collapsed by $6.6 billion—a staggering 25% drop.

Consequently, rsETH markets on Aave have been frozen, and multiple other DeFi protocols have temporarily paused their bridges to prevent further contagion.

The Fallout: 3 Recovery Scenarios by DefiLlama

The founder of DefiLlama has outlined three potential paths forward for KelpDAO and the affected users:

Scenario 1: Socialized Loss. Every user takes an 18.5% hit. The total bad debt is ~$216M. Umbrella insurance would cover $55M, Aave’s treasury would absorb $85M, and the remaining $76M would need to be borrowed or covered by liquidating AAVE tokens.
Scenario 2: Abandoning L2 Users. KelpDAO abandons rsETH holders on Layer 2 networks. Aave would be saddled with $341M of unbacked debt, leaving the protocol to decide which markets it can afford to save.
Scenario 3: Pre-Hack Snapshot. Technically difficult due to post-attack asset movements. The hacker borrowed $124M on Mainnet and $18M on Arbitrum. If these specific funds can be recovered, the final net loss would be around $91M after Umbrella coverage.

Lazarus Group: The Crypto Industry's Apex Predator

This latest $300M exploit is just another day at the office for the Lazarus Group. The North Korean syndicate has been systematically draining the crypto industry, with an alarming track record:

Ronin Bridge Hack: $625 million
Bybit Exchange Hack: $1.5 billion
WazirX Hack: $235 million
Drift Protocol Exploit (Last Month): $285 million

The KelpDAO/Aave exploit highlights a terrifying reality of modern decentralized finance: when a single protocol accepts tokens bridged from dozens of different networks, a vulnerability in any one of those networks instantly becomes a catastrophic problem for everyone.

Grow your crypto with up to 20% APY

Just deposit, relax, and watch your balance increase — securelyStart Earning

The Exploit: Creating rsETH "Out of Thin Air"

Armed with millions in "phantom" rsETH, the attackers moved to the next phase: bleeding Aave dry.

The Aave Contagion: A $6.6 Billion Wipeout

The attackers used a classic DeFi exploit monetization strategy:

1. They deposited the fabricated rsETH tokens as collateral into Aave.
2. Using this fake collateral, they borrowed the maximum possible amount of real ETH.

Consequently, rsETH markets on Aave have been frozen, and multiple other DeFi protocols have temporarily paused their bridges to prevent further contagion.

The Fallout: 3 Recovery Scenarios by DefiLlama

The founder of DefiLlama has outlined three potential paths forward for KelpDAO and the affected users:

Scenario 1: Socialized Loss. Every user takes an 18.5% hit. The total bad debt is ~$216M. Umbrella insurance would cover $55M, Aave’s treasury would absorb $85M, and the remaining $76M would need to be borrowed or covered by liquidating AAVE tokens.

Scenario 2: Abandoning L2 Users. KelpDAO abandons rsETH holders on Layer 2 networks. Aave would be saddled with $341M of unbacked debt, leaving the protocol to decide which markets it can afford to save.

Scenario 3: Pre-Hack Snapshot. Technically difficult due to post-attack asset movements. The hacker borrowed $124M on Mainnet and $18M on Arbitrum. If these specific funds can be recovered, the final net loss would be around $91M after Umbrella coverage.

Lazarus Group: The Crypto Industry's Apex Predator

This latest $300M exploit is just another day at the office for the Lazarus Group. The North Korean syndicate has been systematically draining the crypto industry, with an alarming track record:

Ronin Bridge Hack: $625 million

Bybit Exchange Hack: $1.5 billion

WazirX Hack: $235 million

Drift Protocol Exploit (Last Month): $285 million