The Kelp DAO Hack: How North Korea Stole $292 Million from DeFi

Publication date: April 23, 2026

On the night of Saturday, April 18, a total of $292 million vanished from DeFi protocol Kelp DAO. This was not a traditional hack involving a stolen password, but a highly targeted assault on the infrastructure that links different blockchains. Current evidence points toward North Korea as the likely source. Moreover, the impact reaches far beyond Kelp DAO itself.


What does Kelp DAO actually do?

 

To understand what went wrong, it is important to first know what Kelp DAO does. The platform allows users to lock in their Ethereum, also known as "staking," to earn extra returns on it. This is done through a system called EigenLayer.


When you stake your Ethereum, in return you receive a digital "proof token" called rsETH. This token represents your deposited crypto and can be used again on other DeFi platforms to earn interest or take out loans, for example.

 

 







Because these tokens can be used on different blockchains, some sort of digital bridge is needed to move them around. Such a bridge ensures that information is sent securely from one blockchain to another. In this case, Kelp DAO used technology from LayerZero, a well-known player in this field.

 

 

Who is responsible for the hack?

After the attack, a debate immediately broke out over who was to blame. LayerZero published a report stating that Kelp DAO had deliberately chosen a less secure setup, despite earlier warnings.

Kelp DAO disagrees, stating that the very systems that were attacked were under the management of LayerZero. Thus, according to them, the responsibility does not lie with them.


Security experts take a more nuanced view. They point out that for years LayerZero itself offered settings and manuals that were less secure. As a result, the problem does not seem to lie with one party, but rather with how the entire system was set up.


How one hack hit the entire market

 

The stolen rsETH tokens were used almost immediately on Aave, one of the largest lending platforms in the crypto world. The attackers used these tokens as collateral to borrow large amounts of Ethereum.

The problem was that this collateral wasn't actually worth anything anymore. In fact, the real Ethereum was trapped in Kelp DAO's systems, which had been shut down after the hack.


This suddenly left Aave with about $190 million in loans with no real coverage. When this became known, users panicked and began withdrawing their money en masse. Within two days, the total assets on Aave dropped by nearly $9 billion. The value of the AAVE token also dropped by about 20 percent.


The problems were not limited to one platform. Other projects that used the same rsETH tokens, such as SparkLend and Fluid, temporarily shut down their systems. Big names like Ethena, Curve and Tron took extra precautions and paused parts of their systems.

The result was a chain reaction. In one day, the total value contained in DeFi platforms dropped from $99 billion to about $86 billion. So one attack caused a huge shock to the entire system.



North Korea as a suspect

 

According to LayerZero, the attack was likely carried out by the Lazarus Group, a well-known hacker group from North Korea. This group is known to target financial systems, especially in the crypto world.

Earlier this month, the same group reportedly stole $285 million from another platform called Drift. That attack was carried out in a very different way: by tricking employees in order to gain access to internal systems.


What is striking is that this group combines different techniques, sometimes working through people and other times through technology. In total, more than $575 million was stolen in a short period of time.


North Korea has been using this type of attack as a source of income for years. The money is said to be used, among other things, to circumvent international sanctions and to fund its nuclear weapons program.



What this means for ordinary investors

Although the hack is technically complicated, the implications are very real. Investors who owned rsETH now have temporary tokens that are not fully backed. People who had capital on Aave were sometimes unable to withdraw their balances immediately.

But the most important lesson goes beyond this particular hack. DeFi is often presented as a safe and transparent alternative to banks. Yet this shows that there are many dependencies in the technical structure behind the scenes.


If one component fails, it can have major consequences for the entire system. And that often happens in places where the average user has no visibility.


So you don't have to make a mistake yourself to be at risk. Sometimes the risk is in the connection between platforms that you don't even consciously use.

 

Conclusion

The hack at Kelp DAO is not just another incident. It shows that the threat in the crypto world is still there. It's no longer just about individual hackers, but about well-organized groups with a lot of resources and a long track record.

LayerZero has since announced stricter rules for the security of connected platforms. This is a step forward, but the underlying problem remains: security is still a choice in many cases, whereas it should actually be a requirement.

For investors, this means one thing: in addition to returns, it is increasingly important to understand where the risks are in the system.



Disclaimer: Investing involves risks. Our analysts are not financial advisors. Always consult an advisor when making financial decisions. The information and tips on this website are based on our analysts' own insights and experiences. They are therefore for educational purposes only.
