I was lucky I closed my ZRO position two weeks ago.
$292 million drained from KelpDAO in under 46 minutes. Not a smart contract bug. Not a rug. A state-sponsored cyberattack by North Korea's Lazarus Group, the same crew that took $285 million from Drift just 18 days earlier. Same unit, different method, same result: DeFi got rekt again.
The attack was surgical. They poisoned LayerZero's RPC nodes, DDoS-ed the backups to force failover onto the compromised servers, and tricked the bridge into releasing 116,500 rsETH to a wallet they controlled. By the time Kelp paused the protocol, the damage was done and the malicious software had already self-destructed, wiping every trace.
Then the dominoes fell. The attacker dumped rsETH as collateral on Aave to borrow ETH at scale. Bad debt appeared. $10 billion left Aave in hours. Curve, Ethena, Tron DAO, Lido all paused their LayerZero bridges. DeFi TVL went from $99 billion to $86 billion in a single day. A whale holding ZRO long on Hyperliquid got partially liquidated for $2.88 million and is still holding, bleeding.
$575 million stolen from DeFi in 18 days. Two attacks. Two completely different vectors. These guys are not slowing down. They are accelerating.
Now LayerZero and Kelp are pointing fingers at each other. LayerZero says Kelp ignored warnings to run multi-verifier redundancy. Kelp says the compromised infrastructure was LayerZero's own and that the single-verifier setup was the default they were onboarded with. Security researchers are siding with Kelp. It does not matter who wins the argument. $292 million is gone.
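The single-verifier versus multi-verifier argument, and the forced failover described earlier, can be modelled in a few lines. This is an added example, not code from LayerZero, Kelp or this post; the helper names, verifier names and digests are hypothetical, and it does not reproduce LayerZero's actual verification logic.

```python
import hashlib
from collections import Counter

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

# Constructed sample values: what the source chain recorded vs. what a
# poisoned RPC node reports to whoever asks it.
HONEST = digest(b"constructed: source-chain state as recorded")
FORGED = digest(b"constructed: state reported by poisoned RPC")

def failover_read(ordered_sources):
    """Weak pattern: trust the first source that answers.
    None models a source that is unreachable (e.g. under DDoS)."""
    for view in ordered_sources:
        if view is not None:
            return view
    return None

def verify_message(attestations, threshold):
    """Quorum pattern: release only if `threshold` independent verifiers
    attest to the same digest. Unreachable verifiers (None) never count
    as agreement, so losing sources makes the check fail closed."""
    n = len(attestations)
    # Strict majority, so two conflicting digests cannot both reach quorum.
    if not (1 <= threshold <= n) or threshold * 2 <= n:
        raise ValueError("threshold must be a strict majority of verifiers")
    votes = Counter(d for d in attestations.values() if d is not None)
    if not votes:
        return None
    top, count = votes.most_common(1)[0]
    return top if count >= threshold else None

if __name__ == "__main__":
    # Healthy sources knocked offline, compromised one still answering.
    print("failover:", failover_read([None, None, FORGED]) == FORGED)
    # One verifier, one poisoned source: the forged view is accepted.
    print("1-of-1:", verify_message({"v1": FORGED}, 1) == FORGED)
    # 2-of-3 with one poisoned source: the honest view wins.
    print("2-of-3:", verify_message(
        {"v1": FORGED, "v2": HONEST, "v3": HONEST}, 2) == HONEST)
    # 2-of-3 with the two honest verifiers offline: nothing is released.
    print("2-of-3 degraded:", verify_message(
        {"v1": FORGED, "v2": None, "v3": None}, 2) is None)
```

The quorum only helps if the verifiers read from independent infrastructure; three verifiers behind the same poisoned RPC provider behave like one.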
What scares me is not this specific exploit. It is the pattern. Lazarus is testing every layer of the stack. Governance. Infrastructure. RPCs. Social engineering. They are mapping DeFi's attack surface in real time, and they are clearly funded and patient enough to spend months preparing each hit.
The collateral damage is spreading well beyond bridge users. Aave LPs are sitting on uncertainty about bad debt that has not been fully quantified yet. GMX and dYdX traders are watching their collateral assets reprice in real time as ETH and restaked derivatives swing on panic selling. Jupiter perp users on Solana are exposed to the same dynamic every time a Solana-adjacent protocol gets hit, as we saw with Drift. Synthetix vaults holding diversified DeFi collateral absorb the volatility whether they want to or not. Pendle yield positions on rsETH are essentially worthless until the peg question is resolved. Anyone farming on Convex or Yearn with strategies touching Aave or Curve pools just had their yield assumptions repriced overnight.
If you are trading perps anywhere right now, you need to think about what happens the next time a bridge connected to a token in your book gets drained. The liquidation cascade is not theoretical anymore. We just watched it happen live.
There is going to be blood on the walls before this wave is over. The only question is whose.