Over $500 million stolen in just over two weeks through the Drift and Kelp exploits, in what experts describe as an organized state-sponsored campaign.
Lazarus Group, the hacker collective linked to North Korea, has once again struck the DeFi sector with an exploit targeting Kelp, a restaking protocol whose rsETH token moves between chains over LayerZero's cross-chain messaging infrastructure. The attack came less than three weeks after the compromise of Drift, the crypto trading platform, also attributed to North Korean hackers. Combined, the two incidents resulted in over $500 million stolen in just over two weeks.
The attack on Kelp did not require breaking any cryptography. The attackers fed the system a cross-chain message attesting to a transfer that never actually took place on the source chain, and the destination side accepted it because the message carried a valid signature. “The security failure is simple: a signed lie is still a lie,” said Alexander Urbelis, CISO and General Counsel of ENS Labs. “Signatures guarantee authorship, not truthfulness.” In essence, the system verified who sent the message – not whether the content was accurate.
A central element of the breach was a configuration choice. LayerZero lets each application decide which independent verifiers (it calls them DVNs) must attest to a message before it is delivered, and how many of them. Kelp relied on a single verifier to approve cross-chain messages, a faster and cheaper option but one in which compromising that one verifier is enough to get a forged message accepted. “This attack was not about cryptography,” explained David Schwed, COO of blockchain security firm SVRN. “It was about how the system was configured.” LayerZero subsequently recommended the use of multiple independent verifiers, similar to requiring multiple signatures on a bank transfer. Schwed, however, challenged this position: “If you’ve identified a configuration as unsafe, don’t make it an available option.”
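The following simulation, added here as an illustration and not code from LayerZero, Kelp or anyone quoted in this article, shows the two configurations side by side. Signature checking is deliberately correct in both cases; what changes is how many independent verifiers must attest. HMAC-SHA256 with a per-verifier key stands in for a real signature scheme, the ledger, verifier names (`dvn-A`, `dvn-B`, `dvn-C`) and transaction identifiers are constructed sample data, and the whole thing is a simplified model of the verification step, not LayerZero's actual protocol.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: what really happened on the source chain. A genuine
# cross-chain message must correspond to one of these entries (an asset that was
# actually locked or burned before the destination chain is allowed to release it).
SOURCE_CHAIN_LEDGER = {
    "0xsrc-tx-1": {"nonce": 1, "recipient": "0xalice", "amount": 10},
}


@dataclass(frozen=True)
class Message:
    """A cross-chain message claiming `amount` was locked for `recipient` in `src_tx`."""
    src_tx: str
    nonce: int
    recipient: str
    amount: int

    def payload(self) -> bytes:
        return json.dumps(asdict(self), sort_keys=True).encode()


class Verifier:
    """Stand-in for one independent verifier (a DVN in LayerZero terms).

    An honest verifier only attests after checking the message against the
    source-chain ledger. A compromised verifier signs whatever it is handed:
    its signature is still perfectly valid, it just attests to a lie.
    """

    def __init__(self, name: str, honest: bool = True):
        self.name = name
        self.honest = honest
        # Hypothetical key derivation; HMAC stands in for a real signature scheme.
        self.key = hashlib.sha256(f"key-for-{name}".encode()).digest()

    def attest(self, msg: Message) -> Optional[bytes]:
        if self.honest:
            actual = SOURCE_CHAIN_LEDGER.get(msg.src_tx)
            claimed = {"nonce": msg.nonce, "recipient": msg.recipient, "amount": msg.amount}
            if actual != claimed:
                return None  # refuse: the claimed source-chain event never happened
        return hmac.new(self.key, msg.payload(), hashlib.sha256).digest()


class DestinationEndpoint:
    """Delivers a message once `required` distinct configured verifiers have attested.

    Signature checks are correct in every configuration. That is the point:
    a valid signature proves who attested, not whether the message is true, so
    the only defence is to require several independent attesters.
    """

    def __init__(self, verifiers: List[Verifier], required: int):
        if not 1 <= required <= len(verifiers):
            raise ValueError("required must be between 1 and the number of verifiers")
        self.verifiers = {v.name: v for v in verifiers}
        self.required = required

    def accept(self, msg: Message, attestations: Dict[str, bytes]) -> bool:
        valid = 0
        for name, sig in attestations.items():
            v = self.verifiers.get(name)
            if v is None:
                continue  # signature from a verifier this app never configured
            expected = hmac.new(v.key, msg.payload(), hashlib.sha256).digest()
            if hmac.compare_digest(sig, expected):
                valid += 1
        return valid >= self.required


def collect(verifiers: List[Verifier], msg: Message) -> Dict[str, bytes]:
    """Ask every verifier for an attestation; honest ones may decline."""
    out = {}
    for v in verifiers:
        sig = v.attest(msg)
        if sig is not None:
            out[v.name] = sig
    return out


# A message asserting a lock that never happened: nothing in the ledger matches it.
FORGED = Message(src_tx="0xsrc-tx-999", nonce=2, recipient="0xattacker", amount=1_000_000)
GENUINE = Message(src_tx="0xsrc-tx-1", nonce=1, recipient="0xalice", amount=10)


def single_verifier_config() -> bool:
    """Weak setting: one verifier, one signature required. If it is compromised,
    the forged message is accepted and the destination releases assets backed by nothing."""
    compromised = Verifier("dvn-A", honest=False)
    endpoint = DestinationEndpoint([compromised], required=1)
    return endpoint.accept(FORGED, collect([compromised], FORGED))


def multi_verifier_config() -> Tuple[bool, bool]:
    """Corrected setting: three independent verifiers, two must agree. The same
    compromised verifier still signs the lie, but the honest ones decline, so the
    forgery falls short of the threshold while a genuine message still passes."""
    verifiers = [Verifier("dvn-A", honest=False), Verifier("dvn-B"), Verifier("dvn-C")]
    endpoint = DestinationEndpoint(verifiers, required=2)
    forged_accepted = endpoint.accept(FORGED, collect(verifiers, FORGED))
    genuine_accepted = endpoint.accept(GENUINE, collect(verifiers, GENUINE))
    return forged_accepted, genuine_accepted


if __name__ == "__main__":
    print("1-of-1, forged message accepted:", single_verifier_config())
    print("2-of-3, (forged, genuine) accepted:", multi_verifier_config())
```

The check a practitioner wants here is the threshold, not the signature code: `single_verifier_config()` returns `True` (the forgery goes through) while `multi_verifier_config()` returns `(False, True)`. Note that adding verifiers only helps if they are operated independently; three verifiers run by the same party, or three that all trust the same upstream data feed, collapse back to the single-verifier case.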
The consequences of the exploit were not limited to Kelp. Lending platforms such as Aave, which accepted rsETH as collateral, now face potentially significant losses. Aave’s report outlines two scenarios: approximately $123 million in losses if the damage is spread across all rsETH holders, or up to $230 million if confined to Layer 2s. Arbitrum has in the meantime frozen $71 million in ether linked to the exploit.
The evolution of the Lazarus Group’s strategy – from the social engineering used against exchanges such as Kraken to exploiting structural weaknesses in DeFi – indicates that the primary threat does not come from unknown vulnerabilities, but from those already known and not adequately addressed. As Schwed observes: “Security that depends on everyone reading the documentation and applying it correctly is not realistic.”