Kelp DAO Hack Attributed to Lazarus Group; eth.limo Domain Hijacked via Social Engineering

Gate News message, April 20 — LayerZero released preliminary findings on the Kelp DAO exploit that occurred on April 18, attributing the attack to a highly sophisticated state-backed threat actor, likely North Korea’s Lazarus Group subgroup known as TraderTraitor. The incident resulted in the loss of 116,500 rsETH tokens worth approximately $292 million, marking the largest DeFi exploit this year.

According to LayerZero’s investigation, attackers gained access to the list of RPC nodes used by LayerZero Labs’ decentralized verifier network (DVN), a system of independent entities responsible for validating cross-chain messages. Two nodes were poisoned to transmit a fraudulent message, while attackers simultaneously launched a distributed denial-of-service attack against uncompromised nodes. The forged message was accepted because Kelp DAO configured its bridge using a single 1-of-1 DVN setup with no secondary verifier to detect or reject the fraudulent transaction. LayerZero had previously advised Kelp DAO to diversify its DVN configuration. In response, LayerZero announced it will no longer sign messages for applications using 1/1 DVN configurations and is cooperating with law enforcement to track the stolen funds.

Separately, Ethereum Name Service gateway eth.limo disclosed that its domain hijacking on Friday, April 18, was caused by a social engineering attack targeting its service provider, easyDNS. An attacker impersonated an eth.limo team member and initiated an account recovery process, gaining access to the eth.limo account and modifying DNS settings to redirect traffic to Cloudflare-controlled infrastructure. The platform serves approximately two million decentralized websites using the .eth domain system. However, the Domain Name System Security Extension (DNSSEC) limited the damage by adding cryptographic verification to DNS records; because the attacker lacked the required signing keys, many DNS resolvers rejected the manipulated records, preventing malicious redirects. EasyDNS CEO Mark Jeftovic acknowledged the breach as the first successful social engineering attack against an easyDNS client in the company’s 28-year history and stated the company is implementing security improvements to prevent similar incidents.