North Korea's Lazarus Group linked to $290M Kelp DAO hack — ATTN.LIVE WEB3AI

North Korea’s Lazarus Group Crypto Hack Just Drained $290M From Kelp DAO

The Lazarus Group crypto hack on Kelp DAO is one of the most alarming DeFi security breaches of 2025, and the details emerging are as sophisticated as they are sobering. North Korea’s state-sponsored hacking collective — responsible for billions in stolen digital assets over the past decade — has once again demonstrated that no protocol is too large or too well-regarded to be a target. For anyone participating in decentralized finance, this event is a wake-up call that demands attention.

According to reporting by Wired, Lazarus Group has stolen upwards of $3 billion in cryptocurrency since its operations began targeting the crypto sector. Their methods have grown increasingly refined — blending social engineering, supply-chain infiltration, and smart contract exploitation into multi-layered attacks that are extremely difficult to detect in real time. The Kelp DAO incident follows that same playbook, with devastating results.

In this post, we break down exactly what happened, how the attack was structured, what it means for DeFi security, and — most importantly — what you can do to better protect your on-chain assets going forward.

What Is Kelp DAO and Why Was It Targeted?

Kelp DAO is a liquid restaking protocol built on top of Ethereum’s restaking ecosystem, allowing users to deposit assets like stETH and receive rsETH tokens in return. At its peak, the protocol held hundreds of millions of dollars in total value locked (TVL), making it a high-value target for sophisticated threat actors. The more liquidity a protocol holds, the more attractive it becomes to state-sponsored groups with the tools to exploit it.

Liquid restaking is a relatively new primitive in DeFi — it layers additional yield opportunities on top of already-staked Ethereum. That novelty means the codebase is often less battle-tested than older protocols, and edge cases in smart contract logic can go undetected through standard audits. Lazarus Group appears to have identified one such edge case and engineered an exploit around it.

The protocol had undergone audits, as most reputable DeFi projects do. But audits are snapshots in time — they cannot anticipate every future attack vector, especially when adversaries have nation-state resources and months to study a target. Understanding how DAOs are structured is essential context here; if you want a foundational primer, our guide on what a DAO is and how it works is a great starting point.

Pro Tip: Before depositing into any DeFi protocol, check whether it has undergone multiple independent audits — and read the audit reports yourself, not just the summary headlines.

Understanding how DAOs are governed is critical to evaluating their security posture. Read more:
What Is a DAO and How Does It Work?

How the Lazarus Group Crypto Hack Was Executed

Based on on-chain forensics shared by blockchain security researchers, the Lazarus Group crypto hack appears to have involved a combination of contract-level manipulation and compromised developer credentials. Investigators traced the initial breach to a vulnerability in how the protocol processed certain withdrawal and minting interactions — a flaw that allowed the attacker to mint far more rsETH tokens than their deposited collateral should have permitted.

Once the tokens were minted at a fraudulent ratio, the attacker rapidly converted them across multiple DEXs and bridges, fragmenting the trail across chains. This cross-chain obfuscation technique is a Lazarus hallmark — it exploits the lack of coordination between different blockchain networks’ monitoring systems to make the funds harder to freeze or track in real time.

By the time the protocol’s team and on-chain monitoring services flagged the anomalous activity, the majority of the funds had already moved through several hops. Blockchain analytics firms including Chainalysis were reportedly involved in tracing the fund flows, but recovery at this scale remains exceptionally difficult once assets cross enough bridges.

  • Initial exploit: smart contract vulnerability in rsETH minting logic
  • Fund movement: rapid DEX swaps across Ethereum and Layer 2 networks
  • Obfuscation: cross-chain bridges used to fragment transaction trails
  • Attribution: on-chain behavioral patterns consistent with prior Lazarus operations
  • Scale: approximately $290 million drained before the protocol was paused
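The property the minting flaw violated, as an added example (this is not Kelp DAO's code, and the unchecked path below is a constructed bug for illustration, not the actual flaw): a toy share-accounting vault in Python that mints receipt tokens only against a measured balance delta and checks a solvency post-condition after every mint. The `MockToken`, account names and amounts are all constructed.

```python
"""Toy liquid-restaking vault (constructed example, not Kelp DAO's contracts).

Receipt tokens ("shares", rsETH-like) must only ever be minted against
underlying assets the vault actually received. Two defences are shown:
  1. shares are computed from the measured balance delta, never a caller claim;
  2. a solvency post-condition runs after every mint.
"""


class InvariantViolation(Exception):
    """Raised when outstanding shares are no longer backed by vault assets."""


class MockToken:
    """Minimal stand-in for the deposited asset (e.g. stETH); balances in wei."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src}: insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Vault:
    VAULT = "vault"  # hypothetical account name for the vault's own token balance

    def __init__(self, token):
        self.token = token
        self.total_shares = 0
        self.shares = {}

    def total_assets(self):
        # Read from the token, not from an internal counter a caller could skew.
        return self.token.balance_of(self.VAULT)

    def convert_to_shares(self, assets):
        """Shares owed for `assets` at the current rate (ERC-4626-style, rounds down)."""
        if self.total_shares == 0:
            return assets  # first deposit: 1 share per asset unit
        if self.total_assets() == 0:
            raise InvariantViolation("shares outstanding but vault holds no assets")
        return assets * self.total_shares // self.total_assets()

    def is_backed(self):
        # Toy invariant: with no slashing, price per share never drops below 1,
        # so total_shares <= total_assets must hold after every state change.
        return self.total_shares <= self.total_assets()

    def _mint(self, user, amount):
        self.shares[user] = self.shares.get(user, 0) + amount
        self.total_shares += amount

    def deposit_unchecked(self, user, claimed_amount):
        """Constructed bug: mints against a caller-supplied amount with no transfer."""
        minted = self.convert_to_shares(claimed_amount)
        self._mint(user, minted)
        return minted

    def deposit(self, user, amount):
        """Hardened path: rate fixed before the transfer, mint sized by what arrived."""
        minted = self.convert_to_shares(amount)
        before = self.total_assets()
        self.token.transfer(user, self.VAULT, amount)
        received = self.total_assets() - before
        if received < amount:  # fee-on-transfer tokens or a mid-call drain show up here
            raise ValueError("received less than requested deposit")
        self._mint(user, minted)
        if not self.is_backed():
            raise InvariantViolation("mint would leave shares unbacked")
        return minted


def scenario():
    """Honest deposits keep the invariant; an unchecked mint breaks it."""
    token = MockToken({"alice": 100, "bob": 55})
    vault = Vault(token)
    a = vault.deposit("alice", 100)            # first deposit: 100 shares
    token.balances[Vault.VAULT] += 10          # simulated staking yield accrues to the vault
    b = vault.deposit("bob", 55)               # 55 * 100 // 110 = 50 shares
    backed_before = vault.is_backed()
    m = vault.deposit_unchecked("mallory", 1_000_000)  # nothing was transferred
    return {
        "alice_shares": a,
        "bob_shares": b,
        "backed_before_attack": backed_before,
        "mallory_shares": m,
        "backed_after_attack": vault.is_backed(),
        "total_shares": vault.total_shares,
        "total_assets": vault.total_assets(),
    }


if __name__ == "__main__":
    print(scenario())
```

The point of `is_backed` is that it is independent of how the over-mint happened: whether the root cause is a rounding error, a trusted-input bug or a bridged message, any path that leaves more shares outstanding than assets held trips the same post-condition, which is the kind of check an on-chain invariant or a monitoring bot should evaluate after every mint.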

Lazarus Group’s Escalating Threat to DeFi Protocols

This is not Lazarus Group’s first major DeFi strike — and it almost certainly will not be their last. The group previously executed the $625 million Ronin Network hack in 2022 and the $100 million Harmony Horizon Bridge exploit the same year. Each attack has demonstrated an evolution in their tactics, with growing sophistication in how they identify protocol vulnerabilities and launder stolen funds.

What makes Lazarus uniquely dangerous is the combination of resources and patience they bring to each operation. They are not opportunistic hackers scanning for quick wins — they are a state-funded team that studies protocols for months, maps out every potential attack surface, and strikes when timing is optimal. Standard bug bounty programs and reactive security measures are simply not calibrated for this level of adversary.

For everyday DeFi users, this reality changes the risk calculus significantly. Understanding how to stay safe in Web3 is no longer optional knowledge — it is foundational. Our guide on how to stay safe in Web3 covers the essential practices every participant should be applying right now.

Pro Tip: Diversify your DeFi exposure across multiple protocols rather than concentrating large positions in any single platform — even one with a strong audit history.

Protecting your assets in DeFi requires proactive security habits, not reactive ones. Read more:
How to Stay Safe in Web3

What the Kelp DAO Incident Reveals About DeFi Security Gaps

The $290 million Kelp DAO hack exposes several uncomfortable truths about the current state of DeFi security. First, audit completeness is not the same as audit sufficiency — a protocol can pass multiple security reviews and still contain logic vulnerabilities that nation-state actors are uniquely equipped to find. The auditing process needs to evolve alongside the complexity of the protocols being reviewed.

Second, incident response in DeFi is still far too slow. By the time a protocol team can confirm an exploit, coordinate a pause, and communicate with users, the damage is typically done. Real-time on-chain monitoring with automated circuit breakers — systems that can pause protocol functions when anomalous patterns are detected — needs to become standard infrastructure, not an afterthought.

Third, the cross-chain ecosystem’s fragmentation actively works against defenders. When an attacker can hop across Ethereum, Arbitrum, Optimism, and multiple bridges within minutes, the ability of any single team or analytics firm to intervene is severely limited. Industry-wide coordination and shared threat intelligence are not just desirable — they are necessary for the sector to mature responsibly.

  1. Mandate multiple independent security audits before launch and after major upgrades
  2. Implement automated real-time anomaly detection with protocol pause capabilities
  3. Establish cross-protocol threat intelligence sharing networks
  4. Create transparent incident response playbooks published to communities in advance
  5. Set TVL-based withdrawal limits as a smart contract-level safeguard
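The automated circuit breaker and TVL-based withdrawal limit from items 2 and 5 above, as an added example in Python (not any protocol's code; the window length, basis-point threshold and event stream are constructed): a sliding-window guard that rejects the withdrawal that would push the window's outflow past a fixed share of TVL and pauses further withdrawals until an operator intervenes.

```python
"""Sliding-window outflow circuit breaker (added example, not any protocol's code).

Feeds a stream of (timestamp, kind, amount) events through a guard that pauses
withdrawals once the outflow inside a time window would exceed a basis-point
share of the TVL the window started with. The event stream is constructed.
"""
from collections import deque


class CircuitBreaker:
    def __init__(self, tvl, window_s=600, max_outflow_bps=1_000):
        self.tvl = tvl                     # current total value locked
        self.window_s = window_s           # hypothetical: 10-minute window
        self.max_outflow_bps = max_outflow_bps  # hypothetical: 10% of TVL per window
        self.recent = deque()              # (ts, outflow) pairs still inside the window
        self.paused_at = None
        self.trip_outflow = None
        self.rejected = []

    def _evict(self, now):
        while self.recent and self.recent[0][0] <= now - self.window_s:
            self.recent.popleft()

    def process(self, ts, kind, amount):
        """Returns 'ok', 'paused' (this event tripped the breaker) or 'rejected'."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self._evict(ts)
        if kind == "deposit":
            self.tvl += amount
            return "ok"
        if kind != "withdraw":
            raise ValueError(f"unknown event kind {kind!r}")
        if self.paused_at is not None:
            self.rejected.append((ts, amount))
            return "rejected"
        if amount > self.tvl:
            raise ValueError("withdrawal exceeds TVL")
        prior_outflow = sum(a for _, a in self.recent)
        # TVL before this window's outflows left (deposits that arrived meanwhile
        # are included); the limit is measured against that, not the shrinking balance.
        reference_tvl = self.tvl + prior_outflow
        window_outflow = prior_outflow + amount
        if window_outflow * 10_000 > self.max_outflow_bps * reference_tvl:
            # Fire before the funds move: the tripping withdrawal itself is refused.
            self.paused_at = ts
            self.trip_outflow = window_outflow
            self.rejected.append((ts, amount))
            return "paused"
        self.tvl -= amount
        self.recent.append((ts, amount))
        return "ok"


# Constructed stream: quiet activity, then a burst of withdrawals.
SAMPLE_EVENTS = [
    (0, "withdraw", 20_000),
    (100, "deposit", 30_000),
    (300, "withdraw", 40_000),
    (700, "withdraw", 30_000),
    (720, "withdraw", 60_000),
    (730, "withdraw", 200_000),
]


def run(events, tvl, **kwargs):
    cb = CircuitBreaker(tvl, **kwargs)
    statuses = [cb.process(*event) for event in events]
    return cb, statuses


def demo():
    cb, statuses = run(SAMPLE_EVENTS, tvl=1_000_000)
    return {
        "statuses": statuses,
        "paused_at": cb.paused_at,
        "trip_outflow": cb.trip_outflow,
        "tvl": cb.tvl,
        "rejected": cb.rejected,
    }


if __name__ == "__main__":
    print(demo())
```

On-chain, the same check belongs in the withdraw path so the offending transaction reverts; off-chain, the same logic run by a monitoring bot over emitted events would submit the pause transaction. Either way the threshold should be set from historical outflow percentiles, since a limit that trips on ordinary market-stress redemptions will be disabled by operators long before an attacker shows up.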

What DeFi Participants Should Do Right Now

If you currently have assets in liquid restaking protocols or similarly complex DeFi products, this is the right moment to reassess your exposure. That does not mean panic-withdrawing from every platform — it means being intentional about the risk profile of each protocol you participate in. Ask whether it has real-time monitoring, a credible security team, and a clear track record of transparent communication.

Hardware wallets remain one of the most effective defenses against the credential-compromise vectors that often accompany these large-scale attacks. Even if a protocol itself is exploited, using a hardware wallet ensures that your private keys were never exposed — limiting attacker access to only what was inside the protocol, not your entire wallet. A hardware wallet does not, however, limit what an already-signed token approval lets a compromised contract spend, so review the allowances you have granted and revoke any that are stale or unlimited.

The broader DeFi landscape continues to grow rapidly, and with that growth comes both opportunity and expanded attack surface. For a grounded perspective on where decentralized finance is heading and how to participate wisely, our piece on the rise of DeFi and what it means for you offers useful framing for navigating this space with realistic expectations.

Frequently Asked Questions: Lazarus Group Crypto Hack

What is the Lazarus Group crypto hack on Kelp DAO?

The Lazarus Group crypto hack on Kelp DAO refers to a $290 million exploit of the Kelp DAO liquid restaking protocol in 2025, attributed to North Korea’s state-sponsored hacking group, Lazarus. The attackers exploited a vulnerability in the protocol’s rsETH token minting logic to drain funds before moving them across multiple blockchains to obscure the trail.

How does the Lazarus Group crypto hack compare to previous attacks?

Lazarus Group has been linked to some of the largest crypto thefts in history, including the $625 million Ronin Network hack and the $100 million Harmony Horizon Bridge exploit. The Kelp DAO incident fits the same pattern: exploiting novel protocol logic, rapid multi-chain fund movement, and sophisticated laundering techniques. Each successive attack shows an evolution in their capabilities.

How did Lazarus Group execute the Kelp DAO attack?

Investigators believe the attackers identified a flaw in how Kelp DAO’s smart contracts processed rsETH minting, allowing them to receive far more tokens than their deposited collateral warranted. They then rapidly converted those tokens across DEXs and bridged the funds across multiple blockchain networks to fragment the transaction trail and impede recovery efforts.

Can stolen funds from a Lazarus Group hack be recovered?

Recovery is extremely difficult once funds are moved through multiple cross-chain bridges and obfuscated via DEX swaps. Blockchain analytics firms like Chainalysis can trace fund flows, and in rare cases centralized exchanges have frozen wallets — but nation-state-level laundering operations are specifically designed to circumvent these measures. The majority of funds from past Lazarus attacks have not been recovered.

How can DeFi users protect themselves from attacks like the Lazarus Group crypto hack?

The most effective protections include using a hardware wallet to keep private keys offline, diversifying across multiple protocols rather than concentrating in one, researching a protocol’s audit history and security team before depositing, and staying alert to community communications during market anomalies. No single measure is foolproof, but layering these practices significantly reduces individual risk.

Is liquid restaking still safe after the Kelp DAO hack?

Liquid restaking as a category is not inherently unsafe, but the Kelp DAO incident highlights that newer, more complex protocols carry higher smart contract risk than established ones. If you participate in liquid restaking, research whether the specific protocol has undergone comprehensive audits, has an active security program, and maintains transparent communication with its community.

Conclusion: What the Lazarus Group Crypto Hack Teaches Us About DeFi’s Future

The Lazarus Group crypto hack on Kelp DAO is not just a story about $290 million lost — it is a signal that the DeFi sector’s security infrastructure has not yet caught up with the sophistication of its most capable adversaries. Nation-state-sponsored hacking groups are not going to slow down as the value locked in decentralized protocols continues to grow. The industry needs to respond with proportional urgency: better auditing, real-time monitoring, cross-protocol coordination, and genuine transparency with users.

For individual participants, the lesson is equally clear. Understanding the protocols you use, practicing basic on-chain hygiene, and staying informed about emerging threats are no longer optional activities — they are the baseline of responsible Web3 participation. The tools and knowledge to do this well are more accessible than ever.

We believe that a safer, more transparent Web3 ecosystem is achievable — and that the platforms and communities built on those values will be the ones that endure. Explore what we have built at attn.live.