Kelp DAO: $292M Bridge Exploit, $9B Panic Withdrawal, Circle Sued
Lazarus Group spoofed a LayerZero message and walked off with 18% of all rsETH. Aave triggered a $9B panic withdrawal. Circle got sued.

On April 18, 2026, Kelp DAO became the year's largest DeFi disaster. An attacker spoofed a single LayerZero message and walked off with 116,500 rsETH worth $292 million. That is roughly 18 percent of the entire circulating supply of the restaked Ethereum token. The exploit edged out the Drift Protocol heist by a few million and crowned 2026 the worst year for DeFi hacks since the Bybit bloodbath.
Kelp DAO operated as a liquid restaking protocol. Users deposited Ethereum staking derivatives like stETH or cbETH and received rsETH in return. The token earned EigenLayer restaking rewards while remaining liquid enough to use as collateral elsewhere in DeFi. The whole thesis depended on one assumption: the bridge holding the underlying ETH would never break.
It broke at 18:21 UTC. The attacker had funded a fresh wallet through Tornado Cash about ten hours before the strike. They then tricked LayerZero's EndpointV2 contract into believing a legitimate cross-chain instruction had arrived from another network. The fake message commanded Kelp's bridge to release 116,500 rsETH directly to the attacker's address. The bridge complied. Smart contract code did exactly what it was told.
The first transaction hit 1 minute and 48 seconds after the attack started. Full consolidation into the attacker's wallet took just under two hours. By the time Kelp's emergency team paused contracts protocol-wide, the money was already moving.
This is where it gets ugly. The attacker did not just sell the stolen rsETH. They used it as collateral. Across multiple DeFi platforms, mostly Aave, they borrowed approximately $236 million against tokens they knew were about to lose their peg. SparkLend and Fluid had exposure too.
Then the contagion hit. rsETH holders panicked. They tried to redeem into ETH. The peg started cracking. Aave lenders, watching collateral evaporate, raced for the exits. The Aave insurance fund held somewhere between $80 million and $100 million. The exposure was nearly $200 million. The math did not work.
What followed was a $9 billion panic withdrawal across Aave, SparkLend, and Fluid combined. Stablecoin lenders could not get their funds out. Stablecoin interest rates on DeFi platforms spiked to roughly 10 percent overnight as supply collapsed and demand surged. The pattern matched the Cream Finance contagion of 2021 and the Curve Finance scare of 2023, but bigger.
Arbitrum tried to play hero. The Layer 2's Security Council exercised emergency powers and froze 30,766 ETH worth roughly $71 million linked to the exploit. About four hours after the freeze, the hacker started moving the unfrozen funds on Ethereum mainnet. Then Arbitrum's DAO voted to unfreeze the rest. A US court blocked them. The 30,766 ETH had been linked to North Korea, and a federal judge was not about to let a DAO vote release funds bound for the DPRK.
TRM Labs confirmed the attribution. Lazarus Group. Same hackers behind the Bybit heist. Same hackers behind Drift two weeks earlier. With Kelp and Drift combined, North Korea now accounted for 76 percent of all 2026 hack losses through April, from just two attacks worth $577 million. The hermit kingdom was running the global crypto crime budget.
The laundering was textbook DPRK. About $175 million of the unfrozen total was swapped to Bitcoin, mostly through THORChain, the same cross-chain liquidity protocol with no KYC that processed the vast majority of the Bybit proceeds in 2025. Umbra, an Ethereum privacy tool, scrambled the wallet linkages. BitTorrent moved fragments. The trail was deliberately messy. According to TRM, Chinese intermediaries handled most of the actual cleanup, not the North Koreans themselves.
Then the lawsuits started. Circle, the issuer of USDC, got hit with a class-action lawsuit for failing to freeze stolen USDC during the bridging window. Same complaint as Drift. Same window of corporate inaction during US business hours. Same selective enforcement. ZachXBT had pointed it out during Drift. Now it was happening again, and the lawyers had received the message.
The collateral damage spread fast. Aave, SparkLend, and Fluid froze rsETH markets across more than 20 chains where Kelp had bridged liquidity. The cross-chain float that had been the protocol's selling point became the protocol's nightmare. Users on Layer 2s and sidechains suddenly had no idea whether their rsETH was backed by anything real.
Vercel, the web infrastructure provider that hosts dozens of crypto frontends, disclosed a security breach the same weekend. Customer API keys may have been exposed. Solana DEX Orca rotated all deployment credentials as a precaution. Whether the two events were connected remained unclear, but the timing made every DeFi team in the world rotate keys at 3 AM.
As of May 2026, the $292 million remains largely unrecovered. The 30,766 ETH frozen by Arbitrum sits in legal limbo while courts argue over jurisdiction. The bulk of the laundered funds have already converted to Bitcoin and moved beyond reach. The class action against Circle is in early discovery. Kelp DAO is technically operational but rsETH still trades below peg on multiple chains. The liquid restaking thesis, the hot DeFi narrative of 2024 and 2025, took a wound it has not recovered from.
Lazarus Group is now $577 million richer in 2026 alone. Two heists. Same playbook. Same enabler. The DPRK has stolen over $6 billion in attributed crypto incidents since 2017. The Kelp DAO hack tells you exactly how much that number will keep growing.
The Aftermath
The $292M is largely unrecovered as of May 2026. The 30,766 ETH frozen by Arbitrum sits in legal limbo after a US court blocked the DAO from unfreezing it. Roughly $175M was bridged to Bitcoin via THORChain and moved beyond reach. Circle faces a class-action lawsuit. rsETH still trades below peg on multiple chains. The liquid restaking narrative is on life support. Aave, Spark, and Fluid kept rsETH markets frozen weeks after the hack.