Illustration=Chosun DB

The North Korean hacker group Lazarus has been identified as being behind a virtual asset hacking incident worth several hundred million dollars. The incident is the largest cryptocurrency theft so far this year.

On the 20th (local time), infrastructure firm LayerZero said in a statement that the attack appeared to be the work of a "likely state-sponsored actor, the North Korean Lazarus Group." In particular, it pointed to "TraderTraitor," known as a subunit of Lazarus, as a prime suspect.

Foreign media including Bloomberg also reported that the Lazarus group attacked "KelpDAO" and stole about $292 million (about 430 billion won). KelpDAO is a decentralized finance (DeFi) project on Ethereum (ETH) that allows users to deposit virtual assets to earn staking revenue while using a liquidity token called "rsETH" in the meantime.

The hack targeted the remote procedure call (RPC) infrastructure. RPC infrastructure is the pathway that users must go through on a blockchain to check or send assets, serving a role similar to a bank counter.

The hackers appear to have infiltrated some servers of LayerZero, a system that connects multiple blockchains, and swapped legitimate programs with fake ones. They then attempted a distributed denial-of-service (DDoS) attack to cripple the legitimate servers, funneling user requests to servers controlled by the hackers. As a result, the system recognized forged transactions as legitimate, leading to a large outflow of assets.

KelpDAO is currently working with major exchanges and stablecoin issuers to prevent further damage. However, the hackers are known to have already concealed the stolen funds through a mixer service, often called a black hole for money laundering. Experts say that in this case, full recovery of the funds is effectively unlikely.

The incident has drawn criticism that the security design itself was inadequate. Systems handling large sums typically use multi-signature verification, in which multiple validators perform the check. But KelpDAO kept a single-validator structure for operational convenience.
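The difference between a single-validator check and a multi-validator quorum can be shown with a short sketch. This is an added example, not code from LayerZero or KelpDAO: the validator names, keys and payloads are constructed, and HMAC stands in for real validator signatures so the example needs only the standard library.

```python
import hashlib
import hmac

# Constructed validator keys; HMAC is a stand-in for real signatures (assumption).
VALIDATOR_KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}

def attest(validator_id, observed_payload):
    """A validator signs the digest of the payload its own RPC source reported."""
    digest = hashlib.sha256(observed_payload).digest()
    tag = hmac.new(VALIDATOR_KEYS[validator_id], digest, hashlib.sha256).hexdigest()
    return {"validator": validator_id, "digest": digest.hex(), "tag": tag}

def verify_message(payload, attestations, allowed, threshold):
    """Accept payload only if `threshold` distinct allowed validators attested to it."""
    want = hashlib.sha256(payload).digest()
    agreeing = set()  # a set, so a repeated attestation counts once
    for att in attestations:
        vid = att["validator"]
        if vid not in allowed or vid not in VALIDATOR_KEYS:
            continue
        expected = hmac.new(VALIDATOR_KEYS[vid], want, hashlib.sha256).hexdigest()
        if att["digest"] == want.hex() and hmac.compare_digest(att["tag"], expected):
            agreeing.add(vid)
    return len(agreeing) >= threshold

def demo():
    genuine = b"release 1 rsETH to 0xAAA"        # constructed: true source-chain record
    forged = b"release 100000 rsETH to 0xBAD"    # constructed: what a tampered RPC reports
    # v1 reads from the tampered RPC source; v2 and v3 read from honest ones.
    atts = [attest("v1", forged), attest("v2", genuine), attest("v3", genuine)]
    everyone = {"v1", "v2", "v3"}
    return {
        "single_forged": verify_message(forged, atts[:1], {"v1"}, 1),
        "quorum_forged": verify_message(forged, atts, everyone, 2),
        "quorum_genuine": verify_message(genuine, atts, everyone, 2),
        "duplicate_votes": verify_message(forged, [atts[0], atts[0]], everyone, 2),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

With one validator, whatever its data source reports is accepted; with a 2-of-3 quorum, the validator fed forged data is outvoted, provided the validators do not share the same RPC source.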

North Korea's virtual asset hacking is increasing every year. According to blockchain analytics firm Chainalysis, the virtual assets siphoned off by North Korean hackers were about $660 million in 2023, about $1.34 billion in 2024, and about $2.02 billion last year, bringing cumulative losses to a staggering $6.75 billion (about 10 trillion won). The stolen funds are believed to be used for regime maintenance and nuclear development.
