TechFlow reports that on May 20, LayerZero Labs released its incident report regarding the KelpDAO attack, confirming that KelpDAO’s rsETH cross-chain bridge—built atop LayerZero’s cross-chain communication protocol—was compromised, resulting in the theft of approximately 116,500 rsETH (valued at roughly $292 million). Multiple security firms—including Mandiant and CrowdStrike—as well as independent researchers, attributed the attack to the North Korea–linked hacker group TraderTraitor (UNC4899). According to the report, the attack began on March 6, 2026, when attackers used social engineering to compromise a LayerZero developer account, obtain session keys, and infiltrate the RPC cloud environment. They subsequently poisoned internal RPC node data and manipulated response outputs to deceive both monitoring systems and the decentralized verification network (DVN).
LayerZero Labs has officially announced updates to its security strategy, including prohibiting its own DVN from acting as the sole signer in any single-verification configuration. Additionally, the company will rebuild the affected cloud infrastructure and implement short-lived credentials, just-in-time privilege escalation, and multi-party approval mechanisms to strengthen security.
