North Korean Hackers Use LayerZero in $293M Kelp DAO Theft
North Korea stole $293m in crypto. Then it used a victim's products to launder the proceeds
DL News

Key Point
North Korean hackers stole $293 million from Kelp DAO by compromising an application built on LayerZero. The compromised application accepted a fake message that instructed it to release the funds to the attackers. The attackers then used LayerZero again to move part of the stolen funds across blockchains, making this the first documented case in which the same app was used for both the exploit and part of the laundering route. Onchain records show at least $500,000 moved through LayerZero. Arbitrum’s Security Council took back about $71 million that North Korean operatives had sent to the blockchain.
Why it matters: When attackers can exploit a bridge-connected application and then reuse the same routing stack to move funds, confidence in cross-chain infrastructure may weaken and pressure for tighter controls may rise.
Market Sentiment
Bearish, Stress-on, Event-driven, De-risking.
Reason: A $293 million theft tied to North Korean hackers points to operational weakness in bridge-connected infrastructure and may keep users cautious.
Similar Past Cases
A similar pattern appeared in the Ronin bridge exploit. That attack drained about $625 million, and the bridge reopened three months later after audits, with users made whole (CoinDesk). The difference is that the current case also used the same interoperability stack as part of the laundering route (coindesk.com).
Ripple Effect
Bridge-connected applications may face tighter internal controls because the weak point can sit in the operating layer, not only in smart contract code. If more bridges start blocking identified wallets or slowing routes after this theft, then cross-chain liquidity could become more fragmented. That fragmentation could raise friction for users and push activity toward systems seen as easier to secure.
Opportunities & Risks
Opportunities: If bridge operators expand wallet blocking or recovery steps after this theft, then stabilization in affected ecosystems can be a potential re-entry signal for cross-chain risk appetite. Watching whether Arbitrum-style recovery actions spread can help separate containment from ongoing leakage.
Risks: If more projects disclose operational weaknesses around bridge-connected apps or more laundering routes stay open, then reducing exposure to protocols that rely heavily on cross-chain messaging can limit downside from another confidence shock. Watching whether LayerZero-related controls tighten further is a practical stress check.
This content is an AI-generated summary/analysis for informational purposes only and does not constitute investment advice.