Svmuu reports that LayerZero Labs has released a recent incident report stating that on April 18, 2026, the KelpDAO rsETH cross-chain bridge, built on its cross-chain communication protocol, suffered an attack resulting in the theft of approximately 116,500 rsETH (around $292 million). Multiple security organizations, including Mandiant, CrowdStrike, and independent researchers, have attributed this attack to the North Korea-linked hacker group TraderTraitor (UNC4899).
According to the report, the attack began on March 6, 2026. The attackers compromised a LayerZero developer account through social engineering, obtained session keys, and penetrated the RPC cloud environment. They further contaminated internal RPC node data and manipulated the returned results to deceive monitoring systems and the Decentralized Verification Network (DVN). Subsequently, the attackers launched a denial-of-service attack against external RPC providers, forcing the verification system to rely on the compromised nodes to generate forged cross-chain proofs, thereby successfully extracting the funds.
LayerZero pointed out that the core vulnerability of this incident lay in the affected application adopting a "single-verifier" configuration. This allowed the target contract to execute asset releases upon receiving only a single valid signature, leading to the theft of rsETH.
Following the incident, LayerZero Labs announced an adjustment to security policies. This includes no longer allowing its own DVN to act as the sole signer in a single-verifier configuration, rebuilding the affected cloud infrastructure, and introducing short-term credentials, instant permission upgrades, and multi-party approval mechanisms to enhance security. Additionally, zeroShadow and law enforcement agencies have initiated investigations and asset tracing. LayerZero stated it will continue to collaborate with ecosystem partners to strengthen the cross-chain security framework to address increasingly sophisticated nation-state attack threats.