LayerZero Labs KelpDAO Incident Report
May 18, 2026
Executive Summary
On April 18, 2026, the KelpDAO rsETH bridge, built on the LayerZero crosschain messaging
protocol, was attacked, resulting in the loss of 116,500 rsETH (approximately $292 million).
Mandiant, CrowdStrike, and independent security researchers all attribute the attack to
the DPRK threat actor TraderTraitor, also known as UNC4899.
The breach began on March 6, 2026, when an attacker socially engineered a LayerZero
Labs developer to harvest session keys, pivot into LayerZero's RPC cloud environment, and
poison internal RPC nodes. RPC (Remote Procedure Call) nodes are servers that respond
to queries about blockchain state. The attacker patched the running RPC memory with a
program that returned correct responses to the LayerZero monitoring tools and tampered
RPC responses to the LayerZero Labs DVN (Decentralized Verifier Networks). To further
facilitate the attack, the attacker executed a Denial of Service (DoS) attack against an
external RPC provider, forcing the LayerZero Labs DVN signing service to rely exclusively
on two compromised …
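The failure mode in the summary, a signer that keeps working after its only independent RPC source is knocked offline, can be closed with a fail-closed quorum rule. The sketch below is an added example, not LayerZero's code and not part of the report; the `RpcAnswer` type, the `decide` function, the thresholds, and all endpoint names and hash values are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RpcAnswer:
    provider: str          # endpoint label (constructed for this example)
    operator: str          # who runs the node: "internal" or an external vendor
    value: Optional[str]   # state the node reported; None means no response

def decide(answers, min_operators=2, min_agree=3):
    """Return ("sign", value) or ("refuse", reason); every doubt refuses."""
    live = [a for a in answers if a.value is not None]
    # Nodes run by one operator share one blast radius, so count operators,
    # not endpoints. Losing the external source must stop signing.
    if len({a.operator for a in live}) < min_operators:
        return ("refuse", "operator diversity lost")
    counts = Counter(a.value for a in live)
    if len(counts) > 1:
        return ("refuse", "providers disagree")
    value, agree = counts.most_common(1)[0]
    if agree < min_agree:
        return ("refuse", "too few responses")
    return ("sign", value)

# Constructed scenarios (hypothetical hashes and endpoint names).
HEALTHY = [RpcAnswer("int-1", "internal", "0xaaa"),
           RpcAnswer("int-2", "internal", "0xaaa"),
           RpcAnswer("ext-1", "vendor-a", "0xaaa")]
EXTERNAL_DOWN = [RpcAnswer("int-1", "internal", "0xbbb"),
                 RpcAnswer("int-2", "internal", "0xbbb"),
                 RpcAnswer("ext-1", "vendor-a", None)]
SPLIT_VIEW = [RpcAnswer("int-1", "internal", "0xbbb"),
              RpcAnswer("int-2", "internal", "0xbbb"),
              RpcAnswer("ext-1", "vendor-a", "0xaaa")]

if __name__ == "__main__":
    for name, case in [("healthy", HEALTHY), ("external down", EXTERNAL_DOWN),
                       ("split view", SPLIT_VIEW)]:
        print(name, decide(case))
```

With this rule, an outage at the external provider turns into a paused signer and an alert rather than a silent fallback to nodes that share one operator.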
IoC