Aave Hit by $6bn Outflows After North Korea-Linked $292mn Kelp Hack

20 April 2026 - 09:47 CEST
North Korea hackers drain Kelp of $292mn

Users pulled nearly $6bn from Aave over the weekend after North Korea-linked hackers reportedly drained roughly $292mn from the Kelp restaking platform in what ranks as one of the largest DeFi exploits of 2026 so far.

Kelp DAO operates as a liquid restaking platform that issues rsETH, or restaked Ether. This token allows users to earn higher yields on their staked Ether by adding extra layers of staking, such as through EigenLayer. On 18 Apr, the platform lost about 116,500 rsETH – roughly 18% of the token’s total supply – when attackers stole the tokens through a LayerZero-powered bridge. The thieves then used the stolen rsETH as collateral on Aave to borrow wrapped Ether, known as wETH, creating bad debt estimated between $177mn and $196mn.

Aave, the largest decentralized finance lending protocol, saw its total value locked (TVL) drop sharply from around $26bn to roughly $20bn as depositors spooked by contagion fears withdrew funds. The AAVE token fell nearly 20%, trading near $92 as of early 20 Apr. The protocol paused rsETH-related markets on its V3 and V4 deployments while stressing that its core contracts were not directly compromised.

How the exploit unfolded

Attackers targeted two remote procedure call nodes – special servers that allow applications to communicate with blockchains – used by LayerZero’s verifier. They also launched a distributed denial-of-service attack, or DDoS, to force a failover. This allowed them to send a fraudulent cross-chain message that tricked Kelp into releasing unbacked rsETH.

Kelp relies on LayerZero for verifying transactions and moving assets across more than 20 networks. Bridges are the infrastructure that enables data and asset transfers between different blockchains. Messaging layers such as LayerZero act as traffic controllers for these transfers. LayerZero has noted that the exploit succeeded partly because of Kelp’s single-verifier configuration, despite earlier recommendations to implement a stronger multi-verifier setup. Kelp immediately paused contracts, deposits, withdrawals and oracle functions – systems that provide external data to smart contracts – and is working with LayerZero, Unichain, auditors and external security teams.
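The difference between a single-verifier and a multi-verifier setup can be shown with a small model. The following is an added illustration, not code from Kelp or LayerZero: the verifier names, keys, messages and the 2-of-3 threshold are constructed, and HMAC stands in for real verifier signatures.

```python
import hashlib
import hmac

# Constructed demo keys for three hypothetical verifiers; HMAC stands in for signatures.
KEYS = {"v1": b"demo-key-1", "v2": b"demo-key-2", "v3": b"demo-key-3"}

def digest(msg):
    """Canonical hash of a cross-chain message (fields sorted so order cannot vary)."""
    canon = "|".join(f"{k}={msg[k]}" for k in sorted(msg))
    return hashlib.sha256(canon.encode()).digest()

def attest(verifier, msg):
    return hmac.new(KEYS[verifier], digest(msg), hashlib.sha256).digest()

def collect(msg, views):
    """Each verifier attests only if the message appears in its own view of the source chain."""
    return {v: attest(v, msg) for v, seen in views.items() if digest(msg) in seen}

def accept(msg, attestations, required, threshold):
    """Accept only when `threshold` distinct required verifiers vouch for this exact message."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and len(required)")
    valid = {name for name, tag in attestations.items()
             if name in required and hmac.compare_digest(tag, attest(name, msg))}
    return len(valid) >= threshold

def demo():
    # Constructed messages: one that really exists on the source chain, one that does not.
    real = {"src": "chain-a", "dst": "chain-b", "nonce": 41, "amount": 10, "to": "0xALICE"}
    forged = {"src": "chain-a", "dst": "chain-b", "nonce": 42, "amount": 100000, "to": "0xMALLORY"}
    honest = {digest(real)}
    # v1's data source has been tampered with, so it also "sees" the forged message.
    views = {"v1": honest | {digest(forged)}, "v2": honest, "v3": honest}
    all_three = {"v1", "v2", "v3"}
    return {
        "single_forged": accept(forged, collect(forged, views), {"v1"}, 1),
        "quorum_forged": accept(forged, collect(forged, views), all_three, 2),
        "quorum_real": accept(real, collect(real, views), all_three, 2),
    }

if __name__ == "__main__":
    print(demo())
```

With one required verifier, the forged message is accepted as soon as that verifier's view is wrong; with a 2-of-3 quorum it is rejected while the genuine message still passes.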

North Korean group strikes again

Blockchain analysts and LayerZero have attributed the attack with high confidence to TraderTraitor, a subunit of the North Korea-backed Lazarus Group. The operation’s tactics – including infrastructure compromise rather than direct smart contract exploits – match the group’s established playbook.

This follows a similarly sized incident on 1 Apr, when the Solana-based perpetuals protocol Drift lost about $285mn in an attack also linked to North Korean hackers via social engineering and privileged access. The two operations have extracted more than $575mn from DeFi platforms in under three weeks.

Impact on DeFi confidence

The rapid outflows and bad debt have shaken sentiment toward restaking strategies and cross-chain infrastructure. Users are concerned about potential cascading liquidations – forced sales of collateral when loans become undercollateralized – elevated borrowing costs and frozen yields across interconnected products.

Restaking protocols like Kelp build on base assets such as staked Ether to generate extra returns through layered staking. While Aave founder Stani Kulechov noted that rsETH held limited borrowing power in certain deployments, the speed of the liquidity flight highlighted systemic interdependencies in modern decentralized finance yield products.

Market participants are closely watching for further liquidations, potential Aave governance actions and any recovery or compensation initiatives from Kelp. The episode highlights persistent challenges in bridge security, messaging protocol dependencies and scaling decentralized finance without single points of failure.