Crypto World
$290M Kelp DAO Breach Tied to Lazarus Group and Weak Bridge Security
Key Takeaways
- Approximately $290–293 million was stolen from Kelp DAO following a sophisticated attack on RPC nodes connected to LayerZero’s verification system
- Kelp DAO allegedly disregarded LayerZero’s security recommendations to implement multiple verifiers, operating with only one verifier
- Preliminary evidence points to North Korea’s Lazarus Group as the perpetrators behind this security breach
- Nine DeFi platforms, most notably Aave, experienced cascading damage, with Aave’s total value locked declining by $6 billion
- Moving forward, LayerZero has declared it will refuse to support applications operating with single-verifier configurations
In what represents one of 2026’s most significant decentralized finance security breaches, Kelp DAO suffered losses totaling approximately $290–293 million during a weekend attack. LayerZero, the cross-chain messaging protocol utilized in the incident, has attributed the vulnerability to Kelp’s infrastructure decisions.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
The breach focused on Kelp’s rsETH token transfer mechanism across different blockchain networks. Operating with a single-verifier architecture meant only one authority needed to validate cross-chain transfers. According to LayerZero, the company had explicitly cautioned Kelp about this configuration and urged adoption of multiple independent verification sources.
LayerZero: KelpDAO Loses ~$290M in Exploit, Attributed to DPRK’s Lazarus Group
LayerZero reported that on April 18, 2026, KelpDAO suffered an exploit resulting in losses of approximately $290M, preliminarily attributed to DPRK’s Lazarus Group (TraderTraitor). The attack poisoned… pic.twitter.com/mfhQRaC2p9
— Wu Blockchain (@WuBlockchain) April 20, 2026
The hackers infiltrated two remote procedure call nodes—specialized servers enabling software to interact with blockchain data. These legitimate nodes were replaced with compromised versions that delivered fraudulent information to LayerZero’s verification system while maintaining normal appearances to other infrastructure components.
Since LayerZero’s verification process also consulted legitimate external nodes, the attackers launched a distributed denial-of-service campaign to disable those systems. This tactic redirected network traffic through the compromised infrastructure during a 80-minute window from 10:20 a.m. to 11:40 a.m. Pacific Time on Saturday.
When the failover mechanism activated, the malicious nodes transmitted confirmation of a legitimate transaction to the verifier. Kelp’s bridge protocol subsequently released 116,500 rsETH to the attackers’ wallets. The hostile software then eliminated itself, erasing all forensic evidence from the affected servers.
Cascading Impact Throughout DeFi Ecosystem
The stolen rsETH tokens were deployed as collateral across various lending platforms, enabling the attackers to withdraw genuine assets. Aave, the dominant decentralized lending platform, absorbed the most substantial damage.
Aave found itself holding illiquid rsETH collateral while valuable assets such as ETH had already been extracted through borrowing mechanisms. Aave’s native token plummeted approximately 15% within a 24-hour period, while the protocol experienced roughly $6 billion in withdrawals as participants scrambled to remove their funds.
No fewer than nine DeFi applications experienced damage, including Fluid, Compound Finance, SparkLend, and Euler. Cybersecurity firm Cyvers characterized the incident as a “cross-protocol contagion event” extending far beyond a single platform vulnerability.
With preliminary confidence, LayerZero has connected this attack to North Korea’s Lazarus Group, specifically its TraderTraitor division. This same organization was implicated in the $285 million Drift Protocol breach on April 1, indicating Lazarus has extracted over $575 million from decentralized finance within an 18-day period using two distinct attack methodologies.
Security Protocol Adjustments
LayerZero reports no evidence of vulnerability spreading to applications operating with multi-verifier architectures. The company has restored its verification service and announced a permanent policy refusing to process messages for any application utilizing single-verifier configurations.
Curve Finance founder Michael Egorov emphasized that this breach demonstrates the inherent risks of relying on solitary transaction verification sources. He additionally cautioned against utilizing cross-chain infrastructure unless operationally essential.
According to Ledger CTO Charles Guillemet, 2026 will “most likely be the worst year in terms of hacks.” Cryptocurrency-related security breach losses have already surpassed $482 million during Q1 2026.
Kelp has remained silent regarding LayerZero’s version of events and has not addressed why the protocol continued operating with a single-verifier architecture despite receiving explicit security warnings.
Traditional banks could see their market dominance challenged by the rise of stablecoins and tokenized real-world assets as these digital currencies move beyond their current niche uses.
Summary
- Moody’s Investors Service suggests that the disruption risk for the banking sector remains limited at this stage because current U.S. rules prevent stablecoins from paying yield.
- The growth of tokenized real-world assets and stablecoins could eventually place pressure on traditional banks by causing deposit outflows and reducing their overall lending capacity.
Moody’s Investors Service Digital Economy Group associate vice president Abhi Srivastava told crypto media that stablecoin use remains “limited” for now, even though the sector’s market capitalization climbed past $300 billion by the end of last year.
While the role of these assets in cross-border commerce and on-chain finance is expanding, the existing US payment landscape is currently fast and trusted enough to keep disruption at bay.
Srivastava observed that “for the banking sector, at this stage, disruption risk appears limited,” largely because US rules prevent stablecoins from paying yield to holders.
According to him, domestic deposits are unlikely to be replaced at scale while these yield restrictions remain in place. However, long-term growth in stablecoins and tokenized RWAs—physical or financial assets represented by blockchain tokens—could eventually trigger deposit outflows.
Such a trend would reduce the lending capacity of traditional banks by placing “pressure” on their core business models, he added.
Legislative gridlock over yield and oversight
Regulatory policy regarding stablecoins has turned into a major point of contention between the crypto industry and the banking sector. The primary concern centers on yield-bearing stablecoins, which banks fear will directly compete for their customers.
This specific issue has become a major stumbling block for the Digital Asset Market Clarity Act of 2025, or the CLARITY Act.
The Digital Asset Market Clarity Act of 2025, or the CLARITY Act, has hit a wall in Congress as lawmakers struggle to balance the interests of the crypto industry with those of the bank lobby. The framework was designed to set clear rules for asset classification and regulatory oversight, but it stalled after major players like Coinbase voiced opposition to specific provisions.
The ban on yield-bearing stablecoins and a lack of legal safeguards for open-source developers remain the primary points of contention.
Banks have lobbied heavily against allowing stablecoins to offer interest, fearing such a move would trigger massive deposit outflows and sap their ability to provide loans. Srivastava warned that over time, the growth of tokenized RWAs—physical assets represented on a blockchain—could place significant “pressure” on traditional financial institutions.
Senator Thom Tillis of North Carolina recently signaled plans to introduce a compromise draft to bridge the gap between crypto firms and traditional banks. However, this updated proposal has already faced resistance and remains unreleased to the public.
Spot Bitcoin (BTC) and Ethereum (ETH) exchange-traded funds (ETFs) drew $1.27 billion in combined net inflows during the week ending April 17. This marked their strongest week since mid-January.
Across the five major spot crypto ETF products, total weekly inflows reached roughly $1.37 billion, including XRP, Solana, and Chainlink funds, a near 40% jump from the prior week.
Crypto ETF Flows Rebound After Q1 Drawdown
Bitcoin ETFs pulled in $996.38 million, while Ethereum ETFs added $275.83 million, according to SoSoValue data. Both marked the largest weekly inflows since the week of January 16.
The rebound comes after a difficult first quarter. BTC ETF assets fell nearly 35% from their $128 billion mid-January high to $83.40 billion by February 27.
In addition, ETH ETF assets dropped 46% over the same period. Now, the inflow surge has pushed total Bitcoin ETF net assets back above $100 billion.
Moreover, the move extends a third straight week of positive BTC ETF flows and a second for Ethereum products.
Follow us on X to get the latest news as it happens
The recovery was not isolated to the two largest assets. XRP ETFs took in $55.39 million, nearly matching their 2026’s peak week in mid-January. Solana funds drew $35.17 million, reversing three consecutive weeks of outflows, while Chainlink ETFs added $5.30 million.
This marked the largest inflow outside its December launch week. Notably, LINK ETFs have not recorded a single week of net outflows.
Inflows picked up on the back of easing expectations around US–Iran tensions, but the backdrop remains fragile. Sentiment could come under renewed pressure after US naval forces fired on and seized an Iranian cargo ship in the Gulf of Oman, marking a clear escalation in the conflict.
At the same time, uncertainty surrounding Iran’s participation in the upcoming talks in Islamabad has added to market caution. Geopolitical developments, including the trajectory of negotiations and potential retaliation risks, are likely to remain a key driver of market sentiment in the near term.
Subscribe to our YouTube channel to watch leaders and journalists provide expert insights
The post Crypto ETFs Haul $1.37 Billion in Biggest Week Since January 2026, Altcoins Join Rally appeared first on BeInCrypto.
Three altcoins are entering next week with fresh bullish setups on their daily charts. DeXe (DEXE) leads with a 63.8% weekly gain, while Ethena (ENA) and MemeCore (M) show technical breakouts that suggest follow-through upside.
Each chart shows a distinct setup. DEXE has cleared a key Fibonacci retracement with strong momentum, ENA has broken a multi-month downtrend line, and M is riding an exponential support curve above a confirmed breakout zone.
Altcoin to Watch: DeXe Leads the Week With a 64% Rally
DeXe (DEXE) is the strongest performer on this watchlist, up 63.8% over the last seven days. Nearly 10% of that gain came in the last two sessions, with price trading at $15.85 and sitting directly on the 0.618 Fibonacci retracement at $15.61.
The coin has already cleared the $12.50 to $13 resistance zone, a level flagged in prior DeXe coverage. That area now acts as the first support if buyers step back.
The next major target on the upside is the 0.786 retracement at $19.39. Above that level, the chart shows a final target at the 1.0 retracement near $24.20, which would mark a full recovery to the February 2025 high.
Moving Average Convergence Divergence (MACD) remains elevated and positively sloped, which continues to support momentum. However, the Relative Strength Index (RSI) has reached the upper band and is showing the first hints of bearish divergence, a shift that could signal cooling ahead.
Volume has been declining across the advance, a typical sign that the move lacks fresh participation. The uptrend could stall if new buyers do not step in at higher prices.
If momentum reverses, the first downside target is $13. The second support sits at $10.31, which is the 0.382 Fibonacci retracement and the line that would define a deeper correction.
Ethena Breaks a Multi-Month Downtrend Line
Ethena (ENA) has gained 27.1% over the past week, the second-strongest performer on this list. Price trades near $0.1162 after a short-term pullback on the day, yet the weekly structure remains constructive.
Three days ago, the price pushed above a descending trend line. That line had guided the full move from the November 11 high at $0.3603 into the April 5 low at $0.0765.
The Fibonacci retracement anchored from those two points places the first resistance at $0.1435, which is the 0.236 level. Price is consolidating just below that zone, which is marked in red on the chart.
A confirmed close above $0.1435 would open the 0.382 retracement at $0.1849 and the 0.5 retracement at $0.2184. The 0.618 retracement at $0.2519 remains the primary target for a larger breakout. That level would represent a 116% gain from current prices (green).
Volume has been rising on bullish candles, signaling stronger buyer participation. RSI has climbed out of oversold without reaching overbought, which leaves room for further upside. Other altcoins have shown similar recovery setups heading into April.
The final bullish target sits at $0.3603, the breakdown zone from November. That path is ambitious, yet the chart no longer prints fresh lower lows, and the break of the trend line is the first structural shift in months.
MemeCore Holds Breakout Support After a 24% Weekly Gain
MemeCore (M) posted a 24.2% gain over the last seven days, rounding out this week’s three altcoins. The token broke out of a multi-month resistance zone on April 16 and has since converted that zone into support.
That resistance had capped gains since September 17, 2025. It now sits between $2.80 and $3.00 on the daily chart, and a retest on April 19 confirmed the area as support.
An exponential curve drawn on the chart (black) continues to track the price from below. A break of that curve would be the first clear sign that the trend structure has shifted.
The most recent pullback tagged the 0.5 Fibonacci retracement, which sits inside the same support band. A deeper correction would shift attention to the 0.618 retracement near $2.54, the last defense for the bullish thesis. Prior MemeCore coverage tracked a similar breakout attempt earlier this cycle.
RSI shows no bearish divergence, and MACD remains constructive. Volume has been trending lower even as price extends, a divergence that suggests the rally needs fresh buyers to sustain the current pace.
The post 3 Altcoins to Watch in the 4th Week of April 2026 appeared first on BeInCrypto.
Key Takeaways
- A security breach affecting KelpDAO’s rsETH product on April 20 created cascading effects throughout Solana’s DeFi infrastructure
- Stablecoin lending platforms across the network have experienced dramatic spikes in utilization metrics
- Jupiter Lend currently shows 99% utilization with only $81 million remaining from its $421 million USDC reserves
- Both Kamino and Marginfi face severe liquidity constraints as borrowing rates exceed 8%
- The available capital for lending across Solana’s ecosystem has reached critically low levels
A security incident targeting KelpDAO’s rsETH infrastructure on April 20, 2026, has triggered widespread disruption across the Solana blockchain’s decentralized finance landscape.
The repercussions materialized quickly. Capital started evacuating from DeFi applications, creating a squeeze on stablecoin availability throughout Solana’s lending infrastructure. Multiple prominent platforms now operate with minimal reserves remaining.
Jupiter Lend faces particularly acute pressure. The protocol manages $421 million in total USDC deposits, of which $340 million has been distributed to borrowers. When factoring in mandatory reserve requirements, the platform operates at approximately 99% capacity. Current annual percentage yields for lenders stand at 4.36%.
Kamino Prime Market experiences similar stress conditions. Data indicates total USDC deposits of roughly $186.8 million against outstanding loans of $178.8 million. This configuration produces utilization approaching 96%, while lending yields have climbed to 8.92%.
Kamino’s Main Market exhibits comparable dynamics. The platform holds approximately $172 million in USDC deposits supporting $164 million in active loans. Utilization metrics hover around 95.75%, with lending returns reaching 10.2%.
Secondary Platforms Experience Significant Pressure
Marginfi data reveals USDC lending utilization at 88.32%, accompanied by lending yields of 7.65%. Save Finance, the rebranded iteration of Solend, has witnessed utilization climb beyond 70%, with corresponding lending rates at 3.9%.
These metrics demonstrate that liquidity stress extends well beyond flagship platforms. The pressure has permeated Solana’s entire lending infrastructure.
Elevated utilization percentages indicate extremely limited USDC availability for new borrowers. Users requiring access to capital face restricted options alongside escalating costs.
The constricted market conditions have additionally impacted derivative markets tracking Solana’s token valuation. Prediction markets estimating Solana above $150 during the April 13–19 window show only 0.4% probability on the affirmative side. These markets lack actual USDC trading volume, undermining their credibility as price signals.
Market Data Reveals Investor Sentiment
For April 16, certain prediction markets price Solana exceeding $100 at 100% certainty. However, with zero verifiable transaction volume supporting this figure, the indicator provides minimal analytical value.
Affirmative position shares betting on Solana reaching $150 by mid-April trade at merely 0.4 cents while offering $1 payouts upon correct resolution. This potential 250x multiplier underscores profound market doubt regarding imminent price appreciation.
The liquidity impact stemming from the KelpDAO security incident remains unresolved. Borrowing costs continue their upward trajectory as utilization persists at heightened levels throughout Solana’s primary lending protocols.
As of April 20, Kamino’s Main Market lending yield of 10.2% represents the peak rate documented among impacted platforms.
Strategy co-founder Michael Saylor has hinted at another large Bitcoin purchase, just a week after the company disclosed that it bought around $1 billion of Bitcoin in the second week of April.
Strategy disclosed last Monday that it acquired 13,927 Bitcoin for $1 billion between April 6 and 12, at an average price of $71,902 per coin, posting “Think ₿igger” the day before the filing.
However, Saylor posted “Think Even ₿igger” on X on Sunday along with a chart of Strategy’s purchase history, something he has historically done to hint at another purchase announcement.
It comes just days after the Bitcoin treasury company proposed to increase the frequency of dividend payments to stockholders in the hopes of stabilizing the price and growing demand.
In a video presentation to shareholders shared by Saylor on Friday, Strategy CEO Phong Le said the company hopes to pay dividends twice a month — on the 15th and again at the end of each month — for a total of 24 a year at the current rate of 11.5%.
“What do we think this will do, it should stabilize the price, dampen cyclicality, drive further liquidity and grow demand,” Le said.
A preliminary proxy filing was sent to the US Securities and Exchange Commission on Friday. The definitive proxy filing is expected on April 28, when voting opens to approve or reject the measure. Voting closes on June 8 at the annual shareholder meeting, with the new schedule expected to start mid-July if approved.
Strategy is proposing to pay semi-monthly dividends on $STRC, instead of monthly. No change to the annual dividend obligations or dividend rate. These proposed changes are intended to stabilize price, dampen cyclicality, drive liquidity, and grow demand. pic.twitter.com/jHFRaDz6oP
— Michael Saylor (@saylor) April 17, 2026
Demand plunging after dividend dates, said Le
Le said one of the main reasons for the proposed change was to address a drop in demand after investors were no longer eligible for the upcoming dividend, which cooled buying activity and slowed the pace of new share sales.
“If we were to move forward with paying STRC to semi-monthly, we would be in category 1, the only preferred in the world that pays semi-monthly dividends. We think this is unique and this is attractive,” he added.
The company went through dozens of iterations before settling on the semi-monthly schedule and had considered weekly and even daily dividend record dates. The NASDAQ stock exchange, which lists Strategy’s stock, follows industry rules requiring a minimum gap of ten days between the record date and the payment date, according to Le.
Related: Strategy’s Michael Saylor signals impending Bitcoin purchase
Strategy has the largest Bitcoin (BTC) stash among publicly traded companies with 780,897 coins, worth $58.2 billion, according to Bitbo. It’s also one of the most frequent buyers with regular weekly purchases.
The company’s stock (MSTR) jumped 11.8% on Friday to $166.52. It’s still down more than 47% over the past year, according to Google Finance.
Strategy’s Bitcoin buying comes despite the company sitting on significant unrealized losses on its holdings. Earlier this month, Strategy reported in its first-quarter financial results that its unrealized losses on digital assets amounted to $14.46 billion.
Gold price extended losses below $4,800 before the bulls appeared. WTI Crude oil prices are rising and could climb further higher toward $92.00.
Important Takeaways for Gold and WTI Crude Oil Prices Analysis Today
· Gold price failed to clear $4,900 and declined steadily against the US Dollar.
· There is a key bearish trend line forming with resistance at $4,815 on the hourly chart of gold at FXOpen.
· WTI Crude oil prices are moving higher above the $85.00 pivot zone.
· There is a connecting bearish trend line forming with resistance at $89.10 on the hourly chart of XTI/USD at FXOpen.
Gold Price Technical Analysis
On the hourly chart of Gold at FXOpen, the price failed to settle above $4,900 and reacted to the downside, as discussed in the previous analysis. The price traded below $4,850 and $4,800 to enter a short-term bearish zone.
There was a sharp drop below $4,750. The price settled below the 50-hour simple moving average, and RSI dipped below 40. Finally, it tested the $4,700 zone. A low was formed at $4,699, and the price is now correcting some losses.
Immediate hurdle on the upside is $4,815 or the 50% Fib retracement level of the downward move from the $4,889 swing high to the $4,699 low. There is also a key bearish trend line forming with resistance at $4,815.
The first major barrier for the bulls could be $4,830 and the 61.8% Fib retracement. A close above $4,830 could initiate a recovery wave to $4,855. An upside break above $4,855 could send Gold price toward $4,890. Any more gains may perhaps set the pace for an increase toward $5,000.
If there is no fresh increase, the price could continue to move down. Initial support on the downside is near the $4,770 level. The first key area of interest might be $4,700. If there is a downside break below $4,700, the price might decline further. In the stated case, the price might drop to $4,500.
WTI Crude Oil Price Technical Analysis
On the hourly chart of WTI Crude Oil at FXOpen, the price started a fresh increase from $79.00 against the US Dollar. The price gained bullish momentum after it broke $84.00.
There was a sustained upward movement above $84.50 and $85.00. The bulls pushed the price above the 50-hour simple moving average, and the RSI climbed toward 60. A high was formed near $89.08 before there was a minor pullback. The price declined below the 23.6% Fib retracement level of the upward move from the $78.96 swing low to the $89.08 high.
However, the bulls are active above $85.00. Immediate resistance is near a connecting bearish trend line at $89.10. If the price climbs further, it could face hurdles near $90.25.
The next major stop for the bulls might be $91.90. Any more gain might send the price toward $95.00. Conversely, the price might correct gains and test the 50% Fib retracement at $84.00. The next area of interest on the WTI crude oil chart could be $81.35.
If there is a downside break, the price might decline to $80.00. Any more losses may perhaps open the doors for a move toward $75.00.
Start trading commodity CFDs with tight spreads (additional fees may apply). Open your trading account now or learn more about trading commodity CFDs with FXOpen.
This article represents the opinion of the Companies operating under the FXOpen brand only. It is not to be construed as an offer, solicitation, or recommendation with respect to products and services provided by the Companies operating under the FXOpen brand, nor is it to be considered financial advice.
Strategy co-founder Michael Saylor is signaling another massive Bitcoin acquisition, coming on the heels of a $1 billion purchase finalized earlier this month.
Summary
- Strategy is currently sitting on the world’s largest corporate Bitcoin treasury with 780,897 coins valued at over $58 billion.
- Michael Saylor hinted at a new multi-billion-dollar Bitcoin acquisition via social media just days after the company confirmed a $1 billion purchase.
According to a Sunday post on X, Saylor shared a chart of the company’s historical buying patterns alongside the caption “Think Even ₿igger.”
The latest post follows a regulatory filing last Monday, where Strategy disclosed it had picked up 13,927 Bitcoin between April 6 and 12, which cost the company $1 billion at an average price of $71,902 per token.
Strategy currently holds the largest Bitcoin treasury of any publicly traded firm, with a total stash of 780,897 coins valued at roughly $58.2 billion.
Dividend overhaul to boost liquidity
Strategy CEO Phong Le detailed a new proposal on Friday to move the company toward a semi-monthly dividend schedule. The plan, shared in a shareholder video presentation, suggests paying out dividends on the 15th and at the end of every month.
By increasing the frequency to 24 payments a year at the current 11.5% rate, the company hopes to attract more consistent buying interest.
“What do we think this will do, it should stabilize the price, dampen cyclicality, drive further liquidity and grow demand,” Le said.
The CEO noted that the current structure often causes a drop-off in activity once investors are no longer eligible for the next scheduled payout. By switching to a semi-monthly model, the company would become the only preferred stock in the world with such a frequent distribution.
“If we were to move forward with paying STRC to semi-monthly, we would be in category 1, the only preferred in the world that pays semi-monthly dividends. We think this is unique and this is attractive,” Le added.
The proposal comes while the company manages significant paper losses. First-quarter financial results showed unrealized losses on digital assets totaling $14.46 billion. Despite these figures, investors reacted positively to the dividend news and the prospect of more Bitcoin buys, sending MSTR stock up 11.8% to $166.52 on Friday.
A preliminary proxy filing is already with the SEC, and a definitive version is expected by April 28. If shareholders approve the measure at the annual meeting on June 8, the new payment cycle will begin in mid-July. Currently, Nasdaq rules require Strategy to maintain a 10-day window between the record date and the actual payment.
Vercel, a cloud hosting provider popular among crypto projects, has confirmed that it suffered a security breach that allowed hackers to make off with a “limited” subset of customer credentials.
Vercel said in a blog post on Sunday that it “identified a security incident that involved unauthorized access to certain internal Vercel systems” and was investigating the breach.
“Initially we identified a limited subset of customers whose Vercel credentials were compromised,” it added. “We reached out to that subset and recommended an immediate rotation of credentials.”
Vercel’s confirmation came after multiple X users reported that a post on the hacking forum BreachForums by a user called “ShinyHunters” claimed to be offering Vercel’s data in exchange for $2 million.
The poster claimed to have access keys, source code, database information and employee accounts with access to internal deployments, which they said could be used for a “global supply chain attack.”
Vercel did not address the post’s claims, but said the attacker was “highly sophisticated based on their operational velocity and detailed understanding of Vercel’s systems.”
Third-party AI tool compromised to carry out hack
Vercel CEO Guillermo Rauch said on Sunday that the attack originated after a Vercel employee was compromised via a breach of an artificial intelligence tool they used called Context.ai.
The attacker was then able to compromise the Vercel employee’s Google Workspace account, allowing them access to some of Vercel’s internal systems.
Rauch said the company stores customer environments with full encryption, but it has the capability to designate variables as “non-sensitive,” and the attacker “got further access through their enumeration.”
Related: Aave’s TVL tanks $8B a day after $293M Kelp DAO hack
“We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI,” he added. “They moved with surprising velocity and in-depth understanding of Vercel.”
Rauch said that Vercel had “deployed extensive protection measures and monitoring” and it had analyzed its supply chain to ensure “Next.js, Turbopack, and our many open source projects remain safe for our community.”
“My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature,” he added.
Magazine: Meet the onchain crypto detectives fighting crime better than the cops
EasyDNS has confirmed that a security failure within its own systems allowed a social engineering attacker to briefly seize control of eth.limo, a primary gateway for the Ethereum Name Service.
Summary
- An attacker impersonated an eth.limo team member to bypass account recovery protocols at easyDNS and gain control of domain settings.
- DNSSEC safeguards prevented the redirection of users to malicious sites by rejecting forged responses that lacked valid cryptographic signatures.
- EasyDNS is migrating the service to Domainsure to eliminate account recovery vulnerabilities and prevent future social engineering breaches.
The incident occurred on Friday when an attacker successfully impersonated an eth.limo team member to initiate an account recovery process, gaining the authority to modify name server records and redirect the domain to Cloudflare.
The eth.limo team, in a post-mortem published Saturday, stated that they immediately notified the community and prominent figures like Ethereum co-founder Vitalik Buterin once the DNS hijack was identified.
Serving as a bridge for roughly 2 million decentralized websites, eth.limo is a high-stakes target because a successful compromise could allow hackers to divert users to malicious pages. Buterin himself issued an urgent warning on Friday, advising his readers to avoid his blog until the team could restore secure operations.
Security extensions prevent widespread impact
EasyDNS CEO Mark Jeftovic noted that the presence of Domain Name System Security Extension (DNSSEC) played a critical role in stopping the attacker from causing further damage.
Because the hacker lacked the necessary cryptographic signing keys, modern DNS-aware resolvers rejected the forged responses, resulting in users seeing error messages rather than being funneled to phishing sites.
“We screwed up and we own it,” Jeftovic stated on Saturday, acknowledging that this was the first successful social engineering breach in the provider’s 28-year history.
The eth.limo developers highlighted in their own report that these safeguards likely reduced the “blast radius” of the hijack. While the service was disrupted, the team is currently unaware of any confirmed user impact or fund losses.
Jeftovic added that eth.limo is now being migrated to Domainsure, an enterprise-grade platform that does not offer a manual account recovery mechanism, effectively closing the loophole exploited in this attack.
The latest incident is one of the many recent infrastructure attacks hitting the crypto sector. Only days earlier, on April 14, the decentralized exchange aggregator CoW Swap lost control of its domain for several hours following a similar social engineering attack against the .fi registry, leading to an estimated loss of $1.2 million from affected users.
LayerZero says preliminary indicators point to North Korea’s Lazarus Group, specifically the TraderTraitor subgroup, as the likely actor behind the KelpDAO exploit on April 18, 2026.
The theft now ranks as the largest decentralized finance (DeFi) loss of 2026. It overtakes the $285 million Drift Protocol breach from April 1, which investigators also tied to state-backed North Korean actors.
North Korea Suspected in The Biggest Crypto Loss of 2026
In a post on X (formerly Twitter), LayerZero outlined the mechanics of the incident, describing it as a “highly sophisticated attack.”
“On April 18, 2026, LayerZero Labs’ DVN became the target of a highly sophisticated attack, likely attributable to the Lazarus Group, more specifically TraderTraitor.” the post read. “The attack was specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions. It was not done through an exploit to the protocol, DVN, key management, or other means.”
The attribution aligns with a broader trend of increasingly complex cyber operations tied to North Korean actors. Earlier this month, Drift Protocol (DRIFT) revealed that its $285 million exploit on April 1 followed a six-month campaign also linked to state-backed entities.
US authorities have previously connected the same group to major incidents, including the $1.5 billion Bybit hack in February 2025. Data from Chainalysis further highlights the scale of the threat.
The firm revealed that North Korea-linked hackers stole a record $2.02 billion from crypto platforms in 2025, a 51% increase year-over-year, largely driven by the Bybit breach.
Follow us on X to get the latest news as it happens
Market Fallout Spreads Across DeFi
Trust across the DeFi sector has taken a visible hit since the breach. Lookonchain reported that Aave’s total value locked (TVL) fell to $17.947 billion, shedding $8.45 billion over the prior two days.
However, DeFi-wide exposure proved larger. Combined TVL across all chains slid from $99.497 billion to $86.286 billion, a $13.21 billion decline.
Aave’s native token AAVE dropped 3.84% in the past 24 hours after losing roughly 20% on Sunday. BeInCrypto highlighted that whales offloaded more than $6 million in tokens after the KelpDAO exploit.
The post LayerZero Ties KelpDAO Exploit to Lazarus Subgroup TraderTraitor appeared first on BeInCrypto.
Bayern Munich continue their dominance of the Bundesliga, claiming their 35th title
Unpacking LIV Golf’s wild week and uncertain future
Palantir posts mini-manifesto denouncing inclusivity and ‘regressive’ cultures
Why Israel is blocking foreign journalists from entering
Bitcoin: We’re Entering The Most Dangerous Phase
Alan Cumming Brands Baftas Ceremony A ‘Triggering S**tshow’
Financial Advisor Warns: 7 Money Lies You Still Believe (That’s Keeping You Broke In 2026!)
GOLD AND CRYPTO LIVE TRADING || 18 APRIL || Bitcoin Live Trading | Crypto Market Analysis |
THE TWO MOST IMPORTANT BITCOIN TRADE SETUPS FOR THIS WEEK
-
Crypto World7 days agoThe SEC Conditionalises DeFi Platforms to Be Avoided for Broker Registration
-
NewsBeat6 days agoTrump and Pope Leo: Behind their disagreement over Iran war
-
Fashion3 days agoWeekend Open Thread: Theodora Dress
-
Crypto World6 days agoSEC Signals Exemption for Crypto Interfaces From Broker Registration
-
News Videos5 days agoSecure crypto trading starts with an FIU-registered
-
Sports3 days agoNWFL Suspends Two Players Over Post-Match Clash in Ado-Ekiti
-
Crypto World6 days agoSEC Proposes Certain Crypto Interfaces Don’t Need to Register as Brokers
-
Business18 hours agoPowerball Result April 18, 2026: No Jackpot Winner in Powerball Draw: $75 Million Rolls Over
-
Crypto World2 days agoRussia Pushes Bill to Criminalize Unregistered Crypto Services
-
Politics2 days agoPalestine barred from entering Canada for FIFA Congress
-
Sports7 days agoNWFL opens Pathway for new Clubs ahead of 2026 Season
-
Business3 days agoCreo Medical agree sale of its manufacturing operation
-
Entertainment6 days agoBrand New Day’ Footage Reveals the Devastating Impact of ‘Now Way Home’
-
Politics22 hours agoZack Polanski demands ‘council homes not luxury flats for foreign investors’
-
Tech5 days agoMicrosoft adds Windows protections for malicious Remote Desktop files
-
Entertainment6 days agoKarol G’s ‘Ultra Raunchy’ Coachella Set Gave ‘Satanic Vibes’
-
Sports7 days agoAaron Judge says Yankees need to ‘simplify’ approach amid offensive slump
-
Entertainment7 days agoPete Davidson Reveals ‘Brutal’ Mom Moment That Got Him Sober
-
Entertainment6 days agoHow Babylon 5 Turned Brief Side Story Into Emotional Masterpiece
-
Tech6 days agoWhat was the first ransomware attack to demand payment in Bitcoin?
You must be logged in to post a comment Login