LayerZero Labs published its post-mortem on May 20, 2026, naming DPRK's TraderTraitor as the actor behind the year's largest DeFi exploit.
On April 18, 2026, 116,500 rsETH — roughly $292 million — was drained from the KelpDAO rsETH bridge, a cross-chain application built on LayerZero's messaging protocol. On May 20, LayerZero Labs published a full incident report co-authored with Mandiant and CrowdStrike, making it the first major cross-chain bridge attack with state-actor attribution from two elite cybersecurity firms. Both firms, alongside independent researchers at zeroShadow, attribute the attack to North Korea's TraderTraitor hacking group, also tracked as UNC4899.
The breach started six weeks before the money moved. On March 6, an attacker socially engineered a LayerZero Labs developer and harvested their session keys. From there, the attacker pivoted into LayerZero's RPC cloud environment and poisoned two internal RPC nodes — servers that respond to queries about blockchain state — patching their running memory to return clean responses to LayerZero's monitoring tools while feeding tampered data to its DVN (Decentralized Verifier Network) signing service. To eliminate the clean external fallback, the attacker executed a denial-of-service attack against an outside RPC provider, forcing LayerZero's DVN to rely exclusively on the two compromised internal nodes. The result: a valid attestation for a forged cross-chain message.
One verifier was all the attacker needed. The KelpDAO rsETH bridge was configured with a single required DVN. Because no second independent verifier was required to attest, the destination contract accepted the single attestation and unlocked the funds. No other OApps, channels, or transactions on LayerZero were compromised — the vulnerability was specific to this application's configuration.
LayerZero has changed that policy. Going forward, its DVN will refuse to sign as the sole required attestor on any channel. The affected cloud environment was torn down entirely — not patched — and rebuilt on hardened baselines with no legacy credentials carried over. Privileged access now requires just-in-time elevation with short-lived credentials, multi-person authorization for IAM changes, and device and session validation on every admin request.
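The verification logic described in the three paragraphs above, as an added illustration that is not code from LayerZero, KelpDAO or the incident report: a toy model of the destination-side quorum check (why one required verifier is a single point of failure) and of a fail-closed signing policy for a verifier that derives its attestation from RPC node state. The required-plus-optional-threshold shape follows what LayerZero V2 documents for its verifier configuration, but the class and function names, operator labels and hash values here are constructed for the example and are not the project's API.

```python
"""Toy model of a cross-chain verification quorum and a fail-closed verifier.

Added example only: names, operator labels and hashes are constructed and
the structures are simplified stand-ins, not LayerZero's own types.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

GENUINE = "0xaaaa"  # constructed hash of the legitimate cross-chain message
FORGED = "0xbbbb"   # constructed hash of a forged message


@dataclass(frozen=True)
class VerifierConfig:
    """Per-application verification requirements (simplified)."""
    required_dvns: frozenset            # every one of these must attest
    optional_dvns: frozenset = frozenset()
    optional_threshold: int = 0         # how many optional DVNs must also attest


def message_verified(cfg: VerifierConfig, attestations: Dict[str, str],
                     payload_hash: str) -> bool:
    """Destination-side check.

    attestations maps DVN name -> payload hash that DVN signed. The message
    is accepted only if every required DVN, plus at least optional_threshold
    optional DVNs, attested to exactly this payload hash.
    """
    signers = {dvn for dvn, h in attestations.items() if h == payload_hash}
    if not cfg.required_dvns <= signers:
        return False
    return len(cfg.optional_dvns & signers) >= cfg.optional_threshold


@dataclass(frozen=True)
class RpcReading:
    """What one RPC node reported for the source-chain event."""
    operator: str                       # two nodes of one operator are not independent
    payload_hash: Optional[str]         # None: node unreachable (e.g. under DoS)


def dvn_decide(readings: List[RpcReading],
               min_independent_operators: int = 2) -> Optional[str]:
    """Fail-closed signing policy for a verifier.

    Sign only when every reachable node agrees on the payload hash AND that
    hash is corroborated by at least min_independent_operators distinct
    operators. Any disagreement, or loss of independent corroboration,
    yields None (no signature) rather than a fallback to whatever is left.
    """
    reachable = [r for r in readings if r.payload_hash is not None]
    hashes = {r.payload_hash for r in reachable}
    if len(hashes) != 1:
        return None                     # nothing reachable, or nodes disagree
    operators = {r.operator for r in reachable}
    if len(operators) < min_independent_operators:
        return None                     # only one operator vouches for this state
    return hashes.pop()


def scenario_single_required_dvn() -> bool:
    """One required DVN, and that DVN was fed poisoned state: accepted."""
    cfg = VerifierConfig(required_dvns=frozenset({"dvn-A"}))
    return message_verified(cfg, {"dvn-A": FORGED}, FORGED)


def scenario_two_required_dvns() -> bool:
    """Second independent required DVN reads the real state: rejected."""
    cfg = VerifierConfig(required_dvns=frozenset({"dvn-A", "dvn-B"}))
    return message_verified(cfg, {"dvn-A": FORGED, "dvn-B": GENUINE}, FORGED)


def scenario_fail_closed_dvn() -> Optional[str]:
    """Two nodes of one operator report the forged hash, the only external
    provider is unreachable: a fail-closed verifier refuses to sign."""
    readings = [RpcReading("internal", FORGED),
                RpcReading("internal", FORGED),
                RpcReading("external-provider", None)]
    return dvn_decide(readings)


def scenario_healthy_dvn() -> Optional[str]:
    """Internal nodes and an independent provider agree: sign the hash."""
    readings = [RpcReading("internal", GENUINE),
                RpcReading("external-provider", GENUINE)]
    return dvn_decide(readings)


if __name__ == "__main__":
    print("single required DVN accepts forged message:", scenario_single_required_dvn())
    print("two required DVNs accept forged message:", scenario_two_required_dvns())
    print("fail-closed DVN signs with no independent corroboration:", scenario_fail_closed_dvn())
    print("fail-closed DVN signs healthy state:", scenario_healthy_dvn())
```

The first two scenarios show the configuration point: with one required DVN, a forged attestation from that DVN is sufficient, while a second required DVN run by an independent operator turns one compromised verifier into a rejected message. The last two show the verifier-side point: when the external source is unavailable and only nodes under a single operator remain, a verifier that requires corroboration from distinct operators produces no signature at all instead of silently trusting the remaining nodes.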
The DPRK context makes this attack structurally significant, not just large. According to TRM Labs, North Korean hacking groups stole approximately $577 million in the first four months of 2026 — 76% of all crypto hack value in that period, from just two attacks (Drift Protocol on April 1 and KelpDAO on April 18). That 76% share is the highest sustained proportion on record; the comparable figure was 64% in 2025, 39% in 2024, and under 10% in 2020. The pattern is not more attacks — it is more precise targeting. TraderTraitor did not find a zero-day; it found a developer with a session key and built six weeks of infrastructure around that single access point.
What the numbers show is a structural shift in threat level. The KelpDAO attack demonstrates that North Korean actors are running multi-stage, patient operations specifically designed to defeat the monitoring and redundancy systems that cross-chain infrastructure teams rely on. A single-DVN configuration that held up against unsophisticated attackers provided no meaningful resistance against an adversary willing to first compromise the verifier itself.
LayerZero is cooperating with law enforcement. Token tracking and seizure efforts are ongoing, led by zeroShadow. $75 million was frozen on Arbitrum; the remainder was laundered through THORChain, converting stolen ETH to Bitcoin in what TRM describes as a textbook TraderTraitor liquidation process.
Editor's note — unverified figure: The brief cites "$840M+ lost to DeFi hacks in the first five months of 2026 per DefiLlama." The DefiLlama hacks page (defillama.com/hacks) returned a 403 during verification, and web search quota was exhausted. The TRM Labs primary source confirms $760M implied total through April (derived: $577M = 76% of all losses). The $840M figure covering through May cannot be independently verified in this draft and has been omitted. This piece should be reviewed before publication.