Less than three weeks after hackers linked to North Korea used social engineering to target crypto trading firm Drift, it appears hackers linked to the nation have pulled off another major exploit with Kelp.
The attack on Kelp, a restaking protocol tied to LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate, not just looking for bugs or stolen credentials, but exploiting the fundamental assumptions built into decentralized systems.
Taken together, the two incidents point to something more organized than a series of isolated hacks as North Korea continues to escalate its efforts to hijack funds from the crypto sector.
“This is not a series of incidents; it’s a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t patch your way out of a shopping plan.”
More than $500 million was stolen across the Drift and Kelp incidents in just over two weeks.
How Kelp was exploited
At its core, the Kelp exploit did not involve breaking encryption or cracking keys. The system actually worked as designed. Rather, the attackers manipulated the data entered into the system and forced it to trust the compromised inputs, causing it to approve transactions that never actually took place.
“The security flaw is simple: a signed lie is still a lie,” Urbelis said. “Signatures guarantee authorship; they do not guarantee truth.”
Simply put, the system checked who sent the message, not whether the message itself was correct. For security experts, that makes this less about a clever new hack and more about exploiting how the system was set up.
“This attack was not about breaking cryptography,” said David Schwed, COO of blockchain security firm SVRN. “It was about taking advantage of how the system was set up.”
A key issue was a configuration choice. Kelp relied on a single verifier, essentially a checker, to approve messages across chains. That setup is faster and simpler, but it removes a critical layer of security.
In the fallout, LayerZero has since recommended using multiple independent verifiers to approve transactions, similar to requiring multiple signatures on a bank transfer. Some in the ecosystem have pushed back on that framing, noting that LayerZero’s default setup was a single verifier.
“If you’ve identified a configuration as unsafe, don’t send it as an option,” Schwed said. “Security that depends on everyone reading the documents and getting it right is not realistic.”
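To make the configuration point concrete, here is a small added model (not code from the article, LayerZero or Kelp) of a receiving contract that checks attestations from a configured set of verifiers. Signatures are stood in for by HMACs with constructed keys, and the source-chain state is a constructed set of deposit ids; an honest verifier only attests to a message whose deposit it can find on the source chain, while a compromised one attests to anything.

```python
import hashlib, hmac, json
from dataclasses import dataclass

@dataclass
class Verifier:
    name: str
    key: bytes          # constructed secret; stands in for a verifier's signing key
    honest: bool = True # honest verifiers attest only to events present on the source chain
    def attest(self, source_ledger: set, message: dict):
        """Return an attestation for message, or None if an honest verifier cannot confirm it."""
        if self.honest and message["deposit_id"] not in source_ledger:
            return None
        payload = json.dumps(message, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).digest()

@dataclass
class Receiver:
    verifiers: list
    threshold: int
    def accept(self, message: dict, attestations: dict) -> bool:
        """Accept only if at least `threshold` configured verifiers attested to this exact message."""
        payload = json.dumps(message, sort_keys=True).encode()
        valid = 0
        for v in self.verifiers:
            sig = attestations.get(v.name)
            expected = hmac.new(v.key, payload, hashlib.sha256).digest()
            if sig is not None and hmac.compare_digest(sig, expected):
                valid += 1
        return valid >= self.threshold

def collect(verifiers, ledger, message):
    """Gather whatever attestations each verifier is willing to produce for a message."""
    return {v.name: s for v in verifiers if (s := v.attest(ledger, message)) is not None}

def run_scenario():
    ledger = {"dep-1"}  # constructed source-chain state: only deposit dep-1 really happened
    compromised = Verifier("v-compromised", b"k1", honest=False)
    honest_a = Verifier("v-honest-a", b"k2")
    honest_b = Verifier("v-honest-b", b"k3")
    real = {"deposit_id": "dep-1", "amount": 100}
    fake = {"deposit_id": "dep-999", "amount": 10_000_000}  # never happened on the source chain
    single = Receiver([compromised], threshold=1)               # single-verifier configuration
    quorum = Receiver([compromised, honest_a, honest_b], threshold=2)  # 2-of-3 independent verifiers
    return {
        "single_real": single.accept(real, collect(single.verifiers, ledger, real)),
        "single_fake": single.accept(fake, collect(single.verifiers, ledger, fake)),
        "quorum_real": quorum.accept(real, collect(quorum.verifiers, ledger, real)),
        "quorum_fake": quorum.accept(fake, collect(quorum.verifiers, ledger, fake)),
    }
```

In the single-verifier configuration the fabricated message carries a perfectly valid signature and is accepted; the same signature is worth nothing against a quorum, because the honest verifiers decline to attest to a deposit they cannot find.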
The fallout is not limited to Kelp. Like many DeFi systems, its assets are used across multiple platforms, meaning problems can spread.
“These assets are a chain of IOUs,” Schwed said. “And the chain is only as strong as the controls at each link.”
When one link breaks, others are affected. In this case, lending platforms like Aave, which accepted the affected assets as collateral, are now dealing with losses, turning a single exploit into a broader stress event.
The marketing of decentralization
The attack also reveals a gap between how decentralization is marketed and how it actually works.
“A single verifier is not decentralized,” Schwed said. “It’s a centralized decentralized verifier.”
Urbelis puts it more broadly.
“Decentralization is not a feature a system has. It is a series of choices,” he said. “And the stack is only as strong as its most centralized layer.”
In practice, this means that even systems that seem decentralized can have weak points, especially in the less visible layers such as data providers or infrastructure. This is increasingly where the attackers are focusing.
That shift may explain Lazarus’ recent targeting.
The group has begun targeting cross-chain and restaking infrastructure, Urbelis said, the parts of crypto that move assets between systems or allow them to be reused.
These layers are critical but complex, often sitting beneath more visible applications. They also tend to have large amounts of value, making them attractive targets.
If previous waves of crypto hacks focused on exchanges or glaring code errors, the latest activity suggests a move toward what could be called the industry’s plumbing, the systems that connect everything but are harder to monitor and easier to misconfigure.
As Lazarus continues to adapt, the greatest risk may not be unknown vulnerabilities, but known ones that are not fully patched.
The Kelp exploit did not introduce a new form of weakness. It showed how vulnerable the ecosystem remains to familiar ones, especially when security is treated as a recommendation rather than a requirement.
And as attackers move faster, that hole becomes both easier to exploit and far more expensive to ignore.