kelpdao-incident-report.pdf (806 KB)

A DPRK-linked TraderTraitor/UNC4899 actor stole 116,500 rsETH, worth about $292 million, from the KelpDAO rsETH bridge on April 18, 2026. The intrusion began with social engineering against a LayerZero Labs developer on March 6, enabling session-key theft, access to the RPC cloud environment, and poisoning of internal RPC nodes. The attacker patched live RPC memory to satisfy monitoring tools while feeding tampered responses to the LayerZero Labs DVN, then used a DoS against an external RPC provider to force reliance on two compromised internal nodes. KelpDAO’s single-verifier configuration allowed one valid attestation to unlock rsETH, while the excerpt states no other OApps, channels, or transactions were compromised.