DeFi Bleeds $7B In A Day After $290M Exploit – Layer Zero Calls It Another Lazarus Hit

• The total volume locked across all DeFi protocols has tanked to $85.6 billion in 24 hours, according to DefiLlama.
• LayerZero said preliminary indicators suggested the KelpDAO hack was carried out by a “highly sophisticated state actor,” likely North Korea’s Lazarus Group.
• The attack drained roughly $290 million from rsETH, a restaked Ethereum asset issued by KelpDAO, triggering broader concerns across DeFi markets.

Decentralized finance (DeFi) is seeing one of its steepest short-term pullbacks since the 2022 market meltdown as a LayerZero (ZRO) exploit undermines investor confidence and prompts capital withdrawals.

According to DefiLlama data, total value locked (TVL) in DeFi saw a 7.7% drop to $85.6 billion in 24 hours, a drop of $7 billion in a day. After the event, LayerZero, a leading cross-chain infrastructure provider, saw volumes decrease between $2 billion and $4 billion, from almost $14 billion, indicating a severe decline in cross-chain usage.

In a detailed report, the protocol explained that the attack targeted the infrastructure used to verify cross-chain transactions, rather than exploiting a flaw in the core protocol itself. “This incident was isolated to KelpDAO’s rsETH configuration,” LayerZero said, adding that there was “zero contagion to any other cross-chain assets or applications.” 

The attack targeted rsETH, a liquid restaking token issued by KelpDAO that represents Ethereum (ETH) staked through EigenLayer and used as collateral across DeFi protocols. Because rsETH is integrated into lending and liquidity platforms, disruptions tied to the asset quickly drew wider market attention.

The exploit involved compromising external infrastructure used by LayerZero’s decentralized verifier network (DVN), enabling attackers to manipulate transaction verification. The firm said affected systems have since been replaced and the network is operational. Some have coined the exploit as “the largest DeFi exploit of 2026.”

LayerZero’s price was trading at $ 1.56, up over 0.4% in the past 24 hours, after it went down over 20% in a week. On Stocktwits, the retail sentiment around ZRO dropped to ‘bearish’ from ‘bullish’ while chatter remained at the ‘extremely high’ levels over the past day.

Suhail Kakar, an integration engineer at Polymarket, described the attack as highly sophisticated. He said attackers likely took control of key nodes used for verification and fed them manipulated data. They then disrupted healthy nodes, forcing the system to rely on the compromised ones.

Capital Flight Concerns Emerge Across DeFi

The incident has also triggered concerns about capital outflows from DeFi protocols. Wale.moca, who is reportedly a German NFT influencer, said on X that “money is leaving DeFi at an unprecedented scale,” sharing data showing sharp declines in total value locked (TVL) across multiple blockchain ecosystems over the past week.

The KelpDAO hack renewed scrutiny of interconnected DeFi systems, particularly after its impact spread to protocols that used the affected asset. Aave (AAVE), for instance, paused the rsETH-related markets following the incident. 

LayerZero emphasized that the attack stemmed from a configuration decision by KelpDAO that relied on a single-verifier setup rather than a more resilient multi-verifier model. The firm said it had previously recommended diversified configurations to avoid such single points of failure.

The incident marks the second major exploit this year linked to North Korean actors. Earlier this year, the Drift Protocol breach cost $280 million and took months of social engineering. Attackers cultivated confidence with contributors before using bad programming to steal money.

Investigators linked it to another organization connected to North Korea because of parallels in techniques and on-chain behaviour with earlier operations like the Radiant Capital breach.

Lazarus-Linked Attacks Cost Crypto $7 Billion 

The exploit adds to a growing list of attacks attributed to North Korea-linked groups targeting the crypto sector. Lazarus has been behind multiple large-scale crypto thefts, using increasingly sophisticated techniques to exploit vulnerabilities across centralized and decentralized platforms, amounting to an alleged $7 billion so far. 

One commentator on X named Galileo said, “north koreans (lazarus group) is wild man. their civilians live like a couple centuries behind but their technical capabilities seem to be a couple centuries ahead. they stole 7,000,000,000$ since the start of crypto.”

The KelpDAO incident comes following the $1.5 billion Bybit hack in 2025 by North Korea-linked actors.

Together, these incidents have intensified scrutiny on DeFi’s security architecture, with analysts warning that repeated exploits and capital outflows could weigh on investor confidence in the sector.

Read also: Strategy Drops $2.5B On Bitcoin In Biggest Buy Of Year Yet – Overtakes BlackRock’s IBIT

For updates and corrections, email newsroom[at]stocktwits[dot]com.