North Korea’s crypto heist playbook is expanding and DeFi keeps getting hit

Less than three weeks after hackers linked to North Korea used social engineering to attack the cryptocurrency exchange Drift, hackers linked to the same country appear to have completed another major attack, this time on Kelp.

The attack on Kelp, a restaking protocol tied to LayerZero’s cross-chain infrastructure, illustrates an evolution in how North Korea-linked hackers operate: rather than hunting only for weak or stolen credentials, they are exploiting fundamental assumptions built into decentralized systems.

Taken together, the two incidents suggest there is something more organized than a series of one-off hacks as North Korea continues to ramp up its efforts to hijack funds from the cryptocurrency space.

“It’s not a series of events; it’s a rhythm,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t get away from a procurement plan.”

In just over two weeks, the Drift and Kelp exploit campaigns have diverted more than $500 million.

How Kelp was exploited

Essentially, the Kelp exploit did not involve breaking encryption or cracking keys; the system worked the way it was designed. Instead, the attackers manipulated the data fed into the system, which relied on those compromised inputs and approved transactions that never actually occurred.

“The security failure is simple: a signed lie remains a lie,” Urbelis said. “A signature guarantees authorship; it does not guarantee authenticity.”

Simply put, the system checks who sent the message, not whether the message itself is correct. For security experts, this is less a clever new hack than an exploitation of the way the system was set up.


“This attack was not intended to break cryptography,” said David Schwed, chief operating officer of blockchain security company SVRN. “It’s about taking advantage of the way the system is set up.”

A key issue is a configuration choice. Kelp relies on a single validator (essentially a checker) to approve cross-chain messages. That setup is faster and simpler, but it removes a critical layer of security.

In the aftermath, LayerZero has proposed requiring multiple independent validators to approve transactions, similar to the multiple signatures required for some bank transfers. Some in the ecosystem have pushed back, pointing out that LayerZero’s default setting is to have only one validator.
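To make the configuration point concrete, here is an added illustration (not code from Kelp or LayerZero) of a destination-side check that accepts a cross-chain message once enough configured verifiers attest to it. It assumes HMAC tags as a stand-in for real verifier signatures, and the verifier names, keys and messages are constructed; it shows that a valid attestation only proves who signed, so with a single verifier one compromised attester is enough to pass a fabricated message, whereas a 2-of-3 quorum of independent verifiers rejects it.

```python
import hashlib
import hmac

def digest(msg: tuple) -> bytes:
    # Canonical hash of a cross-chain message (src_chain, dst_chain, payload).
    return hashlib.sha256("|".join(msg).encode()).digest()

class Verifier:
    """Stand-in for one independent message verifier (a DVN in LayerZero terms).
    An honest verifier attests only to messages it observed on the source
    chain; a compromised one attests to whatever it is handed."""

    def __init__(self, key: bytes, observed: set, compromised: bool = False):
        self.key, self.observed, self.compromised = key, observed, compromised

    def attest(self, msg: tuple):
        if not self.compromised and digest(msg) not in self.observed:
            return None  # refuse: never saw this message on the source chain
        return hmac.new(self.key, digest(msg), hashlib.sha256).hexdigest()

def accept(msg: tuple, attestations: dict, configured: dict, required: int) -> bool:
    """Destination-side check. A valid tag proves authorship, not that the
    message is real, so safety comes from requiring `required` distinct
    configured verifiers to agree on the same message."""
    valid = 0
    for name, tag in attestations.items():
        v = configured.get(name)
        if v is None or tag is None:
            continue
        expected = hmac.new(v.key, digest(msg), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected):
            valid += 1
    return valid >= required

# Constructed scenario: GENUINE was observed on the source chain; FORGED never
# existed there. Verifier "C" has been compromised (hypothetical).
GENUINE = ("chain-A", "chain-B", "release 10 tokens to 0xBEEF")
FORGED = ("chain-A", "chain-B", "release 1000000 tokens to 0xBAD")
SEEN = {digest(GENUINE)}
VERIFIERS = {"A": Verifier(b"key-A", SEEN), "B": Verifier(b"key-B", SEEN),
             "C": Verifier(b"key-C", SEEN, compromised=True)}

def outcome(msg: tuple, names: list, required: int) -> bool:
    # Run a message through the given verifier configuration and threshold.
    cfg = {n: VERIFIERS[n] for n in names}
    return accept(msg, {n: cfg[n].attest(msg) for n in names}, cfg, required)
```

`outcome(FORGED, ["C"], 1)` is accepted with the single-verifier configuration, while `outcome(FORGED, ["A", "B", "C"], 2)` is rejected because only the compromised verifier attests.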

“If you find a configuration to be unsafe, don’t offer it as an option,” Schwed said. “Relying on everyone reading the documentation and executing it correctly for security is unrealistic.”

The effects are not limited to Kelp. Like many DeFi systems, its assets are used across multiple platforms, which means problems can spread.

“These assets are a series of IOUs,” Schwed said. “The strength of the chain depends on the control of each link.”

When one link breaks, other links are affected as well. In this case, lending platforms like Aave that accepted affected assets as collateral are now facing losses, turning a single exploit into a broader stress event.

Decentralization as marketing

The attack also exposed the gap between how decentralization is marketed and how it actually works.

“A single validator is not decentralized,” Schwed said. “This is a centralized decentralized validator.”

Urbelis spoke more broadly.

“Decentralization is not a property owned by a system. It is a set of choices,” he said. “A stack is only as strong as its most concentrated layer.”


In practice, this means that even seemingly decentralized systems can have weaknesses, especially in less obvious layers such as data providers or infrastructure. These are increasingly becoming the focus of attackers.

This shift may explain the latest target of Lazarus, the North Korea-linked group.

Urbelis said the group has begun focusing on cross-chain and re-hypothecation infrastructure, the parts of the crypto ecosystem that move assets between systems or allow assets to be reused.

These layers are critical but complex and often lie beneath more visible applications. They also tend to hold a lot of value, which makes them attractive targets.

If earlier waves of cryptocurrency hacks focused on exchanges or obvious code flaws, recent activity shows a move toward the industry’s so-called plumbing: the systems that connect everything together but are harder to monitor and more prone to misconfiguration.

As Lazarus continues to adapt, the biggest risk may not be unknown vulnerabilities, but known vulnerabilities that have not yet been fully addressed.

The Kelp exploit does not introduce a new class of vulnerability. It shows how exposed the ecosystem remains to familiar ones, especially when security is treated as a recommendation rather than a requirement.

As attackers move faster, this gap becomes easier to exploit, and the cost of ignoring it rises.

Read more: North Korean hackers are carrying out massive state-backed heists to run their economic and nuclear programs
