North Korea’s Crypto Heist Playbook Is Expanding and DeFi Continues to Get Hit

Less than three weeks after hackers linked to North Korea used social engineering to attack cryptocurrency trading company Drift, hackers linked to the nation appear to have pulled off another major exploit with Kelp.

The attack on Kelp, a recovery protocol tied to LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate, not just looking for bugs or stolen credentials, but exploiting basic assumptions built into decentralized systems.

Together, the two incidents point to something more organized than a series of one-off attacks, as North Korea continues to ramp up its efforts to hijack crypto sector funds.

“This is not a series of incidents; it’s a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t go off a procurement schedule.”

More than half a billion dollars was siphoned off through the exploits of Drift and Kelp in just over two weeks.

How Kelp Broke

At its core, the Kelp exploit did not involve breaking encryption or decrypting keys. In reality, the system worked as designed. Rather, the attackers manipulated data coming into the system and forced it to trust those compromised inputs, causing it to approve transactions that never actually occurred.

“The security flaw is simple: a signed lie is still a lie,” Urbelis said. “Signatures guarantee authorship; they do not guarantee truth.”

In simpler terms, the system was checking who sent the message, not whether the message itself was correct. For security experts, this makes it less about a clever new hack and more about exploiting how the system was configured.

“This attack was not intended to break cryptography,” said David Schwed, chief operating officer at blockchain security firm SVRN. “It was about exploiting how the system was set up.”

A key issue was the choice of configuration. Kelp relied on a single verifier to approve cross-chain messages. A single-verifier setup is faster and easier to configure, but it removes a critical security layer.

LayerZero has since recommended using multiple independent verifiers to approve transactions, similar to requiring multiple signatures on a bank transfer. Some in the ecosystem have rejected that framework, saying that LayerZero’s default configuration was to have a single verifier.

“If you have identified a configuration as insecure, do not submit it as an option,” Schwed said. “Security that depends on everyone reading the documents and doing it correctly is not realistic.”
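The two points above, that a signature proves who sent a message but not that the message is true, and that a single verifier makes that one party the whole security layer, can be shown in a small simulation. The following is an added example and not code from Kelp, LayerZero or either expert quoted here; the verifier and receiver logic, the HMAC-simulated signatures, the message format and the sample messages are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: the messages the source chain genuinely emitted,
# keyed by (source chain, nonce). A real verifier would read this from the
# source chain; here it is embedded so the example runs offline.
SOURCE_CHAIN_MESSAGES = {
    ("chainA", 1): {"nonce": 1, "dst": "chainB", "payload": "release 10 tokens to alice"},
}


def message_digest(msg: dict) -> bytes:
    """Canonical hash of a cross-chain message (hypothetical encoding)."""
    canonical = "|".join(f"{k}={msg[k]}" for k in sorted(msg))
    return hashlib.sha256(canonical.encode()).digest()


class Verifier:
    """An off-chain verifier that attests to cross-chain messages.
    Signatures are simulated with HMAC over a per-verifier secret so only the
    standard library is needed; the trust logic is the same as with real keys."""

    def __init__(self, name: str, secret: bytes, honest: bool = True):
        self.name = name
        self._secret = secret
        self.honest = honest  # a compromised verifier signs whatever it is asked to

    def attest(self, src_chain: str, nonce: int, msg: dict):
        # An honest verifier signs only what it can confirm on the source chain.
        if self.honest and SOURCE_CHAIN_MESSAGES.get((src_chain, nonce)) != msg:
            return None
        return hmac.new(self._secret, message_digest(msg), hashlib.sha256).digest()

    def check(self, msg: dict, sig: bytes) -> bool:
        expected = hmac.new(self._secret, message_digest(msg), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


@dataclass
class ReceiverConfig:
    """Which verifiers the destination contract requires before acting."""
    required: list              # every verifier here must attest
    optional: list = None       # of these, at least optional_threshold must attest
    optional_threshold: int = 0


def accept_message(cfg: ReceiverConfig, msg: dict, attestations: dict) -> bool:
    """Destination-side check; attestations maps verifier name -> signature.
    This confirms WHO signed and whether enough configured verifiers signed.
    It cannot tell whether the signed message is true; only independent
    verifiers can, so the configured set must not be one compromisable party."""
    def signed_by(v):
        sig = attestations.get(v.name)
        return sig is not None and v.check(msg, sig)

    if not all(signed_by(v) for v in cfg.required):
        return False
    optional_ok = sum(1 for v in (cfg.optional or []) if signed_by(v))
    return optional_ok >= cfg.optional_threshold


def deliver(cfg: ReceiverConfig, verifiers: list, src_chain: str, nonce: int, msg: dict) -> bool:
    """Simulate the whole flow: each verifier attests, then the receiver decides."""
    attestations = {}
    for v in verifiers:
        sig = v.attest(src_chain, nonce, msg)
        if sig is not None:
            attestations[v.name] = sig
    return accept_message(cfg, msg, attestations)


# Constructed verifiers: one honest, one compromised, one independent.
HONEST = Verifier("verifier-a", b"secret-a")
ROGUE = Verifier("verifier-b", b"secret-b", honest=False)
SECOND = Verifier("verifier-c", b"secret-c")

REAL_MSG = SOURCE_CHAIN_MESSAGES[("chainA", 1)]
# Never emitted on the source chain: a "signed lie" if anyone attests to it.
FORGED_MSG = {"nonce": 2, "dst": "chainB", "payload": "release 1000000 tokens to mallory"}


def single_rogue_verifier() -> bool:
    """Lone verifier is the compromised one: the forged message is accepted."""
    return deliver(ReceiverConfig(required=[ROGUE]), [ROGUE], "chainA", 2, FORGED_MSG)


def single_honest_verifier() -> bool:
    """Lone verifier is honest: it refuses to sign, so nothing is delivered."""
    return deliver(ReceiverConfig(required=[HONEST]), [HONEST], "chainA", 2, FORGED_MSG)


def multi_verifier_forged() -> bool:
    """Two required verifiers plus one optional: the rogue signature alone is not enough."""
    cfg = ReceiverConfig(required=[ROGUE, HONEST], optional=[SECOND], optional_threshold=1)
    return deliver(cfg, [ROGUE, HONEST, SECOND], "chainA", 2, FORGED_MSG)


def multi_verifier_real() -> bool:
    """The same strict configuration still delivers a message that was really emitted."""
    cfg = ReceiverConfig(required=[ROGUE, HONEST], optional=[SECOND], optional_threshold=1)
    return deliver(cfg, [ROGUE, HONEST, SECOND], "chainA", 1, REAL_MSG)


if __name__ == "__main__":
    print("single rogue verifier accepts forgery:", single_rogue_verifier())
    print("single honest verifier accepts forgery:", single_honest_verifier())
    print("multi-verifier accepts forgery:", multi_verifier_forged())
    print("multi-verifier accepts real message:", multi_verifier_real())
```

The receiver never rejects the forged message because of anything in the signature check itself; every signature it sees is valid. It is rejected only when the configuration requires an independent party that actually consults the source chain, which is the property a single-verifier setup gives up regardless of how strong the signatures are.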

The consequences have not been limited to Kelp. Like many DeFi systems, its assets are used across multiple platforms, meaning issues can spread.

“These assets are a chain of promissory notes,” Schwed said. “And the chain is only as strong as the controls at each link.”

When one link breaks, others are affected. In this case, lending platforms like Aave, which accepted the affected assets as collateral, are now dealing with losses, turning a single exploit into a broader stress event.

Decentralization Marketing

The attack also exposes a gap between how decentralization is marketed and how it actually works.

“A single verifier is not decentralized,” Schwed said. “It is a centralized decentralized verifier.”

Urbelis expresses it more broadly.

“Decentralization is not a property that a system has. It is a series of options,” he stated. “And the stack is only as strong as its most centralized layer.”

In practice, that means that even systems that appear decentralized can have weaknesses, especially in less visible layers, such as data providers or infrastructure. This is where attackers are increasingly focusing.

That shift may explain the recent activity attributed to Lazarus.

The group has begun to focus on cross-chain and recovery infrastructure, Urbelis said, the parts of cryptocurrencies that move assets between systems or enable their reuse.

These layers are critical but complex and are often found beneath more visible applications. They also tend to have large amounts of value, making them attractive targets.

If previous waves of cryptocurrency hacks focused on exchanges or obvious flaws in the code, recent activity suggests a move toward what might be called the industry’s plumbing, systems that connect everything but are harder to monitor and easier to misconfigure.

As Lazarus continues to adapt, the biggest risk may not be unknown vulnerabilities, but known ones that are not fully addressed.

The Kelp exploit did not introduce any new type of weakness. It showed how exposed the ecosystem is to familiar ones, especially when security is treated as a recommendation rather than a requirement.

And as attackers move faster, that gap becomes easier to exploit and much more costly to ignore.
