
Crypto infrastructure company blames $290 million theft on North Korean hackers

A theft over the weekend of nearly $300 million worth of cryptocurrency has been attributed to hackers from North Korea, as the industry grapples with the fallout of a wide-ranging incident involving multiple prominent platforms. 

The attack began on Saturday afternoon when blockchain security firms reported $290 million leaving the crypto platform Kelp. The company confirmed the incident and paused activity while an investigation was conducted. 

Cyber sleuths traced the incident back to LayerZero, a cryptocurrency infrastructure developer behind a popular cross-chain messaging protocol that lets decentralized apps on different blockchains communicate and move assets between them. 

Early on Monday, LayerZero published a lengthy post-mortem explaining that preliminary indicators suggest the complex attack was conducted by North Korea’s TraderTraitor, a well-known group of hackers within Pyongyang’s Lazarus operation. 

LayerZero said the attack was isolated to Kelp and blamed the incident on how Kelp had configured its integration. 

LayerZero operates Decentralized Verifier Networks (DVNs), independent entities that verify messages sent across blockchains. The company claimed it has repeatedly warned integrators like Kelp not to rely on LayerZero's DVN as the sole entity verifying their messages. 

“Industry best practice — and LayerZero's express recommendation to all integrators — is to configure a multi-DVN setup with diversity and redundancy,” the company said. “This means no single DVN should represent a unilateral point of trust or failure.”

LayerZero was the sole verifier of cross-chain messages for rsETH, a Kelp token that lets people deposit their Ether and earn yield on it.  

In a complicated series of transactions, North Korea's TraderTraitor breached LayerZero and minted large amounts of rsETH without providing any real Ether as collateral, effectively printing money out of thin air.

The hackers then used the unbacked rsETH as collateral on other platforms to borrow real Ether and U.S. dollar-pegged stablecoins.

In its post-mortem, LayerZero repeatedly blamed Kelp for its configuration, arguing that it "directly contradicts the multi-DVN redundancy model that LayerZero has consistently recommended to all integration partners."

“Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message,” the company said. 
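The single-verifier failure mode LayerZero describes is easiest to see in code. The following is an added illustration written for this article, not LayerZero's or Kelp's own code: a toy model in which honest verifiers attest a message only if it was actually emitted on the source chain, one verifier is attacker-controlled and attests anything, and the receiving side applies a rule of the required-plus-optional-threshold shape used by LayerZero V2 receive configs (that shape is an assumption here; the message format, chain names, amounts and addresses are constructed for the example). A forged mint passes a single-DVN configuration and is rejected as soon as one honest, independent verifier is required.

```python
"""Toy model: one compromised verifier vs. a multi-verifier receive rule.

Added illustration, not LayerZero or Kelp code. Chains, amounts and
addresses below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


def message_id(src_chain: str, dst_chain: str, nonce: int, payload: bytes) -> str:
    """What a verifier attests to: a hash over the routing fields and payload."""
    header = f"{src_chain}|{dst_chain}|{nonce}|".encode()
    return hashlib.sha256(header + payload).hexdigest()


class HonestVerifier:
    """Attests a message only if it was really emitted on the source chain."""

    def __init__(self, name: str, source_ledger: set):
        self.name = name
        self.source_ledger = source_ledger  # ids of messages seen on the source chain

    def attest(self, mid: str) -> bool:
        return mid in self.source_ledger


class CompromisedVerifier(HonestVerifier):
    """Attacker-controlled verifier: signs whatever it is asked to sign."""

    def attest(self, mid: str) -> bool:
        return True


@dataclass
class ReceiveConfig:
    """Receiver-side rule: every `required` verifier must attest, and at least
    `threshold` of the `optional` ones must (assumed shape, see lead-in)."""

    required: list = field(default_factory=list)
    optional: list = field(default_factory=list)
    threshold: int = 0

    def accepts(self, mid: str) -> bool:
        if not all(v.attest(mid) for v in self.required):
            return False
        attested = sum(1 for v in self.optional if v.attest(mid))
        return attested >= self.threshold


def run_scenario() -> dict:
    # Constructed source ledger: one genuine 10 ETH deposit backing a 10 rsETH mint.
    genuine = message_id("ethereum", "arbitrum", 1, b"mint rsETH 10 to 0xUSER")
    source_ledger = {genuine}
    # Forged message: a huge mint with no matching deposit on the source chain.
    forged = message_id("ethereum", "arbitrum", 2, b"mint rsETH 100000 to 0xATTACKER")

    rogue = CompromisedVerifier("dvn-A (compromised)", source_ledger)
    honest_b = HonestVerifier("dvn-B", source_ledger)
    honest_c = HonestVerifier("dvn-C", source_ledger)

    single = ReceiveConfig(required=[rogue])                       # 1-of-1
    multi = ReceiveConfig(required=[rogue, honest_b])              # 2 required
    weak_opt = ReceiveConfig(optional=[rogue, honest_c], threshold=1)   # 1-of-2
    strong_opt = ReceiveConfig(optional=[rogue, honest_c], threshold=2)  # 2-of-2

    return {
        "single_genuine": single.accepts(genuine),
        "single_forged": single.accepts(forged),          # forged mint goes through
        "multi_genuine": multi.accepts(genuine),
        "multi_forged": multi.accepts(forged),            # honest DVN never saw it
        "optional_1_of_2_forged": weak_opt.accepts(forged),   # threshold too low
        "optional_2_of_2_forged": strong_opt.accepts(forged),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two things the model makes concrete. First, redundancy only helps if the extra verifiers are genuinely independent: a second DVN run on the same compromised infrastructure would attest the forged message just like the first. Second, an optional set with a threshold of one is no stronger than a single verifier; the threshold has to exceed the number of verifiers an attacker could plausibly compromise at once.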

LayerZero went on to explain that the attackers were able to “manipulate or poison” downstream infrastructure by compromising systems the company relies on to verify transactions. The company said the attackers’ sophisticated tactics prevented security monitoring tools from noticing anomalies. 

In order to complete the heist, the hackers also launched a distributed denial-of-service (DDoS) attack on backup systems that may have been able to stop the theft. The tools used to carry out the attack were built to self-destruct once the hackers had finished. 

The post-mortem does not go into detail about how exactly the alleged North Koreans breached LayerZero's systems. Multiple cryptocurrency companies attacked by North Korea over the last year have reported malware-infected employee laptops as the source of their breaches.  

Speaking to the cryptocurrency news outlet CoinDesk, a Kelp source disputed LayerZero’s assessment, noting that even the company’s own post-mortem acknowledges that the incident involved the compromise of its servers as opposed to Kelp’s. They also said about 40% of LayerZero customers use the single DVN setup and the company had never raised issues about it with them. 

LayerZero said it is in the process of contacting all integrators that use it as their sole DVN and that it will no longer approve messages from applications that rely on a single verifier. 

Law enforcement is involved in the response to the incident, LayerZero said in its post-mortem. The company argued that its systems "functioned exactly as intended throughout this event." 

Aave, one of the platforms where the hackers used the fictitious rsETH to take out loans, acknowledged the incident and said it is “assessing potential resolutions.” Thousands of its users have tried to pull their money out of the platform, in some cases to no avail. 

None of Kelp, LayerZero or Aave responded to requests for comment.

If confirmed, the $290 million theft would be yet another blockbuster cryptocurrency robbery launched by hackers from North Korea. Three weeks ago, alleged North Korean groups stole $290 million from the Drift crypto platform in another sophisticated operation involving fake companies, alleged actors and more.  

North Korea has waged an unprecedented assault on the crypto industry for more than five years, stealing vast sums each year that U.S. officials say are used to fund Pyongyang's weapons programs.

The country’s government stole more than $2 billion in similar attacks last year and brought in $3 billion from attacks between 2017 and 2023, according to United Nations investigators.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.