DeFi Faces $14B Crisis After $290M rsETH Hack Linked to North Korea

The decentralized finance (DeFi) sector is grappling with the fallout of a suspected North Korea-linked hack that has triggered a $14 billion market meltdown. The incident began with the theft of $290 million worth of Kelp DAO’s liquid staking token, rsETH, via the Layer Zero bridge on April 19, 2026.

The hack’s impact spread rapidly across multiple protocols, with DeFi giant Aave experiencing a one-third drop in total value locked (TVL). Nearly $9 billion has since been withdrawn from Aave, leaving the protocol potentially exposed to hundreds of millions in bad debt.

The rsETH Hack: How It Unfolded

The attack targeted Kelp DAO, the issuer of rsETH, by exploiting its “single-DVN setup” for bridging tokens. Layer Zero bridges rely on decentralized verifier networks (DVNs) to validate transactions, placing security responsibility on asset issuers. Kelp DAO used a 1-of-1 setup, relying solely on Layer Zero’s DVN.

Following the hack, Kelp DAO acknowledged the suspicious activity on X (formerly Twitter), stating:

"Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA. We will keep you updated."
— Kelp (@KelpDAO) April 18, 2026

Layer Zero’s Claim vs. Developer Skepticism

Layer Zero attributed the breach to a highly sophisticated RPC-spoofing attack, where malicious actors manipulated targeted DVNs by presenting false data. The attack also included a DDoS attack on uncompromised RPCs to force fallback to the compromised ones.

However, pseudonymous DeFi developer banteg disputed Layer Zero’s explanation, arguing that the attack involved an internal breach rather than external interference. They warned against re-enabling bridges without clear details on the breach’s origin.

The Fallout: Aave’s TVL Plummets, Bad Debt Looms

Instead of selling the stolen rsETH—potentially crashing its price—the attacker deposited it as collateral into Aave and other lending platforms, borrowing $236 million in WETH. Blockchain audit firm PeckShield confirmed the attacker’s actions:

Today's @KelpDAO exploiter deposited the stolen $rsETH into various lending protocols (AaveV3, CompoundV3, Euler) and borrowed massive $WETHs totaling $236 million.

With liquidity drained and markets frozen, users panicked, withdrawing collateral and borrowing assets wherever possible. Aave’s TVL has since dropped by a third, and the protocol faces potential exposure to hundreds of millions in bad debt. The question of who will cover these losses remains unresolved.