North Korean hackers have dealt another devastating blow to the cryptocurrency industry, stealing $293 million from the decentralized finance (DeFi) application Kelp DAO in a single attack. The theft is part of a broader campaign in which state-sponsored hackers from the hermit kingdom stole a combined $579 million from onchain applications in less than 20 days.
The attack on Kelp DAO was executed by compromising an application built on LayerZero, a widely used protocol for cross-chain communication. Hackers exploited a vulnerability to send a fraudulent message instructing the application to release the funds. Days later, they returned to the same platform to launder portions of the stolen crypto by transferring it across multiple blockchains.
Onchain records reveal that the hackers have already moved at least $500,000 through LayerZero as part of their laundering scheme. This marks the first documented case in which the same application served both as the attack vector and as a money-laundering tool.
LayerZero has not yet responded to requests for comment regarding the incident.
North Korea’s Evolving Cyber Threat: From Chaos to Corporate Efficiency
State-funded North Korean hackers have been a persistent threat to the crypto industry for nearly a decade. However, recent years have seen their operations become increasingly organized, sophisticated, and financially damaging.
In 2023 alone, North Korean attackers stole a record $1.5 billion from Bybit by compromising employees at Safe, the exchange’s wallet provider. Security experts warn that these hackers now operate with the efficiency of a global enterprise.
‘We are seeing these actors treat exploits as standardised business operations, characterised by infrastructure reuse and the exploitation of settlement corridors with the efficiency of a global enterprise.’
— Matt Price, Vice President of Investigations at Elliptic
In response to the growing threat, crypto security researchers are urging developers to prioritize operational security alongside protocol integrity.
‘Security is no longer just about the integrity of the protocol’s code. Operational security is now equally critical. If the operational rails are weak, the code’s security becomes irrelevant.’
— Yajin Zhou, Co-founder of BlockSec
David Schwed, Chief Operating Officer at SVRN and a cybersecurity expert who led the development of BNY Mellon’s digital asset offerings, emphasized the need for robust security measures.
‘Projects need to hire seasoned chief information security officers and empower them to bring in teams of experts to build robust security systems.’
— David Schwed, COO at SVRN
Crypto security firm Halborn has also cautioned against projects that create single points of failure, which attackers can exploit with devastating consequences.
How Hackers Launder Stolen Crypto: The Role of LayerZero
Cryptocurrency theft is only the first step for hackers. To cash out without detection, they must launder the stolen funds through complex schemes that obscure their origins. This typically involves splitting the money into small chunks and repeatedly transferring it across different wallets and blockchains.
LayerZero played a critical role in this laundering process. Hackers used the protocol to transfer a portion of the stolen funds from Arbitrum, a layer 2 blockchain, to Tron, further distancing the funds from their illicit source.
Security researchers are now calling for developers to implement stricter measures to prevent such laundering. One proposed solution is to block wallets identified as belonging to known hackers or suspicious entities.