North Korea’s crypto hacking playbook expands and DeFi continues to be hit

Less than three weeks after hackers linked to North Korea used social engineering to hit cryptocurrency trading firm Drift, hackers linked to the nation appear to have pulled off another major exploit with Kelp.

The attack on Kelp, a restaking protocol tied to LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate: not just hunting for bugs or stolen credentials, but exploiting the basic assumptions built into decentralized systems.

Taken together, the two incidents indicate something more organized than a series of one-off hacks, as North Korea continues to intensify its efforts to divert funds from the crypto sector.

“It’s not a series of incidents; it’s a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You can’t patch your way out of a supply schedule.”

More than $500 million was stolen in the Drift and Kelp incidents in just over two weeks.

How Kelp was exploited

At its core, the Kelp exploit did not involve breaking encryption or hacking keys. The system actually worked as it was designed. Rather, the attackers manipulated the data feeding the system and forced it to rely on these compromised inputs, causing it to approve transactions that never occurred.

“The security failure is simple: A signed lie remains a lie,” Urbelis said. “Signatures guarantee authorship; they do not guarantee the truth.”

In simpler terms, the system checked who sent the message, not whether the message itself was correct. For security experts, this is less a clever new hack than an exploitation of the way the system was configured.

“This attack was not intended to break cryptography,” said David Schwed, COO of blockchain security company SVRN. “It was about exploiting the way the system was set up.”

A key issue was the choice of configuration. Kelp relied on a single verifier to approve cross-chain messages. That setup is faster and easier to configure, but it removes a critical layer of security.

In the wake of the incident, LayerZero has recommended using multiple independent verifiers to approve transactions, similar to requiring multiple signatures on a bank transfer. Some in the ecosystem have pushed back on this framing, pointing out that LayerZero’s default configuration is a single verifier.

“If you have identified a configuration as unsafe, do not ship it as an option,” Schwed said. “Security that depends on everyone reading documents and executing them correctly is not realistic.”
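The distinction Urbelis and Schwed draw, between a message being authentically signed and a message being true, is easy to see in a small model. The example below is added here and is not Kelp’s, LayerZero’s, or any real bridge’s code. It models a bridge that accepts a cross-chain message once enough configured verifiers have signed it, using HMAC as a stand-in for public-key signatures. Every verifier name, key, and ledger entry is constructed for the illustration. An honest verifier consults the source chain before signing; a compromised one signs whatever it is asked to. With a single verifier, a well-formed signature on a deposit that never happened is accepted; with a 2-of-3 quorum of independent verifiers, the same signed lie is rejected because the honest verifiers will not attest to it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed source-chain ledger: the only deposit that really happened.
SOURCE_CHAIN_EVENTS = {
    ("deposit", "0xalice", 100),
}


@dataclass(frozen=True)
class Message:
    """A cross-chain message claiming that an event occurred on the source chain."""
    kind: str
    account: str
    amount: int

    def encode(self) -> bytes:
        return f"{self.kind}|{self.account}|{self.amount}".encode()


class Verifier:
    """A verifier attests to messages. HMAC stands in for a signature scheme (assumption)."""

    def __init__(self, name: str, key: bytes, honest: bool = True):
        self.name = name
        self.key = key
        self.honest = honest

    def attest(self, msg: Message) -> Optional[bytes]:
        # An honest verifier checks the source chain and refuses to sign a claim it cannot confirm.
        if self.honest and (msg.kind, msg.account, msg.amount) not in SOURCE_CHAIN_EVENTS:
            return None
        # A compromised verifier signs regardless: the signature is genuine, the claim is not.
        return hmac.new(self.key, msg.encode(), hashlib.sha256).digest()


class Bridge:
    """Destination-side verification: count valid signatures from configured verifiers."""

    def __init__(self, verifiers: List[Verifier], required: int):
        # With HMAC the verification key is the shared secret; with real signatures it would be a public key.
        self.keys = {v.name: v.key for v in verifiers}
        self.required = required

    def valid_attestations(self, msg: Message, attestations: Dict[str, bytes]) -> int:
        valid = 0
        for name, sig in attestations.items():
            key = self.keys.get(name)
            if key is None:
                continue  # unknown signer, ignored
            expected = hmac.new(key, msg.encode(), hashlib.sha256).digest()
            if hmac.compare_digest(sig, expected):
                valid += 1
        return valid

    def accept(self, msg: Message, attestations: Dict[str, bytes]) -> bool:
        # Authorship is checked here; truth is only checked to the extent each signer checked it.
        return self.valid_attestations(msg, attestations) >= self.required


def collect(verifiers: List[Verifier], msg: Message) -> Dict[str, bytes]:
    """Gather attestations from every verifier willing to sign the message."""
    out = {}
    for v in verifiers:
        sig = v.attest(msg)
        if sig is not None:
            out[v.name] = sig
    return out


def run_scenarios() -> Dict[str, bool]:
    real = Message("deposit", "0xalice", 100)          # matches the ledger
    fake = Message("deposit", "0xmallory", 10_000_000)  # never happened on the source chain

    compromised = Verifier("V1", b"constructed-key-1", honest=False)
    v2 = Verifier("V2", b"constructed-key-2")
    v3 = Verifier("V3", b"constructed-key-3")

    single = Bridge([compromised], required=1)          # single-verifier configuration
    quorum = Bridge([compromised, v2, v3], required=2)  # 2-of-3 independent verifiers

    return {
        "single_real": single.accept(real, collect([compromised], real)),
        "single_fake": single.accept(fake, collect([compromised], fake)),  # signed lie accepted
        "quorum_real": quorum.accept(real, collect([compromised, v2, v3], real)),
        "quorum_fake": quorum.accept(fake, collect([compromised, v2, v3], fake)),  # rejected
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Note that the quorum only helps if the verifiers are actually independent: two signers operated by the same party, or reading the same upstream data feed, are effectively one verifier, which is the point of Urbelis's remark that the stack is only as strong as its most centralized layer. The model also shows why the fix is configuration rather than cryptography: the signature check in `valid_attestations` passes for the fabricated deposit in every scenario; what changes is how many signers had to vouch for it.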

The fallout is not limited to Kelp. Like many DeFi systems, its assets are used across multiple platforms, meaning problems can spread.

“These assets are a chain of IOUs,” Schwed said. “And the chain is only as strong as the controls on each link.”

When one link breaks, others are affected. In this case, lending platforms like Aave, which accepted the affected assets as collateral, are now facing losses, turning a single exploit into a broader stress event.

Decentralization Marketing

The attack also reveals a gap between how decentralization is marketed and how it actually works.

“A single auditor is not decentralized,” Schwed said. “It’s a decentralized and centralized verifier.”

Urbelis puts it more broadly.

“Decentralization is not a property of a system. It is a series of choices,” he said. “And the stack is only as strong as its most centralized layer.”

In practice, this means that even systems that appear decentralized can have weaknesses, especially in less visible layers like data providers or infrastructure. Attackers are increasingly focusing on exactly these points.

This shift could explain Lazarus’s recent choice of targets.

The group has begun to focus on cross-chain and restaking infrastructure, Urbelis said: the parts of crypto that move assets between systems or allow them to be reused.

These layers are critical but complex, often located beneath more visible applications. They also tend to hold large amounts of value, making them attractive targets.

If previous waves of crypto hacks focused on exchanges or obvious code flaws, recent activity suggests a shift toward what might be called the industry’s plumbing: the systems that connect everything together but are harder to monitor and easier to misconfigure.

As Lazarus continues to adapt, the greatest risk may not lie in unknown vulnerabilities, but in known ones that are not fully addressed.

The Kelp exploit did not introduce a new type of weakness. It showed how exposed the ecosystem remains to familiar weaknesses, especially when security is treated as a recommendation rather than a requirement.

And as attackers advance faster, this gap becomes both easier to exploit and much more costly to ignore.

Read more: North Korean hackers stage massive state-sponsored heists to fund the regime’s economy and nuclear program.
