Lazarus Tied to Kelp Exploit as DeFi Sheds $13 Billion

LayerZero ties the Kelp exploit to Lazarus as Aave bleeds $8B and DeFi unwinds $13B in two days. Inside the contagion map and what it signals next.


Editorial digest April 20, 2026
Last updated: 06:31

The week opens with crypto's infrastructure — not its charts — defining the tape. A post-mortem names North Korea. A $293 million exploit is now a $13 billion unwind. Two separate breaches, at a DNS resolver and at one of the web's biggest frontend hosts, remind builders that the attack surface long ago stopped being the smart contract.

Who actually did the Kelp exploit?

LayerZero broke the silence on Sunday. In a statement reported by CoinDesk, the cross-chain messaging protocol attributed the Kelp DAO breach to North Korea's Lazarus Group and laid out the mechanics: attackers compromised two RPC nodes that the company's verifier relied on, then launched a DDoS against the rest of the set. The exploit worked, per LayerZero, only because Kelp had declined to implement the multi-verifier configuration LayerZero recommends as baseline security.
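A simplified model of the failure mode described above, as an added example that is not LayerZero's or Kelp's code. The node names, hash values, thresholds and function names are constructed, and how the real verifier chooses among its RPC nodes is an assumption; the point is the difference between trusting whoever answers, failing closed on a quorum of the configured set, and requiring agreement between independent verifiers.

```python
from collections import Counter

# Constructed sample data: what each configured RPC node reported for one
# message hash. None means the node did not answer (for example, under DDoS).
HEALTHY = {"rpc-a": "0xaaa", "rpc-b": "0xaaa", "rpc-c": "0xaaa",
           "rpc-d": "0xaaa", "rpc-e": "0xaaa"}
DEGRADED = {"rpc-a": "0xbad", "rpc-b": "0xbad",            # two nodes disagree with the chain
            "rpc-c": None, "rpc-d": None, "rpc-e": None}   # the rest are unreachable


def majority_of_responders(responses):
    """Weak policy: accept whatever most of the nodes that answered agree on."""
    answered = [v for v in responses.values() if v is not None]
    if not answered:
        return None
    return Counter(answered).most_common(1)[0][0]


def quorum_of_configured(responses, threshold):
    """Fail-closed policy: silence counts against the quorum, so taking
    nodes offline cannot lower the number of agreeing answers required."""
    answered = [v for v in responses.values() if v is not None]
    if not answered:
        return None
    value, votes = Counter(answered).most_common(1)[0]
    return value if votes >= threshold else None


def multi_verifier(attestations, required):
    """Accept only if every required verifier independently attests the
    same non-empty value; one missing or dissenting verifier blocks it."""
    values = {attestations.get(name) for name in required}
    if len(values) == 1 and None not in values:
        return values.pop()
    return None


def demo():
    single = majority_of_responders(DEGRADED)              # accepts the 2-of-5 answer
    strict = quorum_of_configured(DEGRADED, threshold=3)   # refuses: only 2 votes
    # Hypothetical second verifier reading from its own, separate node set.
    other = quorum_of_configured(HEALTHY, threshold=3)
    combined = multi_verifier({"verifier-1": single, "verifier-2": other},
                              required=["verifier-1", "verifier-2"])
    return single, strict, combined
```

`demo()` returns the value the weak policy accepted, then `None` for the fail-closed quorum and `None` for the two-verifier check, since the second verifier's answer does not match.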

That framing shifts the narrative. What looked on Friday like a protocol-design failure is being re-cast as an operational one — an integrator that skipped a control, against a state-backed adversary that has now extracted funds from roughly every major cross-chain surface over the past three years. Ledger's chief technology officer told CoinDesk that 2026 is shaping up as DeFi's "worst year in terms of hacks," a statement that is notable less for its rhetoric than for its timing: we are in April.

The attribution matters for two reasons. For DeFi teams, "Lazarus" is now a procurement checklist item. Audits, bug bounties, and even formal verification do nothing against an attacker who infiltrates your RPC providers and your on-call pager. The threat model is no longer the contract — it is the human and infrastructure envelope around the contract. For regulators, a confirmed DPRK exploit of a U.S.-connected DeFi stack is exactly the posture Treasury has been waiting for to press harder on cross-chain bridges and restaking primitives.

How big is the DeFi contagion?

The headline loss at Kelp was $292 million. The second-order loss, per CoinDesk's reporting, is closer to $13 billion — the aggregate total-value-locked bleed across DeFi lending and yield protocols in the 48 hours since the exploit. Crucially, token prices have not collapsed to match. That gap is the most interesting data point in the entire cascade. It tells you the outflows are not panic price-discovery; they are depositors sitting on intact holdings choosing to pull collateral out of systems they no longer trust to remain solvent under stress.

Aave is the clearest case. Cointelegraph reports the protocol's TVL dropped roughly $8 billion in the 24 hours following the Kelp hack, with users withdrawing "billions of dollars" from lending pools. Decrypt described a "liquidity crunch" and $6.2 billion withdrawal panic, with users struggling to exit positions at all. The AAVE token itself fell nearly 20% to $89.5 — a meaningful repricing of governance-token risk, but a rounding error next to the capital walking out the door.

The mechanism is a familiar one from 2022. When a major DeFi component takes an exogenous hit, composability becomes a liability: LSTs and LRTs posted as collateral in lending markets become suspect, lenders yank supply, rates blow out, borrowers unwind, and TVL falls faster than the tokens priced on AMMs. What is different this cycle is the scale of the restaking layer between the base protocol and the lending market. Kelp sat at precisely that junction. Every protocol that consumed its outputs now inherits the question: who else is one RPC hijack away from insolvency?

Is the infrastructure layer the new target?

Two breaches in adjacent territory deepen the unease. Cointelegraph reports that the eth.limo team's domain was hijacked via a social-engineering attack on EasyDNS. CEO Mark Jeftovic called the attack "highly sophisticated" and said an investigation is ongoing. Eth.limo is a resolver for ENS domains — a piece of plumbing that quietly sits between users typing `vitalik.eth` and the wallet interfaces that serve them. Control that resolver and you control where users land.

On the same day, CoinDesk reported a breach at Vercel, tied to a compromised AI tool, that may have exposed API keys used by application frontends. Vercel hosts a large share of the user-facing layer of web3 — the wallet connectors, trading interfaces, and dashboards that sit between a user and a contract. Crypto developers spent the weekend rotating credentials.

Read together with the Kelp post-mortem, a pattern emerges. The adversary is not targeting Solidity. They are targeting the DNS record, the RPC endpoint, the hosting provider, the AI coding assistant that holds production secrets. The 2026 threat model for DeFi looks far more like traditional enterprise security — supply chain, identity, secrets management — than like the on-chain audit cottage industry the sector has built over five years.

Why is Polymarket raising at $15 billion?

Against this backdrop, one capital story runs the other direction. Cointelegraph reports Polymarket is in talks to raise $400 million at a $15 billion valuation. The detail that matters: competitor Kalshi's last round priced it at $22 billion. Polymarket, which operates on-chain and trades on USDC, is still raising at a substantial discount to a CFTC-registered centralized competitor with a narrower event catalogue.

The arms race between the two is now a proxy for the broader question of whether prediction markets belong on a blockchain at all. Polymarket's bet is that on-chain settlement, global access, and composability are moats. Kalshi's bet is that a regulator-blessed moat beats an engineering one. A $400 million round, in a week when DeFi lending is shedding $13 billion, suggests late-stage capital still believes at least one corner of crypto has product-market fit — just not the corner that promises yield.

The wider tape

Macro has not been kind either. Bitcoin trades around $74,335 after Iran reimposed controls on the Strait of Hormuz over the weekend, per CoinDesk, a 1.6% pullback that looks almost stoic against a 5.7% jump in Brent and a 1.2% drop in European equity futures. Cointelegraph notes bitcoin briefly slipped below $74,000 on Sunday after Iran threatened retaliation over a U.S. seizure of an Iranian cargo ship. The ceasefire is holding on paper and straining in practice. The modest reaction in crypto says either the market has already repriced the geopolitical tail — or it is still too distracted by its own internal fires to notice the external ones.