Over the weekend, hackers managed to liberate more than $290 million in cryptocurrency from Kelp DAO, a protocol that helps users earn yields on their idle crypto investments. It's a classic tale of someone finding a more 'active' use for your idle assets.
By Monday, LayerZero, one of the projects caught in the crossfire, had already pinned the blame on North Korea. This heist now proudly wears the crown for the largest crypto theft of the year, narrowly edging out an earlier $285 million hack at crypto exchange Drift in April. The competition is fierce, apparently.
In a post on X, LayerZero explained the mechanics: the hackers exploited Kelp DAO via its LayerZero bridge - a tool that lets different blockchains talk to each other. They then cleverly took advantage of Kelp's own security configuration, which thoughtfully did not require multiple verifications before approving transactions. This oversight allowed the hackers to siphon off the funds with fraudulent transactions in a remarkably straightforward fashion.
LayerZero cited 'preliminary indicators' pointing to North Korea, specifically naming its crypto-targeting hacking group, TraderTraitor. In a predictable twist, Kelp DAO responded by blaming LayerZero for the theft instead. The blame game: the only multiplayer mode that's always online.
In recent years, North Korean hackers working for Kim Jong Un's regime have built a remarkably successful side hustle in crypto theft. Last year alone, they pilfered more than $2 billion. Overall, since 2017, the total amount of crypto stolen by North Korea is estimated to be around $6 billion. At this rate, they might just hack their way to a developed economy.