Following my earlier post on the control failures behind 2026’s biggest crypto exploit, here is what the post-mortem has revealed.

The attacker has been attributed; the money may never be seen again

LayerZero Labs attributes the attack to North Korea’s Lazarus Group and TraderTraitor, which was linked to the $285M Drift Protocol exploit three weeks earlier. The same group stole nearly $600M in a month. It’s a sustained, state-backed campaign targeting weaknesses in DeFi. [1, 2, 3, 5]

The attack was more sophisticated than first reported

On the initial read, it looked like a simple configuration failure. The full picture is more alarming. The attackers exploited a weak setting, poisoned the data feeds the bridge relied on to verify transactions, then knocked out the backup systems, leaving the bridge with no clean data to check against. A forged message went through unchallenged. LayerZero Labs says it warned KelpDAO (under KernelDAO) against the single-verifier setup. KelpDAO says the setup was effectively LayerZero’s own default. Both have promised formal post-mortems. Until then, the technical details remain disputed. [2, 3, 6, 7]
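To make the single-verifier point concrete, here is a small Python model of a bridge's verification policy. It is an added illustration, not LayerZero's or KelpDAO's code, and it does not claim to reproduce the disputed details of this incident. The verifier names, the policy shape (a set of required verifiers plus a threshold of optional ones), the message layout, and the scenario where one verifier's feed is poisoned and two others are knocked offline are all assumptions for the example. It shows why a policy satisfied by one attesting verifier is a single point of failure, and how a quorum configuration rejects the forged message, at the cost of failing closed when too many verifiers are down.

```python
"""Toy model of a cross-chain message verification policy.

Added illustration only: not LayerZero's or KelpDAO's code. A message is
accepted when every *required* verifier and at least `optional_threshold`
of the *optional* verifiers attest to the same message hash. Verifier names,
message layout and the attack scenario are constructed for this example.
"""
import hashlib
from dataclasses import dataclass


def message_hash(src_chain: str, nonce: int, payload: bytes) -> str:
    """Hash the receiving side recomputes from the submitted message."""
    return hashlib.sha256(f"{src_chain}:{nonce}:".encode() + payload).hexdigest()


@dataclass(frozen=True)
class VerifierConfig:
    required: frozenset          # all of these must attest
    optional: frozenset          # at least `optional_threshold` of these must attest
    optional_threshold: int


@dataclass(frozen=True)
class Attestation:
    verifier: str
    msg_hash: str                # hash of what this verifier saw on the source chain


def min_agreeing_verifiers(cfg: VerifierConfig) -> int:
    """How many verifiers must agree before a message is accepted. A value of 1
    means one poisoned feed is enough to push a forged message through."""
    return len(cfg.required) + cfg.optional_threshold


def verify(cfg: VerifierConfig, attestations, expected_hash: str) -> tuple:
    """Accept only if the configured quorum attests to `expected_hash`.
    Offline verifiers and verifiers attesting to a different hash both count as
    absent, so the check fails closed instead of guessing."""
    if min_agreeing_verifiers(cfg) < 1:
        return False, "misconfiguration: policy would accept unattested messages"
    agreeing = {a.verifier for a in attestations if a.msg_hash == expected_hash}
    missing = cfg.required - agreeing
    if missing:
        return False, f"required verifier(s) absent or disagreeing: {sorted(missing)}"
    have = len(cfg.optional & agreeing)
    if have < cfg.optional_threshold:
        return False, f"optional quorum not met: {have}/{cfg.optional_threshold}"
    return True, "verified"


# Constructed scenario: an honest message and a forged one that claims far more
# value than was ever locked. The attacker poisons verifier V1's view of the
# source chain, so V1 attests to the forged hash.
HONEST = message_hash("chainA", 42, b"mint:1000")
FORGED = message_hash("chainA", 42, b"mint:1000000000")

SINGLE_VERIFIER = VerifierConfig(frozenset({"V1"}), frozenset(), 0)
QUORUM = VerifierConfig(frozenset({"V1"}), frozenset({"V2", "V3", "V4"}), 2)


def forged_message_accepted(cfg: VerifierConfig, offline=()) -> bool:
    """Attacker submits the forged message. V1's feed is poisoned; verifiers in
    `offline` produce no attestation; every other verifier reports the truth."""
    att = [Attestation("V1", FORGED)]
    att += [Attestation(v, HONEST) for v in sorted(cfg.optional) if v not in offline]
    ok, _ = verify(cfg, att, FORGED)
    return ok


def honest_message_accepted(cfg: VerifierConfig, offline=()) -> bool:
    """A legitimate message with the same verifiers offline."""
    everyone = sorted(cfg.required | cfg.optional)
    att = [Attestation(v, HONEST) for v in everyone if v not in offline]
    ok, _ = verify(cfg, att, HONEST)
    return ok


if __name__ == "__main__":
    print("single verifier, V1 poisoned -> forged accepted:",
          forged_message_accepted(SINGLE_VERIFIER))                   # True
    print("quorum, V1 poisoned, V2+V3 knocked out -> forged accepted:",
          forged_message_accepted(QUORUM, offline={"V2", "V3"}))      # False
    print("quorum, V2+V3 knocked out -> honest accepted:",
          honest_message_accepted(QUORUM, offline={"V2", "V3"}))      # False (fails closed)
    print("quorum, all verifiers up -> honest accepted:",
          honest_message_accepted(QUORUM))                            # True
```

The useful number to audit in a real deployment is the equivalent of `min_agreeing_verifiers`: if it is 1, the bridge's integrity rests on one feed, whatever the rest of the configuration looks like. The quorum variant also makes the trade-off explicit: knocking out two of four verifiers stops legitimate traffic, which is a liveness problem, not a theft.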

Some funds have been frozen, most have not

The Arbitrum Security Council froze about $71M in ETH linked to the exploiter on the Arbitrum One chain, with law enforcement involved. Lazarus had already moved about $175M before the freeze, and Arkham Intelligence is tracking the remaining funds, which may keep shifting across chains. The Tornado Cash trail flagged by ZachXBT remains the main lead. [4, 7, 9]

The blame game has begun

LayerZero says it repeatedly warned KelpDAO against a single-verifier setup and will stop signing messages from applications configured that way. KelpDAO disputes this framing. The dispute matters legally: if warnings were given and ignored, user claims against KelpDAO get stronger. [3, 6]

Can legal action recover the funds?

The prospects are poor, for three reasons. Attribution isn’t prosecution. North Korea is a sanctioned state, which makes accountability difficult. And only $71M is frozen on Arbitrum while the rest moves through mixers and decentralised exchanges, so full recovery is unlikely without coordinated multi-chain action. Civil claims against KelpDAO, and possibly LayerZero, are complicated too: they require proof of a duty owed, a jurisdiction, and a legal framework, none of which are settled in DeFi. [4, 7, 9]

The bigger picture

Chainalysis estimates North Korean hackers have stolen $6.75B in crypto since 2022. The Lazarus Group is increasingly sophisticated, targeting the gaps between decentralisation in theory and decentralisation in practice. You can’t sanction a smart contract, extradite a wallet, or recover funds from a regime that treats crypto theft as a line in its national budget. This is a national security issue, not just a DeFi problem, and it won’t be solved by better bridge configurations alone. [5, 8, 10]

Sources:

  1. LayerZero Incident Statement
  2. CoinDesk — Largest exploit of 2026
  3. CoinDesk — LayerZero blames Kelp’s setup
  4. CoinDesk — Arbitrum freezes $71M
  5. CoinDesk — North Korea’s expanding playbook
  6. CoinDesk — KelpDAO hits back at LayerZero
  7. Bitcoin.com — Lazarus moves $175M after freeze
  8. Bitcoin.com — Chainalysis blind spot analysis
  9. BitPinas — Arbitrum Security Council action
  10. Blockhead — Lazarus Group attribution

__________

About the author

Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. With 30 years of navigating the intersection of technology, risk, and regulations, he now helps organisations cut through complexity and make better security decisions.

CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.

Disclaimer: All views expressed here are entirely mine.