BRIEF

KelpDAO’s bridge was spoofed: tricked by North Korean hacker-syndicate Lazarus into minting $292M in fake assets, nearly triggering an Aave “bank run”.


Good afternoon,

DeFi's biggest export this cycle is the word "decentralized," which is doing a remarkable amount of heavy lifting given how often a single set of keys, a single bridge, or a single anything turns out to be the thing actually holding the whole system up.

Decentralization theatre. If the excuse is always "one thing went wrong and the whole structure came down," the structure was never decentralized. It was centralized in places nobody bothered to look.

Shaking my head,
Austin Campbell

Teaching students at NYU Stern
Teaching c-suites at Zero Knowledge

ZERO IN

BACK UP
🤷‍♂️ KELPDAFUQ???

KelpDAO turns illiquid staked ETH derivatives into a liquid token, rsETH, that you can use, trade, and spend across the DeFi ecosystem.

If those words make no sense in that order, you’re not alone. Did we even need KelpDAO? Crypto attempting to make everything tradable makes many things less safe.

🤷‍♂️ CALLING FOR KELP!

KelpDAO didn’t build its own rails to move rsETH; it relied on a bridge: LayerZero.

Bridge[s] are built to move crypto between incompatible blockchains.

Bridges lock tokens on Chain A and mint a copy of it on Chain B.

Bridges promise the copies are legit, but behind the scenes, they rely on validators to prove the Chain B copies map to legit deposits on Chain A.

Austin Campbell

🤷‍♂️ AAVE? ACTUALLY?

Aave is a lending protocol and for the bulk of DeFi, Aave is seen as the lender of last resort (unless your name is Trump…keeping it in the family, using Dolomite).

BREAKDOWN
KELPTOMANIACS

On April 18, 2026, North Korea's Lazarus Group hit LayerZero with a type of hack called an RPC node attack.

RPC nodes are servers that show the bridge what the blockchain looks like. Lazarus poisoned LayerZero’s eyes and ears.

Austin Campbell

LayerZero’s RPC servers were corrupted into showing a Lazarus‑chain (a fake version of the blockchain showing a $292M ‘deposit’), allowing the attackers to mint $292M of rsETH…money that’s actually backed by nothing.
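An added example, not from this newsletter and not LayerZero's or KelpDAO's code: one common defence against a poisoned RPC view is to mint only when several independently operated providers agree on the same source-chain block and deposit. Provider names, block hashes and amounts below are constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple

class ChainView(NamedTuple):
    """What one RPC provider reports for the source-chain block being verified."""
    block_hash: str
    deposit_units: int  # amount the provider says is locked in the bridge contract

def quorum_view(views, quorum):
    """Return the ChainView reported by at least `quorum` providers, else None."""
    counts = Counter(v for v in views.values() if v is not None)
    if not counts:
        return None
    view, votes = counts.most_common(1)[0]
    return view if votes >= quorum else None

def dissenting(views, agreed):
    """Providers whose answer differs from the agreed view: an alerting signal."""
    return sorted(name for name, v in views.items() if v != agreed)

def approve_mint(requested_units, views, quorum):
    """Approve a mint only if a quorum of providers sees a covering deposit."""
    agreed = quorum_view(views, quorum)
    if agreed is None:
        return False, "no quorum among RPC providers"
    if agreed.deposit_units < requested_units:
        return False, "quorum view shows no covering deposit"
    return True, "ok"

# Constructed sample data (hypothetical provider names, hashes and amounts).
HONEST = ChainView("0xaaaa", 0)                # real chain: no deposit was made
POISONED = ChainView("0xbbbb", 292_000_000)    # fake chain showing a large deposit
SINGLE = {"rpc-a": POISONED}                   # verifier trusts one view of the chain
THREE = {"rpc-a": HONEST, "rpc-b": HONEST, "rpc-c": POISONED}

if __name__ == "__main__":
    print(approve_mint(292_000_000, SINGLE, quorum=1))  # single view: mint goes through
    print(approve_mint(292_000_000, THREE, quorum=2))   # quorum view: mint refused
    print(dissenting(THREE, quorum_view(THREE, 2)))     # which provider to investigate
```

The quorum only protects when the providers are operated independently; if enough of them share infrastructure or credentials, corrupting that shared piece defeats the check.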

Lazarus shoved the fake funds into Aave (and other lenders) as collateral for loans of real ETH before the fraud was fully discovered or understood, then walked away with the money they borrowed against their “collateral”.

KelpDAO bled, because rsETH is no longer fully backed.

BAD HOMBRES
[OCEANS K-J-1LL]

Lazarus Group, a nation-state-sponsored actor, accounted for approximately 76% of all global crypto hack losses this year. They target key management (not code) and those who control funds.

DeFi’s products present themselves as decentralized. But the existence of controller keys is one example of why that's simply not true.

David Morris

BAG HOLDERS
AAVETERMATH

By injecting $292M in "ghost" assets into the system, Lazarus destabilized $86B in interconnected DeFi protocols.

$13 billion systemic shock across the markets.

  1. After everyone realized Aave was accepting unbacked rsETH as collateral, they wanted out.

  2. Aave’s lending pools slammed into 100% utilization.

  3. Assets…became hard or impossible to withdraw.

  4. Aave’s markets got so out of control, they had to slam the brakes.

Aave had to top up the missing funds or eat the loss (paying one way or another) for fake rsETH that Lazarus used to borrow real ETH.

Are these markets actually decentralized? Should there be more controls? Should anyone be using this stuff as it is? Not easy answers (except to the last one: no). 2008 could have taught crypto lessons that would have saved them in this, instead of funding the North Korean nuclear program.

Austin Campbell

ZERO OUT

DEFI ISN’T SAFE (YET)

Devastation can’t be normalized. DeFi needs to pick a lane: centralized controls for complex systems, or vastly more simple, vastly more secure, while trying to do less.

"DeFi" but one person controls all the money? Do better.

Digital cash that can move near-instantly and can't be blocked or censored is very, very hard to keep safe if you insist on building a complex environment.

Austin Campbell

ZERO INSIDER

Taking the stage at CoinDesk’s Consensus 2026.

Photography: Shirley Yu / Sum of Parts for Zero Knowledge Group

Talking National Security with the boys.

(Left to right) Christian Thompson — Co‑Founder & President, 0verwatch; Austin Campbell — Founder & CEO, Zero Knowledge Group; Adam Zarazinski — CEO, Inca Digital; Jason Reding Quiñones — United States Attorney, U.S. DoJ; Bobby Bishop — Associate Professor, Duke Law.

Press pass at CoinDesk Consensus Miami 2026, content antics.

Did Jason Reding Quiñones make me…an honorary Fed? 😧

Dropped a sneak peek at Tornado Cash: Breaking Code The Butchering of Katy Lin, whose money was supposedly laundered through Tornado Cash … according to a tracing firm that was itself an alleged fraud.

Roman Storm's retrial on two criminal counts hits early 2027, hinging on the question that won't quit: can a software engineer be criminally charged for what third parties do with their products?
