- Hackers — likely North Korean, according to cybersecurity researchers Cyvers and LayerZero — drained nearly $300 million from Kelp DAO by exploiting a cross-chain bridge, a persistent vulnerability in the DeFi ecosystem.
- Instead of laundering the loot, the attackers deposited ~$200 million of stolen rsETH tokens as collateral on Aave and borrowed $236 million against it — sparking fears of worthless collateral flooding DeFi’s biggest lending platform.
- Aave has seen $9 billion in net outflows since Saturday, with total value locked plunging more than a third to $17.5 billion — a textbook DeFi bank run where users withdrew first and asked questions later.
- The incident follows a $280 million hack of Drift Protocol just weeks earlier, underscoring that cross-chain bridges remain one of the most dangerous attack surfaces in all of crypto.
What Happened?
Over the weekend, hackers exploited a cross-chain bridge operated by Kelp DAO — a restaking platform — and drained nearly $300 million worth of rsETH (restaked Ether). Rather than immediately laundering the proceeds through mixers or token swaps, the attackers took an unusual and destabilizing approach: they deposited roughly $200 million of the stolen tokens as collateral on Aave, DeFi’s largest lending protocol, and borrowed $236 million against it. The move seeded Aave’s collateral pool with tokens of deeply uncertain value, triggering immediate panic among depositors who could not determine whether the rsETH backing their positions was legitimate or effectively conjured out of thin air. Aave froze rsETH markets and said on-chain analysis showed Ethereum-native rsETH remained fully backed — but the reassurance came too late to stop the exodus.
Why It Matters?
This is the DeFi equivalent of a classic bank run, and it illustrates a systemic fragility baked into decentralized finance. Because there is no central intermediary to absorb losses or freeze withdrawals, uncertainty about collateral quality translates immediately into outflows. The “withdraw first, ask questions later” dynamic that crypto portfolio manager Pratik Kala described is not irrational — it’s the only rational response in a system where being last out means being left holding bad debt. The fact that hackers are now weaponizing DeFi’s composability — using stolen assets as collateral to borrow additional funds across multiple platforms — marks a sophisticated escalation in how these attacks are structured. Cross-chain bridges have been targeted repeatedly for years, and the industry has yet to solve the fundamental security challenge they represent.
What’s Next?
Kelp DAO has paused operations while it investigates the breach. The key question for Aave is whether the $9 billion in outflows stabilizes or continues — and whether frozen rsETH markets create cascading liquidation pressure on any remaining positions. The broader DeFi market will also be watching whether on-chain forensics can trace and potentially freeze the hackers’ borrowed funds before they’re laundered. If North Korean state-affiliated actors are confirmed behind the attack, as both Cyvers and LayerZero suggest, there is little realistic prospect of recovery — Pyongyang’s crypto theft operations have proven extraordinarily difficult to counter or reverse.
Source: Bloomberg









