$292 million. That’s what the KelpDAO hack drained from a single cross-chain bridge in one transaction on Friday afternoon – making it 2026’s largest DeFi exploit and one of the biggest in crypto history.
But the theft wasn’t the real story. What happened next was.
Within 48 hours, DeFi protocols hemorrhaged $13.2 billion in total value locked, cratering to $85.6 billion – a 1-year low. Aave, the sector’s dominant lending protocol, watched $8.45 billion in deposits walk out the door. And while DeFi burned, Strategy quietly filed an 8-K revealing it had spent $2.54 billion on Bitcoin during the same week. BTC ETFs absorbed another $996 million.
Two crypto markets. One melting down. The other didn’t flinch.
Key Takeaways
- North Korea’s Lazarus Group drained $292M from KelpDAO by forging a single LayerZero bridge message. The protocol’s emergency pause fired 46 minutes later – saving an estimated $200M from two follow-up drain attempts that came within three minutes of succeeding.
- Aave faces $123M-$230M in permanent bad debt after stolen rsETH was deposited as collateral and borrowed against. Aave’s previous risk team (Chaos Labs) quit 12 days before the hack, citing “fundamental disagreement on risk strategy.” Their replacement raised rsETH exposure limits nine days later.
- DeFi TVL crashed from $99.5B to $85.6B in 48 hours – its worst drop since Luna. In that same window, Strategy surpassed BlackRock as the largest single Bitcoin holder (815,061 BTC) and BTC ETFs posted their strongest week since January.

46 minutes, $292 million, one misconfigured bridge
At 17:35 UTC on Friday, April 18, an attacker called a single function on LayerZero’s EndpointV2 contract. The transaction claimed to originate from KelpDAO’s Unichain deployment, requesting the release of 116,500 rsETH – KelpDAO’s liquid restaking token that represents staked ETH deposits routed through EigenLayer – worth roughly $292 million, about 18% of the token’s total circulating supply.
No such transaction ever existed on Unichain. The entire message was fabricated off-chain.
Lazarus Group, the North Korean state hacking unit identified in LayerZero’s post-mortem, had compromised two of LayerZero’s own RPC nodes weeks earlier, replacing their software with malicious versions designed to report false data exclusively to the DVN (the decentralized verifier network that LayerZero uses to validate cross-chain messages). They then DDoS’d every clean node offline, forcing KelpDAO’s single verifier to rely on the poisoned infrastructure.
The verifier approved the forged packet. The bridge released $292 million. Done.
KelpDAO’s emergency multisig froze the protocol 46 minutes later. Two follow-up drain attempts – roughly $100 million each – reverted against the pause. Three minutes slower and another $200 million would’ve been gone.
‘LayerZero was throwing Kelp under the bus for trusting a setup LayerZero itself supported,’ said Zach Rynes, a Chainlink community ambassador. He noted that 40% of protocols on LayerZero currently run the identical single-verifier configuration that enabled this attack.
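The failure mode described above, reduced to a small model (an added example, not LayerZero's or KelpDAO's code): a single verifier that trusts whichever RPC nodes are still reachable, next to a quorum of verifiers with disjoint RPC pools that refuse to attest when too few sources respond. All names, the node list and the hash placeholders are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: what each RPC node reports as the source-chain
# packet hash for one nonce. None = node unreachable (knocked offline).
FORGED = "0xforged"    # placeholder, not a real hash
RPC_VIEW = {
    "rpc-a": FORGED,   # compromised node reporting a packet that never existed
    "rpc-b": FORGED,   # compromised node
    "rpc-c": None,     # clean node, offline
    "rpc-d": None,     # clean node, offline
    "rpc-e": None,     # clean node on a separate provider, offline
}

@dataclass
class Verifier:
    name: str
    rpcs: list          # endpoints this verifier queries
    min_reachable: int  # fail closed below this many live responses
    min_agree: int      # responses that must report the same hash

    def attest(self, claimed_hash, view=RPC_VIEW):
        answers = [view[r] for r in self.rpcs if view.get(r) is not None]
        if len(answers) < self.min_reachable:
            return False    # too few sources: refuse instead of guessing
        top_hash, votes = Counter(answers).most_common(1)[0]
        return top_hash == claimed_hash and votes >= self.min_agree

def bridge_accepts(claimed_hash, verifiers, required, view=RPC_VIEW):
    """Release funds only if `required` distinct verifiers attest."""
    return sum(v.attest(claimed_hash, view) for v in verifiers) >= required

def audit(verifiers, required):
    """Flag configurations with a single point of failure."""
    findings = []
    if required < 2:
        findings.append("single-verifier threshold")
    pools = [frozenset(v.rpcs) for v in verifiers]
    if any(a & b for i, a in enumerate(pools) for b in pools[i + 1:]):
        findings.append("verifiers share RPC endpoints")
    return findings

# Weak: one verifier that accepts whatever nodes are still reachable.
WEAK = ([Verifier("dvn-1", ["rpc-a", "rpc-b", "rpc-c", "rpc-d"], 1, 1)], 1)
# Hardened: 2-of-3 verifiers, disjoint RPC pools, every source must be live.
HARD = ([Verifier("dvn-1", ["rpc-a", "rpc-c"], 2, 2),
         Verifier("dvn-2", ["rpc-b", "rpc-d"], 2, 2),
         Verifier("dvn-3", ["rpc-e"], 1, 1)], 2)
```

With the constructed view, `bridge_accepts(FORGED, *WEAK)` passes the forged hash while `bridge_accepts(FORGED, *HARD)` rejects it, at the cost of halting legitimate traffic until clean nodes return.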

Combined with Drift Protocol’s $285M exploit on April 1 – also attributed to Lazarus – North Korea has drained $575 million from DeFi in 18 days. Two structurally different attack vectors. Same threat actor. Adapting faster than the industry can patch.
In March 2023, a hacker stole $197 million from Euler Finance. Within two weeks, the attacker returned every cent. KelpDAO’s funds are already being laundered through Thorchain and Tornado Cash – $175 million moved as of Monday morning.
Aave’s risk manager quit – the replacement raised the limits
Aave’s smart contracts weren’t compromised. Not one line of code was exploited.
The damage came through the front door.
Hours after the hack, the attacker deposited 89,567 stolen rsETH across seven Aave V3 positions on multiple chains. Against that collateral, they borrowed $190.86 million in WETH – and another $2.33 million in wstETH – before vanishing.
When rsETH lost its peg, those positions became unliquidatable. Nobody would buy unbacked restaking tokens as collateral. Permanent bad debt, stuck inside the protocol.
What caught our attention was the timing. On April 6, twelve days before the exploit, Chaos Labs – Aave’s risk management partner for three years – exited the protocol, citing ‘fundamental disagreement on risk strategy.’ Nine days later, LlamaRisk, their replacement, increased rsETH’s supply cap from 480,000 to 530,000 tokens without a comprehensive collateral risk reassessment.
Aave’s rsETH loan-to-value was set at 93%. SparkLend had the same asset at 72%. That 21-percentage-point gap is the difference between a manageable hit and a $230 million crater.
‘AAVE is the backbone of DeFi,’ said Altcoin Sherpa. ‘When AAVE has contagion risk, it shows the fragility of the entire system.’
The fallout came fast. Aave shed $8.45 billion in TVL within 48 hours – from $26.4 billion to roughly $17.9 billion. Three major lending pools hit 100% utilization, effectively trapping depositors who couldn’t withdraw. Some borrowed $300 million against their own locked deposits at steep losses just to exit – the crypto equivalent of paying a locksmith to break into your own house.
The money didn’t leave crypto – it left DeFi
$2.54 billion. That’s what Strategy spent on Bitcoin between April 13 and 19 – its largest single purchase since November 2024 and third-largest ever, funded primarily through $2.18 billion in STRC perpetual preferred share sales that barely diluted common shareholders.
The buy pushed Strategy’s total to 815,061 BTC. That’s more than BlackRock’s IBIT holds (802,823 BTC), making Saylor’s company the single largest Bitcoin holder on Earth – a milestone that would’ve seemed delusional when he made his first $250 million BTC bet in August 2020.
Saylor’s response on X: ‘Think Even ₿igger.’
And Strategy wasn’t alone. BTC spot ETFs pulled in $996 million the same week – strongest since January. On April 18, the day of the KelpDAO hack, ETFs recorded $663.9 million in single-day inflows, with BlackRock capturing $906 million of the weekly total.

BTC exchange reserves, a measure of sell-side supply sitting on trading platforms, dropped to 2,679,870 BTC – hovering near cycle lows. Binance shed 20,443 BTC ($1.56 billion) over 13 days. Someone is absorbing supply at industrial scale, and it isn’t DeFi protocols.
We’ve tracked this BTC-versus-DeFi divergence for weeks. But the KelpDAO hack crystallized something already forming: crypto is splitting into two parallel markets. One is institutional, ETF-wrapped, custodied by BNY Mellon, insured against everything but price. The other is permissionless, composable, occasionally revolutionary – and occasionally robbed by nation-states.

DeFi total value locked sits at $85.6 billion. That’s roughly 50% below October 2025’s peaks and the lowest in over a year.
The last bridge hack this big ended very differently
Euler Finance, March 2023. A hacker drained $197 million. DeFi TVL slipped about 8%, and two weeks later the attacker returned everything. Users got made whole.
KelpDAO looks nothing like that. Funds are already moving – $1.5 million bridged to Bitcoin via Thorchain, $78,000 routed through Umbra’s privacy protocol. Arbitrum’s Security Council emergency-froze $71 million (roughly 25% of the haul), but recovering the rest from a North Korean state operation is historically near-impossible.
The structural difference runs deeper than the amounts. In 2023, institutional Bitcoin products barely existed – IBIT wouldn’t launch for another 10 months. Panicked DeFi capital had nowhere to go except stablecoins. Today, BTC ETFs, corporate treasuries, and custodial staking products offer a one-click highway from DeFi risk to institutional-grade exposure.
And the traffic on that highway just hit a 2026 high.
On-chain contagion scorecard (3 of 6 stable)
✅ Arbitrum froze $71M – 25% of stolen funds secured
✅ Aave’s core smart contracts not compromised (external exploit only)
✅ BTC holding $76K despite DeFi’s worst week since Luna
❌ Aave bad debt: $123M-$230M unresolved – governance vote pending
❌ rsETH permanently depegged on L2 chains – up to 73.5% haircut for worst-case holders
⚠️ 40% of LayerZero protocols use the same 1-of-1 DVN config that enabled this hack
TokenEcho Verdict
Direction: Cautiously bearish (DeFi sector)
Key level: Aave governance vote on loss socialization – determines whether depositors eat the loss or the DAO treasury absorbs it ($181M available, potentially insufficient)
Risk factor: If a second bridge running the same 1-of-1 DVN configuration gets targeted while Aave’s governance vote is still pending, the resulting panic could push DeFi TVL below $70 billion and trigger a cascading liquidation event across interconnected lending protocols.
This is an analytical assessment, not financial advice.
What to watch in the next 72 hours
- Aave governance proposal on bad debt resolution – socialized losses versus DAO treasury absorption. If depositors take a haircut, expect another withdrawal wave.
- LayerZero’s new policy blocking 1-of-1 DVN configurations. Forty percent of integrated protocols need to migrate or risk the same exploit vector. Watch for emergency governance votes across Ethena, Stargate, and other major OFT deployers.
- Fund laundering pace – $175M already moved. If the attacker bridges to Bitcoin at scale through Thorchain, recovery odds approach zero. Arbitrum’s frozen $71M may be all that’s recovered.
‘Crypto is a harsh environment which no bank would have survived – yet we are working with that,’ said Michael Egorov, founder of Curve Finance. ‘DeFi will learn from this incident and become stronger.’
Maybe. But $996 million in Bitcoin ETF inflows the same week doesn’t suggest the market is waiting around for that lesson.
For more on the institutional BTC accumulation trend, see our analysis of Strategy’s buying spree and the DeFi TVL resilience report. For background on DeFi governance concentration risks, see our report on Aave and MakerDAO voting power.
Can DeFi’s contagion problem be solved – or does every major hack just accelerate the rotation into institutional Bitcoin?
This is not financial advice. DYOR. Data as of April 21, 2026.
Sources: CoinDesk – KelpDAO exploit, CoinDesk – Aave losses, CoinDesk – DeFi TVL, CoinDesk – Strategy $2.54B, Halborn post-mortem, Aave Governance, LayerZero post-mortem, CoinDesk – Arbitrum freeze, CoinGecko API, CryptoQuant API
