North Korea Rocks DeFi

Plus: 💻 Vercel's breach puts crypto frontends on edge

Author

David Okoya
April 20, 2026

Hi! In today’s edition:

  • 🔥 Kelp DAO lost $292M in a LayerZero bridge exploit linked to North Korean state actors

  • 💸 Aave's $6.6B TVL collapse shows how fast one bad collateral asset can torch a lending giant

  • 💻 Vercel got hacked — and every Web3 team hosting there is now rotating credentials

Today’s newsletter is brought to you by Nexo!

Unlock Exclusive Rates with Nexo

Rates, product availability, features, and applicable terms may vary based on jurisdiction, eligibility, loyalty tier, and other factors, and are subject to change at any time.

Nexo is a premier digital wealth platform offering:

  • crypto yield up to 15% (based on stated annual interest rates)

  • crypto-backed credit lines from 1.9%

  • a wide range of digital assets.

Join today and get 30-day access to exclusive rates.

North Korea Drains $292 Million From Kelp DAO in DeFi’s Biggest 2026 Hack

North Korea’s Lazarus Group likely pulled off the largest DeFi exploit of 2026 on April 18, draining 116,500 rsETH — worth roughly $292 million and about 18% of the token’s circulating supply — from Kelp DAO’s LayerZero-powered cross-chain bridge in a matter of minutes. The attack, flagged first by on-chain investigator ZachXBT, targeted the communication layer connecting Kelp’s rsETH reserves to more than 20 blockchain networks including Base, Arbitrum, and Linea.

LayerZero published a post-mortem attributing the breach to Lazarus Group’s TraderTraitor unit and explaining exactly how it worked: attackers compromised two RPC nodes used by LayerZero’s sole verifier, launched a DDoS attack to force a failover, and tricked the system into approving a fraudulent cross-chain transaction. The attack only succeeded because Kelp ran a 1-of-1 verifier configuration, LayerZero said, adding that it has explicitly warned against.

Kelp’s emergency multisig froze the protocol 46 minutes after the drain. Two follow-up attempts targeting another $100 million in rsETH were blocked. The stolen funds were moved through Tornado Cash. LayerZero says it is working with law enforcement and will no longer sign messages for any project using a single-verifier setup.

Aave Loses $6.6 Billion in TVL in Kelp DAO Hack Fallout

The Kelp exploit didn’t stop at the bridge. The attack moved the 116,500 stolen rsETH directly into Aave V3, using it as collateral to borrow large amounts of wrapped ETH and building roughly $196 million in debt positions.

Amid bad debt concerns, Aave’s TVL fell from $26.4 billion on April 18 to roughly $20 billion by Sunday morning, according to DefiLlama. The protocol froze rsETH markets on both V3 and V4, while founder Stani Kulechov confirmed Aave’s own contracts were not compromised. Aave’s initial statement that its Umbrella safety reserve would cover the shortfall was later walked back to “explore paths to offset the deficit” — language that rattled stkAAVE holders, who could absorb residual losses.

AAVE fell 16% during the episode. SparkLend, Fluid, Lido’s earnETH product, and Compound V3 all froze or paused features tied to rsETH as the contagion spread.

Vercel Confirms Breach as Hacker Demands $2 Million Ransom

Web hosting provider Vercel disclosed a security breach on April 19 after a threat actor posting on cybercrime forum BreachForums claimed to be selling stolen data for $2 million, including access keys, source code, and internal deployment credentials. Vercel traced the intrusion to Context.ai, a third-party AI tool used by an employee, where a compromised Google Workspace connection allowed attackers to escalate access into internal environments.

The company said environment variables marked as “sensitive” are stored in a way that prevents external reading and that there is no evidence those variables were accessed. But for crypto and Web3 teams, the incident carries extra weight: Vercel hosts wallet interfaces and decentralized app dashboards for hundreds of projects. Solana-based exchange Orca said it rotated all deployment credentials as a precaution, while confirming its on-chain protocol and user funds were not affected.

Vercel has engaged incident response firms and law enforcement. The hacker claiming responsibility is suspected to be affiliated with ShinyHunters, though members of that group have denied involvement.

DON’T MISS BITS + BIPS & UNCHAINED TODAY STARTING 3:30 PM ET

Bits + Bips has two special guests: Apyx’s Parker White to discuss a new stablecoin launch and Euler’s Michael Bentley to unpack the KelpDAO hack.

Unchained follows right after with Alex Gluchowski, Haseeb Qureshi and Yuval Rooz joining to debate whether Canton qualifies as a blockchain.

Join us on X, YouTube or PumpFun.

  • 🏦 Kraken's parent Payward agreed to acquire derivatives exchange Bitnomial for up to $550 million in cash and stock, gaining all three CFTC licenses needed to operate a full-stack US crypto derivatives business. The deal values Payward at $20 billion.

  • 📊 Strategy filed a proxy proposal to shift its STRC preferred stock dividends from monthly to semi-monthly, keeping the 11.5% annual rate unchanged. Shareholders vote June 8, with the first semi-monthly payment expected July 15 if approved.

  • ⚖️ Sen. Richard Blumenthal pressed the DOJ and FinCEN for updates on compliance monitors overseeing Binance, citing reports that nearly $1.7 billion flowed to Iran-linked entities through the exchange and that internal investigators who flagged the flows were fired. Binance denies the firings were related to the Iran findings.

  • 📈 X's Cashtags drove an estimated $1 billion in global trading volume within days of launching, per Head of Product Nikita Bier. The feature lets iPhone users in the US and Canada view real-time crypto and stock data inline, with a trading integration through Wealthsimple in Canada.

  • 🤖 Sam Altman's World unveiled World ID 4.0 with integrations across Tinder, Zoom, DocuSign, and Okta, plus a new Concert Kit ticketing tool to block scalper bots. The upgrade adds account-based architecture and an open-source SDK for 18 million verified users across 160 countries.

  • 🏛️ The US government moved roughly $606,000 in bitcoin tied to the 2016 Bitfinex hack to Coinbase Prime, with on-chain data tracking 8.2 BTC from a wallet labeled "Bitfinex Hacker Seized Funds." The transfer is widely read as part of a court-mandated restitution process, not a market sale.

  • 🌐 Wrapped XRP went live on Solana via custodian Hex Trust and LayerZero, backed 1:1 by native XRP and launching with more than $100 million in initial liquidity. The integration gives XRP holders access to Solana DeFi apps including Jupiter, Phantom, and Meteora for the first time.

  • 🟡 Circle launched USDC Bridge, a native cross-chain tool using burn-and-mint to move USDC across 17 EVM-compatible blockchains without wrapped tokens or third-party routing. Circle's CCTP already handles over $500 million in daily transfers.

  • 🤖 Coinbase is testing AI agents in Slack and email, with CEO Brian Armstrong shipping two modeled after co-founder Fred Ehrsam and former CTO Balaji Srinivasan. Armstrong predicted the company will eventually have more AI agents than human employees.

  • 🇫🇷 French Finance Minister Roland Lescure called for more euro-denominated stablecoins and urged EU banks to launch tokenized deposits, backing Qivalis, a consortium of 12 European banks including ING, UniCredit, and BNP Paribas set to debut a euro-pegged stablecoin in the second half of 2026. His stance marks a notable reversal from France's prior opposition to private stablecoins.

  • 🏦 Stripe is integrating stablecoins and blockchain across its core payments stack in a bid to become the "AWS for money," said the company's head of crypto go-to-market Adrien Duchâteau at the RWA Summit in Cannes. The company, which processes nearly $2 trillion in annual payments, is using acquisitions of Bridge and Privy and its own Tempo blockchain to cut settlement times from days to near-instant.

  • 📊 Nomura and Laser Digital found that 65% of Japanese institutional investors now view crypto as a portfolio diversifier, up from 62% in 2024, in a survey of 518 investment professionals. Among those considering crypto investment, 79% have concrete plans to allocate within three years, with most targeting a 2%-5% portfolio share.

  • 💰 Polymarket is in talks to raise $400 million at a $15 billion valuation, according to The Information, as the prediction market seeks additional strategic investors beyond Intercontinental Exchange, which invested $600 million last month. The round could total $1 billion and would represent a significant step up from Polymarket's $9 billion late-2025 valuation.

  • ⛏️ Alcoa is in advanced talks to sell its idle Massena East smelter in upstate New York to bitcoin miner NYDIG, with CEO Bill Oplinger saying the deal "should be done in the middle part of this year." The 1,300-acre site has been dormant since 2014 and offers direct access to hydropower from the New York Power Authority, making it attractive for energy-intensive bitcoin mining operations.

Enter Bitcoin Capital Markets

Sponsored

Citrea, Bitcoin’s application layer, launched its mainnet. You can now access Bitcoin lending, privacy features, BTC yields, and more.

Past efforts to build a Bitcoin ecosystem were forced to sacrifice programmability or rely on heavy trust assumptions that limited adoption. Citrea marks a new beginning: an end-to-end Bitcoin ecosystem that relies solely on the Bitcoin Network as its source of truth.

You can now:

  • Borrow against your BTC in a trust-minimized way

  • Earn yield on your BTC and ctUSD (a native stablecoin for Bitcoin)

  • Use your BTC privately (currently in the closed beta; join the waitlist)