Justin Sun, founder of the Tron Network, has publicly appealed to the hackers behind a massive $293 million exploit of the Kelp DAO restaking protocol. The attack, which occurred on April 18, 2026, saw thieves drain 116,500 rsETH tokens—a liquid staking derivative for Ethereum—via a vulnerability in the protocol's LayerZero bridge configuration.
Sun took to X, urging the attackers to negotiate: "Kelp DAO hacker, how much you want? Let’s talk... With Kelp DAO’s help, of course. It’s simply not worth it to sacrifice both Aave and Kelp DAO... You can’t spend $300 million anyway." His intervention highlights the severity of the situation, as the stolen rsETH had been used as collateral on the Aave lending protocol, creating systemic risk.
The hack has triggered significant contagion within the DeFi ecosystem. Despite Aave freezing rsETH markets across its V3 and V4 deployments on Ethereum, Arbitrum, Base, Mantle, and Linea, investors have fled the platform, withdrawing nearly 25% of deposited assets. Total Value Locked (TVL) on Aave has plummeted to just over $34 billion, with reports indicating over $54 billion in assets were pulled from liquidity markets at the peak of the panic.
On-chain data reveals addresses linked to HTX, the exchange owned by Justin Sun, have historically sent hundreds of millions to Aave. A Protos report from December noted that over $1.4 billion of HTX's USDT reserves were lent on Aave.
Suspicions of an insider job are mounting. Crypto community observers point to warnings in Kelp DAO's governance forums 15 months prior, flagging the critical risk of its "single-DVN" (Decentralized Verifier Network) setup on LayerZero. The protocol, which had $1.5 billion in TVL, deployed this minimal security configuration for a bridge holding hundreds of millions, a decision now under intense scrutiny. The pattern has drawn comparisons to historical inside jobs like the 2014 BTER exchange breach.
Cross-chain messaging protocol LayerZero has attributed the attack to "a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor." However, they confirmed the incident was isolated to KelpDAO's rsETH configuration and stated there is "zero contagion to any other cross-chain assets or applications."
This exploit is the largest DeFi hack of 2026 so far, bringing the total crypto stolen from industry projects this year to $771 million, according to DefiLlama. It follows closely behind a $285 million hack of Solana's Drift Protocol in April, also linked to the Lazarus Group.
Kelp DAO has suspended all its multisig functions, deposit/withdrawal pools, oracles, and the rsETH token across mainnet and Layer-2 networks. The protocol has not issued an official update since April 18. Meanwhile, sources indicate the L1 rsETH is fully collateralized and the affected Aave market remains "completely solvent."
