LayerZero was attacked by Lazarus Group, leading to internal RPC contamination. The official statement apologized and disclosed security remediation measures.

Deep Tide TechFlow News, May 9: According to an official LayerZero tweet, LayerZero Labs has formally apologized for the security incidents and communication shortcomings of the past three weeks.

Regarding the incident, LayerZero Labs’ internal RPC was attacked by the North Korean hacking group Lazarus Group, which contaminated the data sources of its DVN (Decentralized Validation Node). At the same time, external RPC providers suffered DDoS attacks. The incident affected a single application (0.14% of all applications) and involved assets worth approximately 0.36% of LayerZero’s total assets. The LayerZero protocol itself was unaffected, and over $9 billion in assets continued to move cross-chain normally after the event.

LayerZero Labs acknowledged that it had previously allowed its DVN to be configured as a “1/1” single node for high-value transactions, which created a single-point-of-failure risk, and that it bears management oversight responsibility for this. Additionally, LayerZero disclosed that over three and a half years ago, a multisig signer mistakenly used a multisig hardware wallet for personal transactions. The signer has been removed, and the related wallets have been rotated.

As corrective measures, LayerZero Labs announced that it has ceased providing services for 1/1 DVN configurations; is migrating all default paths to 5/5 multisig, with a minimum of 3/3; has developed a second, Rust-based DVN client to achieve client diversity; has launched a dedicated multisig tool called OneSig to enhance signature security; and has rolled out a unified management platform called Console to support asset issuance configuration and anomaly detection.
