LayerZero Hit by Lazarus Group Attack, Internal RPC Compromised; Official Issues Apology and Discloses Security Remediation Measures

LayerZero’s official tweet: LayerZero Labs has formally apologized for the security incident that occurred over the past three weeks and for insufficient communication. Regarding the incident, an internal RPC of LayerZero Labs was compromised by the North Korean hacking group Lazarus Group, contaminating the data sources for its Decentralized Verifier Nodes (DVNs). Concurrently, external RPC providers also suffered DDoS attacks. This incident affected a single application—0.14% of all applications—and involved assets valued at approximately 0.36% of LayerZero’s total assets. The LayerZero protocol itself remained unaffected; over $9 billion in assets continued to flow across chains normally following the incident. LayerZero Labs acknowledged that it previously permitted its DVNs to operate under a “1/1” single-node configuration to secure high-value transactions—a setup inherently vulnerable to single-point failure. LayerZero Labs accepts managerial oversight responsibility for this decision. Additionally, LayerZero disclosed that, three and a half years ago, one of its multi-signature signers had mistakenly used a multi-sig hardware wallet for personal transactions. That signer has since been removed, and the associated wallet has been rotated. As corrective measures, LayerZero Labs announced: - It has discontinued support for “1/1” DVN configurations; - It is migrating all paths to a default 5/5 multi-signature configuration, with a minimum threshold of 3/3; - It has developed a second DVN client written in Rust to ensure client diversity.