2 hours ago
Hours aft the Arbitrum Security Council froze 30,766 ether tied to the KelpDAO exploit, the attacker moved each 75,701 ETH, astir $175 million, to the Ethereum mainnet and began bridging the funds to bitcoin.
Published: Apr 21, 2026, 6:05 AM
Key Takeaways:
- After Arbitrum froze 30,766 ETH ($71M), the KelpDAO exploiter moved 75,701 ETH ($175M) to the Ethereum mainnet.
- Peckshield confirmed the attacker is routing stolen funds to bitcoin via Thorchain, Umbra Cash, and Chainflip.
- Lazarus Group’s KelpDAO haul adds to $600M+ successful DeFi losses implicit 3 weeks arsenic TVL falls 25%.
Arbitrum Freeze Triggers Immediate Response
The KelpDAO exploiter drained astir $292 cardinal from the liquid restaking protocol’s Layerzero-powered span connected April 18, successful what has go the largest decentralized finance ( DeFi) exploit of 2026.
Earlier today, the Arbitrum Security Council executed an exigency freeze connected 30,766 ETH ($71.15 million) held by the attacker connected Arbitrum One. Dragonfly spouse Haseeb Qureshi confirmed the assembly utilized a privileged system-level transaction to forcibly claw backmost the funds, wholly bypassing the attacker’s wallet controls.
KelpDAO acknowledged the enactment arsenic well, thanking the Security Council and noting the squad had worked intimately with the assembly and ecosystem stakeholders implicit 2 days to execute the intervention.
The frost recovered astir 29% of the ether the exploiter had accumulated crossed chains pursuing the archetypal breach.
Attacker Empties Address, Routes Funds Toward Bitcoin
Following the Arbitrum freeze, the KelpDAO hacker moved each 75,701 ETH ($175 million) remaining connected Ethereum and began laundering the funds. Security steadfast Peckshield flagged the circumstantial laundering route, highlighting that the exploiter bridged stolen funds successful tiny batches to bitcoin via Thorchain, Umbra Cash, and Chainflip. These decentralized protocols enabled nonstop cross-chain plus swaps betwixt Ethereum and the Bitcoin web without a centralized intermediary.
Image source: XPeckshield besides noted that little than 0.768 ETH for gas remains successful the archetypal exploiter address, meaning the wallet has mostly cleared out.
Layerzero attributed the archetypal KelpDAO onslaught to North Korea’s Lazarus Group and its Trader Traitor subunit, citing onchain and operational tactics accordant with anterior state-sponsored campaigns. Wu Blockchain information shows the KelpDAO hack has pushed full DeFi losses supra $600 cardinal implicit the past 3 weeks, arsenic the broader ecosystem’s full worth locked fell 25% to $82.4 billion.
English (US) 