The attacker behind the KelpDAO exploit has moved stolen funds through a multi-step laundering sequence, bridging ETH off Ethereum, swapping it into USDT, and transferring the stablecoin to the Tron network. The cross-chain movement complicates recovery efforts and highlights persistent challenges in tracking stolen DeFi assets.
What Happened in the KelpDAO Attacker’s Latest Fund Movement?
On-chain intelligence firm Arkham flagged the KelpDAO hacker’s activity, reporting that the attacker transferred funds to new addresses as part of a broader effort to obscure the trail. The sequence followed a now-familiar exploit laundering pattern: bridge, swap, and hop chains.
Step 1: Bridging ETH Off Ethereum
The first confirmed action involved the attacker bridging ETH away from its origin chain. Cross-chain bridges allow users to move assets between blockchains, and attackers routinely use them to break the direct link between the exploit transaction and the destination wallet.
By moving ETH through a bridge, the attacker created a separation point that forces investigators to correlate activity across two different ledgers rather than following a single on-chain trail.
Step 2: Swapping ETH for USDT
After bridging, the attacker converted the ETH holdings into USDT. This asset conversion is a critical step in the laundering chain because it removes exposure to ETH price volatility and converts the stolen funds into a dollar-pegged stablecoin with deep liquidity across multiple networks.
USDT operates on several blockchains simultaneously, giving holders flexibility to move value wherever enforcement attention is lowest. The swap from a volatile asset into a stablecoin also suggests the attacker may be positioning for an eventual off-ramp rather than holding a speculative position.
Step 3: Moving Funds to Tron
The final confirmed step was a transfer of USDT to the Tron network. Tron has become one of the most heavily used chains for USDT transfers due to its low transaction fees and high throughput, handling a significant share of global stablecoin volume.
The research brief confirms the ETH-to-USDT-to-Tron path but does not provide the exact exploit size, specific transaction hashes, or a confirmed timeline for each step. Without those details, the precise dollar amount currently sitting in Tron wallets remains unconfirmed in this reporting.
Why Would an Attacker Bridge ETH and Convert It Into USDT?
The decision to swap from ETH into USDT follows a pattern observed in numerous DeFi exploits. Attackers generally seek to accomplish two goals after draining a protocol: reduce traceability and stabilize the value of stolen assets.
ETH, while liquid, is volatile and easily tracked on Ethereum’s transparent ledger. Converting to USDT removes the price risk and opens access to Tron’s USDT ecosystem, where transaction volumes are high enough that individual transfers can blend into normal traffic.
ETH Exposure vs. Stablecoin Flexibility
Holding stolen ETH carries the risk that its value could decline before the attacker can liquidate. It also keeps the funds on Ethereum, where analytics firms maintain the most mature monitoring infrastructure. USDT on Tron, by contrast, offers dollar-denominated stability and access to a network where tracking tooling, while improving, is less comprehensive than Ethereum’s.
This pattern does not confirm the attacker’s ultimate intent. The conversion could indicate preparation for a peer-to-peer sale, an OTC liquidation attempt, or simply a staging step before further obfuscation. The observable action is the asset swap itself; motive remains inferred from common exploit-laundering behavior.
What Does the Move to Tron Mean for Fund Tracing?
Cross-chain transfers fundamentally change the tracking workflow for blockchain investigators. When funds remain on a single chain, analysts can follow the full transaction graph from exploit to current wallet in one explorer. A bridge hop forces a handoff between monitoring systems.
The shift to Tron means that firms tracking the KelpDAO attacker now need to correlate Ethereum bridge exit transactions with Tron-side deposit addresses. Each bridge introduces a potential gap in attribution, particularly if the attacker used a bridge that pools deposits before releasing funds on the destination chain.
How Cross-Chain Transfers Complicate Monitoring
Tron’s high USDT transaction volume creates additional noise. Billions of dollars in USDT move across Tron daily, and distinguishing attacker-controlled wallets from legitimate high-volume wallets requires correlating timing, amounts, and behavioral patterns across chains.
Moving to Tron does not guarantee that the funds are unrecoverable. Tether, the issuer of USDT, has historically cooperated with law enforcement to freeze addresses holding stolen stablecoins. If investigators can identify the specific Tron addresses holding the converted USDT, a freeze request to Tether remains a viable recovery path. Similar enforcement mechanisms were relevant in cases like the large USDT movements tracked through Binance outflows.
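The timing-and-amount correlation described above can be sketched as follows. This is an added example, not code from Arkham or any tracing firm; the field names, the 30-minute window, the 1% fee tolerance, the scoring weights and every sample transfer are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    tx_id: str       # constructed placeholder, not a real transaction hash
    address: str     # constructed placeholder address
    timestamp: int   # Unix seconds
    usd_value: float # value normalised to USD so ETH and USDT legs compare

# Constructed sample data: bridge exits seen on the source chain ...
EXITS = [
    Transfer("exit-1", "src-addr-1", 1000, 250_000.0),
    Transfer("exit-2", "src-addr-1", 5000, 100_000.0),
    Transfer("exit-3", "src-addr-2", 9000, 75_000.0),
]
# ... and deposits seen on the destination chain, including unrelated noise.
DEPOSITS = [
    Transfer("dep-A", "dst-addr-A", 1300, 249_500.0),
    Transfer("dep-B", "dst-addr-B", 1500, 249_000.0),  # lookalike traffic
    Transfer("dep-C", "dst-addr-C", 5200, 99_900.0),
    Transfer("dep-D", "dst-addr-D", 9100, 60_000.0),   # amount too far off
    Transfer("dep-E", "dst-addr-E", 4000, 100_000.0),  # precedes exit-2
]

def candidate_matches(exits, deposits, max_delay_s=1800, max_fee_frac=0.01):
    """Rank destination deposits that could be the far side of each exit."""
    results = {}
    for ex in exits:
        scored = []
        for dep in deposits:
            delay = dep.timestamp - ex.timestamp
            loss = (ex.usd_value - dep.usd_value) / ex.usd_value
            # Deposit must follow the exit and lose no more than fees/slippage.
            if 0 <= delay <= max_delay_s and 0 <= loss <= max_fee_frac:
                score = 1 - 0.5 * delay / max_delay_s - 0.5 * loss / max_fee_frac
                scored.append((round(score, 3), dep))
        results[ex.tx_id] = sorted(scored, key=lambda s: s[0], reverse=True)
    return results

def classify(matches):
    """Label each exit: one candidate, several (needs more signals), or none."""
    return {tx: "no_match" if not c else "unique" if len(c) == 1 else "ambiguous"
            for tx, c in matches.items()}

if __name__ == "__main__":
    found = candidate_matches(EXITS, DEPOSITS)
    for tx, label in classify(found).items():
        print(tx, label, [(s, d.address) for s, d in found[tx]])
```

An "ambiguous" result is the noise case: timing and amount alone do not separate the lookalike deposit, so behavioural signals are needed to pick between candidates. A bridge that pools deposits before release can surface as "no_match" because the destination amounts and delays no longer track the exit.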
Why This Matters for DeFi Users and the Wider Market
The continued movement of KelpDAO attacker funds signals that the stolen assets have not been frozen or recovered. For KelpDAO users and liquidity providers, the active laundering chain means the protocol’s losses remain unrecovered.
DeFi security watchers, including on-chain investigators such as ZachXBT, who has flagged suspicious activity across the crypto ecosystem, monitor these fund flows to build attribution databases that can aid future enforcement. Each movement the attacker makes generates new data points that narrow the set of possible exit routes.
The KelpDAO incident also reinforces a broader concern in decentralized finance: once funds leave a compromised protocol, the attacker holds a structural advantage. They choose the timing, the chain, and the conversion method, while investigators must react and correlate across an expanding set of ledgers.
For protocols operating in the restaking and liquid staking sectors where KelpDAO competed, the exploit serves as a reminder that smart contract security failures carry consequences that persist long after the initial breach. The laundering phase, now visibly active, can stretch for weeks or months as attackers test different exit strategies.
FAQ About the KelpDAO Attacker’s ETH, USDT, and Tron Transfers
What exactly did the KelpDAO attacker do?
The attacker bridged stolen ETH off the Ethereum network, swapped the ETH for USDT, and then transferred the USDT to the Tron blockchain. This three-step sequence is designed to complicate fund tracing.
Why did the attacker choose USDT instead of keeping ETH?
USDT is a dollar-pegged stablecoin that eliminates price volatility risk. It also has deep liquidity on Tron, making it easier to move large amounts without significant slippage or immediate detection.
Why was Tron chosen as the destination chain?
Tron processes a large share of global USDT transfers with low fees. The high transaction volume on Tron can make it harder to isolate specific wallet activity compared to lower-traffic networks.
Can the stolen funds still be recovered?
Recovery is possible but not guaranteed. Tether has the ability to freeze USDT on any supported chain, including Tron, if law enforcement or investigators identify the attacker’s wallet addresses. However, the cross-chain movement adds complexity to the identification process.
What is confirmed versus unconfirmed in this report?
The fund movement path, from ETH through a bridge to USDT on Tron, is confirmed through on-chain tracking. The exact dollar amount, specific transaction hashes, and the attacker’s identity remain unconfirmed in the available evidence. Arkham Intelligence has published research on the attacker’s fund transfers that provides additional detail on the movement pattern.
Source: https://coincu.com/kelpdao-attacker-bridged-eth-swapped-usdt-moved-funds-tron/