- Kelp DAO attacker laundered around $80M after moving $175M in ETH earlier this week.
- Most stolen ETH was swapped into BTC through THORChain, pushing 24-hour volume to $394M.
- Arbitrum froze 30,766 ETH worth about $70.9 million tied to attacker-linked wallets.
The attacker behind the Kelp DAO exploit has laundered about $80 million in stolen funds after moving roughly $175 million worth of ETH earlier this week.
According to on-chain data, the exploiter moved 34,500 ETH after diverting funds off Ethereum on Tuesday. Most of that ETH was then swapped into Bitcoin through THORChain.
The Kelp DAO exploit drained around $290 million to $292 million through the project’s LayerZero-powered cross-chain bridge.
THORChain Volume Jumps Far Above Normal
The laundering flow pushed THORChain activity higher. THORChain’s dashboard showed $394 million in swap volume over the last 24 hours, generating around $456,000 in fees.
Daily volume is usually between $10 million and $35 million, which means recent volume ran at more than 10 times typical levels.
According to on-chain data analyst EmberCN, the attacker mainly used THORChain to convert ETH into BTC. This route has also been used in past large-scale hacks because it allows direct cross-chain swaps without a centralized operator holding funds.
THORChain said again this week that it follows a neutral model with no central controller, no admin key, and no single party able to freeze assets.
Arbitrum Freezes $70.9M in ETH
Part of the stolen funds was stopped before it could be moved. Arbitrum said its Security Council secured 30,766 ETH tied to attacker-linked addresses on Arbitrum One. The transfer was completed on April 20 at 11:26 p.m. ET. Based on market value at the time, the recovered amount was about $70.97 million.
The ETH was moved into a frozen intermediary wallet controlled through governance safeguards. Arbitrum said the exploiter can no longer access those assets, and any future movement would require governance approval coordinated with relevant parties.
The chain said the action was targeted and did not affect other users, apps, or broader network operations.
Lazarus Group Named in Early Probe
LayerZero said early analysis points to North Korea’s Lazarus Group, specifically the TraderTraitor unit. According to the company, the attackers did not break LayerZero’s core protocol.
Instead, they compromised two downstream RPC nodes used in a decentralized verifier network while launching DDoS attacks against healthy nodes, which allowed false transaction approvals during the theft.
LayerZero also said the malware used in the attack was built to delete itself afterward. The company added that Kelp DAO was using a single-verifier setup rather than the multi-verifier model LayerZero had previously recommended.
Source: https://coinedition.com/kelp-dao-hacker-launders-80m-via-thorchain-activity-spikes/