Kelp DAO Hacker Moves $175 Million in ETH as Laundering…

How Is the Attacker Moving Stolen Funds?

The attacker behind the roughly $290 million Kelp DAO exploit has begun moving large amounts of Ether across newly created blockchain addresses, indicating early-stage laundering activity. On Tuesday, wallets linked to the exploit transferred approximately 75,700 ETH, worth about $175 million, across multiple transactions.

The movements included a 25,000 ETH transfer to one new address, plus transfers totaling 50,700 ETH and a smaller 0.7 ETH transfer to another. The use of fresh addresses and fragmented transactions suggests an attempt to reduce traceability and prepare funds for further routing through decentralized protocols.

Blockchain investigator ZachXBT reported that addresses tied to the exploit had already begun interacting with privacy-focused and cross-chain infrastructure, including THORChain and Umbra. He identified three THORChain transactions totaling around $1.5 million and an additional $78,000 routed through Umbra.

What Went Wrong in the Kelp DAO Exploit?

The exploit occurred on Saturday, when an attacker drained approximately 116,500 restaked Ether (rsETH), valued between $290 million and $293 million at the time, from Kelp DAO’s LayerZero-powered bridge.

LayerZero later pointed to a structural weakness in the protocol’s configuration. According to the firm, Kelp DAO’s decentralized verifier network relied on a single verifier path for cross-chain messaging, effectively creating a single point of failure. The setup had previously been flagged as a risk.

The incident highlights ongoing vulnerabilities in cross-chain infrastructure, particularly where security models depend on limited validation paths rather than distributed verification.
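The single-verifier weakness described above can be checked for before funds are at risk. The following is an added example, not code from Kelp DAO or LayerZero: it audits a hypothetical pathway configuration and reports how many distinct verifier operators would have to be compromised for a forged message to pass. The `PathwayConfig` fields, verifier names and operator mapping are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class PathwayConfig:
    """Hypothetical model of one cross-chain pathway's verifier settings."""
    name: str
    required: list                      # verifiers that must ALL attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0         # optional verifiers that must also attest

def min_operators_to_forge(cfg, operator_of):
    """Fewest distinct operators whose compromise gets a forged message accepted."""
    owned = {operator_of[v] for v in cfg.required}
    # Optional verifiers run by an already-counted operator come for free.
    still_needed = cfg.optional_threshold - sum(
        1 for v in cfg.optional if operator_of[v] in owned)
    # Group the rest by operator; taking the largest groups first is optimal.
    groups = Counter(operator_of[v] for v in cfg.optional
                     if operator_of[v] not in owned)
    extra = 0
    for _, count in groups.most_common():
        if still_needed <= 0:
            break
        still_needed -= count
        extra += 1
    return len(owned) + extra

def audit(configs, operator_of, minimum=2):
    """Map pathway name -> quorum for every pathway below `minimum` operators."""
    found = {}
    for cfg in configs:
        quorum = min_operators_to_forge(cfg, operator_of)
        if quorum < minimum:
            found[cfg.name] = quorum
    return found

# Constructed sample data: verifier -> operating entity, and three pathways.
OPERATORS = {"ver-a": "op1", "ver-b": "op2", "ver-c": "op3", "ver-d": "op1"}
CONFIGS = [
    PathwayConfig("single-path", required=["ver-a"]),
    PathwayConfig("same-operator", ["ver-a"], ["ver-d"], 1),
    PathwayConfig("one-plus-one-of-two", ["ver-a"], ["ver-b", "ver-c"], 1),
]

if __name__ == "__main__":
    print(audit(CONFIGS, OPERATORS))
```

The second pathway lists two verifiers but is still flagged, because both are run by the same operator and so add no independent validation.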

Investor Takeaway

Single-point-of-failure designs in cross-chain systems continue to expose large pools of capital. Bridge security remains one of the most critical risks in DeFi infrastructure.

How Is the Exploit Affecting the Wider DeFi Ecosystem?

The fallout has extended beyond Kelp DAO, impacting multiple DeFi protocols. Arbitrum’s security council took emergency action to freeze 30,766 ETH linked to the exploit, transferring the funds into a controlled wallet governed by the network.

Aave was also affected, as the attacker used stolen assets as collateral to borrow funds. Initial estimates placed the exposure at around $195 million, though later assessments outlined potential bad debt ranging from $123.7 million to $230.1 million depending on recovery scenarios.

The situation triggered liquidity stress across the protocol. Aave reported that borrowing rates for USDt surged from 3% to 14%, while total value locked dropped by roughly $10 billion to $16.4 billion as users withdrew funds amid contagion concerns.

In response, Aave partially restored operations by unfreezing Wrapped Ether reserves on its Ethereum Core V3 market, though several other markets remain restricted.

Investor Takeaway

DeFi exploits can quickly cascade across lending and liquidity protocols. Collateral reuse amplifies systemic risk, especially when large positions are involved.

What Does the Laundering Pattern Indicate?

The attacker’s use of THORChain is consistent with previous large-scale exploits, where cross-chain swaps and non-custodial protocols are used to obscure fund flows. THORChain does not require traditional identity verification, making it a common route for moving illicit assets.

During the 2025 Bybit hack, a large portion of stolen Ether was converted into Bitcoin through similar mechanisms, with most of the activity routed via THORChain. While blockchain transparency allows partial tracking, the layering of transactions across chains complicates recovery efforts.

The early movement of funds in the Kelp DAO case suggests that the attacker is entering the initial phase of laundering, where speed and fragmentation are used to stay ahead of potential freezes or blacklisting actions by protocols and regulators.