TLDR
- The individual behind the Kelp DAO exploit initiated fund transfers following Arbitrum’s freeze of approximately $71 million in ETH.
- Security researchers monitored asset movements from Ethereum to Bitcoin via THORChain.
- Blockchain analytics reveal smaller transactions processed through Umbra, a privacy-focused protocol.
- Cybersecurity analysts suggest as much as $176 million may have traversed various platforms.
- The exploit resulted in approximately $292 million drained from Kelp DAO’s rsETH bridge infrastructure.
The perpetrators of the $292 million Kelp DAO attack have begun transferring stolen assets across different blockchain networks following Arbitrum’s partial fund freeze. Security experts have monitored transfers spanning Ethereum to Bitcoin alongside privacy-enhancing platforms. These movements indicate a coordinated attempt to relocate digital assets away from initial containment measures.
Fund Movements Follow Arbitrum’s Security Response
Arbitrum’s Security Council implemented a freeze affecting approximately $71 million in ETH connected to the security breach. Officials executed this measure shortly after blockchain analysts established wallet connections to the exploit. This action represented one of the initial organized responses to the attack.
Following this freeze, addresses associated with the perpetrator initiated asset transfers. Security researcher ZachXBT reported approximately $1.5 million transferred from Ethereum to Bitcoin using THORChain infrastructure. He additionally documented roughly $78,000 routed through Umbra, a privacy-oriented protocol.
PeckShield indicated the exploiter began relocating approximately $176 million through various platforms including THORChain, Umbra, Chainflip, and BitTorrent. Analytics firm Ember CN documented the attacker transferring about 75,700 ETH, worth approximately $175 million, away from Ethereum. Kelp DAO and LayerZero have yet to verify these specific transfer amounts.
Arbitrum 链把 KelpDAO 黑客在 Arbitrum 上的 ETH 给弄走,应该是惊到他了。
他开始把 Ethereum 链上的 75,700 枚 ETH ($1.75 亿) 进行洗钱转移了。目前已经有多笔小额 ETH 通过隐私支付协议 @UmbraCash 转移。
通过 Umbra 转移:https://t.co/GbGPd55YfP… https://t.co/e0RZJymzdT pic.twitter.com/Q0ZoKSS3Bo
— 余烬 (@EmberCN) April 21, 2026
Security Breach Details and Protocol Responsibility Debate
The exploit targeted Kelp DAO’s rsETH bridge infrastructure, resulting in approximately $292 million in losses. The perpetrator extracted roughly 116,500 rsETH, representing about 18% of the token’s total circulating supply. TRM Labs executive Ari Redbord explained the attacker leveraged LayerZero’s lzReceive function utilizing a fabricated message.
LayerZero subsequently attributed the security breach to North Korea’s Lazarus Group. The organization stated a singular verification pathway facilitated the attack. Kelp DAO contested this assessment, directing attention toward LayerZero’s messaging architecture design.
In response to the exploit, multiple decentralized finance protocols evaluated their rsETH exposure levels. Redbord noted that Aave, SparkLend, Fluid, and Upshift either suspended operations or initiated reviews of rsETH markets. Platform users simultaneously reduced their positions amid growing uncertainty throughout lending ecosystems.
Cross-Chain Swaps and Privacy Tools Challenge Forensic Efforts
Transactions processed through THORChain enabled the perpetrator to exchange Ethereum-based holdings for Bitcoin. These cross-chain conversions diminish straightforward traceability on Ethereum blockchain explorers. Investigators maintain ongoing efforts to track asset flows across supported networks.
Umbra-based transactions introduced additional privacy measures. This protocol enables participants to transmit assets while obscuring recipient information. Smaller-scale Umbra transfers emerged shortly following the Arbitrum freeze implementation.
PeckShield additionally documented activity involving Chainflip and BitTorrent platforms. Security analysts suggest these pathways potentially constitute components of a comprehensive money laundering approach. Investigators have yet to publish definitive confirmed totals for successfully relocated assets.
ZachXBT alongside other blockchain analysts continue publishing wallet activity linked to the security breach. Amounts channeled through privacy-enhancing platforms remain below the complete stolen balance. Nevertheless, blockchain data confirms ongoing transfers departing from Ethereum at the time of this reporting.
Get 3 Free Stock Ebooks
Discover top-performing stocks in AI, Crypto, and Technology with expert analysis.
- Top 10 AI Stocks - Leading AI companies
- Top 10 Crypto Stocks - Blockchain leaders
- Top 10 Tech Stocks - Tech giants
