TLDR
- The Kelp DAO exploiter began moving stolen funds after Arbitrum froze about $71 million in ETH.
- Blockchain investigators tracked transfers from Ethereum to Bitcoin through THORChain.
- Onchain data shows smaller amounts routed through the privacy protocol Umbra.
- Security firms estimate that up to $176 million may have moved across multiple platforms.
- The attack drained about $292 million from Kelp DAO’s rsETH bridge.
Hackers behind the $292 million Kelp DAO breach have started moving funds across chains after Arbitrum froze part of the haul. Blockchain investigators tracked transfers from Ethereum to Bitcoin and privacy tools. The activity signals an effort to move assets beyond the reach of earlier containment actions.
Arbitrum Freeze Prompts Cross-Chain Transfers
Arbitrum’s Security Council froze about $71 million in ETH tied to the exploit. Authorities took the step shortly after investigators linked wallets to the breach. The freeze marked one of the first direct responses following the attack.
Soon after, wallets connected to the attacker began moving funds. ZachXBT reported that about $1.5 million moved from Ethereum to Bitcoin through THORChain. He also said roughly $78,000 moved through privacy protocol Umbra.
PeckShield stated that the exploiter started shifting around $176 million through THORChain, Umbra, Chainflip, and BitTorrent. Ember CN said the attacker moved about 75,700 ETH, valued near $175 million, off Ethereum. However, Kelp DAO and LayerZero have not confirmed those transfer totals.
Arbitrum 链把 KelpDAO 黑客在 Arbitrum 上的 ETH 给弄走,应该是惊到他了。
他开始把 Ethereum 链上的 75,700 枚 ETH ($1.75 亿) 进行洗钱转移了。目前已经有多笔小额 ETH 通过隐私支付协议 @UmbraCash 转移。
黑客地址:https://t.co/JL42eBEIe9
通过 Umbra 转移:https://t.co/GbGPd55YfP… https://t.co/e0RZJymzdT pic.twitter.com/Q0ZoKSS3Bo
— 余烬 (@EmberCN) April 21, 2026
Kelp DAO Exploit and Bridge Dispute
The breach targeted Kelp DAO’s rsETH bridge and drained about $292 million. The attacker removed roughly 116,500 rsETH, or about 18% of circulating supply. Ari Redbord of TRM Labs said the attacker called LayerZero’s lzReceive function using a forged message.
LayerZero later linked the exploit to North Korea’s Lazarus Group. The company said a single verification path enabled the breach. Kelp DAO disputed that view and pointed to LayerZero’s messaging design.
Following the exploit, several DeFi platforms reassessed their exposure to rsETH. Redbord said Aave, SparkLend, Fluid, and Upshift paused or reviewed rsETH markets. Users also reduced positions as uncertainty spread across lending platforms.
Bitcoin and Privacy Protocols Complicate Tracking
Transfers through THORChain allowed the attacker to convert Ethereum-based assets into Bitcoin. Cross-chain swaps reduce direct visibility on Ethereum explorers. Investigators continue to trace flows across supported networks.
Umbra transactions added another layer of privacy. The protocol allows users to send assets with shielded recipient details. Smaller transfers through Umbra appeared soon after the Arbitrum freeze.
PeckShield also observed activity involving Chainflip and BitTorrent. Analysts said these routes may form part of a broader laundering strategy. Investigators have not released a final confirmed total for assets already moved.
ZachXBT and other analysts continue to publish wallet movements tied to the breach. The amounts routed through privacy tools remain lower than the full stolen balance. However, onchain data shows that transfers away from Ethereum remain ongoing at the time of reporting.
