Kelp DAO attacker moves 75,700 ETH, routes funds via THORChain
About 75,700 ETH (~$175M) moved to new addresses Tuesday, with portions routed through THORChain and Umbra after a weekend drain of about 116,500 rsETH (~$290M).
Blockchain trackers identified three large transfers from the wallet linked to the Kelp DAO exploit on Tuesday, totaling roughly 75,700 Ether, about $175 million. Arkham flagged the activity and recorded a 25,000 ETH transfer to one new address and roughly 50,700.7 ETH to another. Investigator ZachXBT posted that some funds were sent through THORChain and Umbra, including three THORChain transactions totaling about $1.5 million and a separate Umbra transfer near $78,000.
The transactions follow a Saturday exploit in which an attacker drained about 116,500 restaked Ether, or rsETH, from Kelp DAO’s bridge built on LayerZero. LayerZero reported that Kelp DAO used a one-of-one decentralized verifier network, creating a single point of failure, and said it had previously advised against that configuration.
Arbitrum’s 12-member security council froze 30,766 ETH linked to the exploit and moved those funds into an intermediary frozen wallet that can be accessed only through Arbitrum governance. The attacker also used some stolen Ether as collateral on the Aave lending protocol, affecting liquidity across decentralized finance platforms.
Aave provided an initial estimate of potential exposure near $195 million and later outlined two possible bad-debt outcomes: about $123.7 million in one scenario and roughly $230.1 million in another. On Tuesday Aave reopened Wrapped Ether reserves on its Ethereum Core V3 market, allowing users to supply WETH there again while WETH reserves on Arbitrum, Base, Mantle, Linea and Ethereum Prime remained frozen.
Market effects included a rise in USDT borrowing rates on Aave from roughly 3% to about 14%, reported CryptoQuant researcher Julio Moreno, and large outflows that reduced Aave’s total value locked by about $10 billion to $16.4 billion.
THORChain and Umbra operate as non-custodial protocols and do not require traditional know-your-customer checks, a feature that can complicate tracing and recovery. In a 2025 exchange breach, attackers converted about 83% of stolen Ether into Bitcoin and routed roughly 72% through THORChain, with about 77% of the funds remaining traceable, according to Bybit CEO Ben Zhou.
Protocol teams and on-chain investigators are tracking the new transfers and the recipient addresses. LayerZero, Arbitrum and Aave have each issued statements or taken actions related to verifier configurations, asset freezes and market access as tracing and remediation continue.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
