KelpDAO Hacker Moves 75,701 ETH to Mainnet, Routes $175M to BTC
After Arbitrum froze 30,766 ETH, the KelpDAO attacker moved 75,701 ETH to Ethereum mainnet and started routing about $175 million into bitcoin via Thorchain, Umbra Cash and Chainflip.
Hours after the Arbitrum Security Council froze 30,766 ETH tied to the KelpDAO breach, the attacker moved 75,701 ETH to the Ethereum mainnet and began converting roughly $175 million of the funds into bitcoin using decentralized bridges and mixers.
On April 18 the attacker drained about $292 million from KelpDAO’s Layerzero-powered bridge. Early on April 21 the Arbitrum Security Council executed an emergency freeze on 30,766 ETH held on Arbitrum One, recovering roughly $71 million and about 29% of the ether the exploiter had accumulated across chains.
Dragonfly partner Haseeb Qureshi described the council’s action as a privileged system-level transaction that forcibly clawed back the funds and bypassed the attacker’s wallet controls. KelpDAO acknowledged the intervention and said it had worked with the council and ecosystem stakeholders over two days to carry out the freeze.
Following the freeze, the attacker emptied the Arbitrum address and moved 75,701 ETH to the Ethereum mainnet. Security firm Peckshield reported the exploiter began laundering the assets in small batches, bridging them to bitcoin via Thorchain, Umbra Cash and Chainflip. Onchain records show the original exploiter address now holds less than 0.768 ETH, suggesting it has been largely cleared for gas fees.
Layerzero attributed the original attack to North Korea’s Lazarus Group and its Trader Traitor subunit, citing onchain and operational patterns consistent with prior state-sponsored campaigns. Blockchain investigators and security teams are tracking the flow of funds across multiple networks and alerting infrastructure providers when assets touch on-ramps or custodial services.
Data compiled on recent losses shows total DeFi thefts exceeded $600 million over the past three weeks while the sector’s total value locked fell about 25% to $82.4 billion. Arbitrum’s freeze recovered an estimated $71 million of the stolen ether on Arbitrum One; the remaining funds shifted to Ethereum and then toward bitcoin, where recovery depends on tracing transactions and any interaction with centralized services.
Investigations are ongoing. KelpDAO and multiple security teams remain engaged in efforts to track the stolen assets and pursue recovery where possible.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
