Kelp Exploiter Launders $175M in Stolen Funds via THORChain, Umbra

Alvin Lang Apr 21, 2026 12:40

Kelp DAO exploiter begins laundering $175M in ETH post $290M hack using decentralized protocols like THORChain. Arbitrum freezes 30,766 ETH.

The hacker behind the $290 million Kelp DAO exploit has started laundering stolen funds, moving $175 million worth of Ether (ETH) across newly created blockchain addresses. Blockchain analytics platform Arkham reported that the attacker transferred 75,700 ETH on Tuesday, with 25,000 ETH sent to a fresh address and over 50,700 ETH redirected to another wallet. The activity signals a shift toward obfuscating the stolen funds through non-custodial protocols.

Blockchain investigator ZachXBT revealed that the exploiter utilized decentralized mixing services like THORChain and Umbra to process smaller portions of the funds. Three transactions totaling $1.5 million passed through THORChain, while a $78,000 transfer was executed via Umbra. These protocols lack traditional Know Your Customer (KYC) requirements, complicating asset recovery efforts.

Fallout Deepens Across DeFi

The April 18 exploit targeted Kelp DAO’s LayerZero-powered rsETH bridge, draining 116,500 restaked Ether (rsETH). The breach leveraged a vulnerability in the bridge's 1-of-1 Decentralized Verifier Network (DVN) configuration, creating a single point of failure. The attacker minted unbacked rsETH, later deployed as collateral on platforms like Aave and Compound to borrow Wrapped Ether (WETH).

The incident has left Aave grappling with significant bad debt. Initial assessments estimated the hole at $195 million, but Aave’s latest risk report suggests losses could range from $123.7 million to $230.1 million, depending on market conditions. Meanwhile, Aave unfroze Wrapped Ether reserves on its Ethereum Core V3 market on Tuesday, although other reserves across networks like Arbitrum and Base remain locked. Liquidity concerns have pushed borrowing rates for Tether (USDT) on Aave to 14%, the highest since December 2024, according to CryptoQuant’s Julio Moreno.

The exploit’s ripple effects have also impacted Arbitrum, whose security council froze 30,766 ETH ($65 million) connected to the hack. The frozen assets now reside in an intermediary wallet accessible only via governance, reflecting growing efforts among decentralized projects to mitigate further damage.

Implications for Crypto Security

This incident underscores persistent vulnerabilities in DeFi infrastructure, particularly in cross-chain protocols. Kelp DAO and LayerZero have engaged in a public blame game, with Kelp DAO alleging an infrastructure breach and LayerZero pointing to the risky bridge configuration as the root cause. The exploit also highlights the growing sophistication of laundering techniques, with parallels drawn to the 2025 Bybit hack where attackers funneled 72% of stolen funds through THORChain.

While funds tied to the Kelp DAO exploit are partially traceable, the use of decentralized protocols may render a full recovery unlikely. DeFi projects, investors, and regulators alike are now grappling with the need for stronger security measures and governance frameworks in the wake of this high-profile attack.

As the investigation unfolds, the crypto community will be watching closely for further movements of the stolen funds and any coordinated recovery efforts. For now, the $290 million exploit stands as one of the largest in DeFi history, with far-reaching consequences for the broader ecosystem.

• kelp dao
• defi
• ethereum
• aave
• thorchain