KelpDAO Exploiter Moves 75,701 ETH to Mainnet, Begins Routing $175M to Bitcoin

Key Takeaways:

• After Arbitrum froze 30,766 ETH ($71M), the KelpDAO exploiter moved 75,701 ETH ($175M) to the Ethereum mainnet.
• Peckshield confirmed the attacker is routing stolen funds to bitcoin via Thorchain, Umbra Cash, and Chainflip.
• Lazarus Group’s KelpDAO haul adds to $600M+ in DeFi losses over three weeks as TVL falls 25%.

Arbitrum Freeze Triggers Immediate Response

The KelpDAO exploiter drained approximately $292 million from the liquid restaking protocol’s Layerzero-powered bridge on April 18, in what has become the largest decentralized finance ( DeFi) exploit of 2026.

Earlier today, the Arbitrum Security Council executed an emergency freeze on 30,766 ETH ($71.15 million) held by the attacker on Arbitrum One. Dragonfly partner Haseeb Qureshi confirmed the council used a privileged system-level transaction to forcibly claw back the funds, completely bypassing the attacker’s wallet controls.

KelpDAO acknowledged the action as well, thanking the Security Council and noting the team had worked closely with the council and ecosystem stakeholders over two days to execute the intervention.

The freeze recovered approximately 29% of the ether the exploiter had accumulated across chains following the original breach.

Attacker Empties Address, Routes Funds Toward Bitcoin

Following the Arbitrum freeze, the KelpDAO hacker moved all 75,701 ETH ($175 million) remaining on Ethereum and began laundering the funds. Security firm Peckshield flagged the specific laundering route, highlighting that the exploiter bridged stolen funds in small batches to bitcoin via Thorchain, Umbra Cash, and Chainflip. These decentralized protocols enabled direct cross-chain asset swaps between Ethereum and the Bitcoin network without a centralized intermediary.

Peckshield also noted that less than 0.768 ETH for gas remains in the original exploiter address, meaning the wallet has largely cleared out.

Layerzero attributed the original KelpDAO attack to North Korea’s Lazarus Group and its Trader Traitor subunit, citing onchain and operational tactics consistent with prior state-sponsored campaigns. Wu Blockchain data shows the KelpDAO hack has pushed total DeFi losses above $600 million over the past three weeks, as the broader ecosystem’s total value locked fell 25% to $82.4 billion.