.png){kind=logo}
The attacker behind the Kelp DAO exploit has laundered a large share of the stolen crypto, while the damage continues to spread across DeFi. On-chain activity showed the exploiter moved about 34,500 ETH, valued near $175 million, after the April 18 attack that drained roughly $290 million from Kelp DAO’s rsETH bridge setup. LayerZero said early evidence points to North Korea’s Lazarus Group, specifically TraderTraitor.
Most of the moved ETH was swapped into Bitcoin through THORChain, showing how quickly the attacker shifted funds across chains. THORChain’s own dashboard showed 24-hour volume at about $371 million on April 22, far above its usual range and consistent with the laundering wave tied to the exploit.
The fallout has also hit Aave, where rsETH had been used as collateral. Aave governance reports said the incident created bad-debt exposure across several markets, while DeFiLlama data showed Aave’s total value locked falling sharply from pre-hack levels.
The laundering phase became the central development after the exploit. On-chain tracking showed the attacker routed most of the stolen ETH through THORChain, using direct cross-chain swaps to convert Ether into Bitcoin. This method has drawn attention in past major hacks because it removes the need for a centralized intermediary.
THORChain’s dashboard reflected the surge in real time. The protocol showed about $371 million in 24-hour volume, a sharp increase from normal daily activity. Reports tied the spike directly to exploit-linked flows moving through the network.
THORChain has maintained that its network operates without a central controller or a single party able to freeze funds. That structure has kept the protocol in focus again as investigators trace exploit-related transactions across multiple addresses and routes.
On-chain reports also showed attackers using LayerZero to move part of the stolen funds, including one $500,000 transfer flagged by blockchain analysts.
Arbitrum took emergency action against part of the stolen funds. The network’s Security Council froze 30,766 ETH linked to the exploiter on Arbitrum One, cutting off access to assets valued at approximately $71 million at the time.
Arbitrum said it moved the ETH into a frozen intermediary wallet under governance safeguards. The network added that the action targeted attacker-linked assets only and did not affect other users, apps, or broader operations.
LayerZero also said the attackers did not exploit its core protocol. Instead, the company said they compromised downstream RPC nodes used by the LayerZero Labs DVN and pressured healthy nodes with DDoS attacks, enabling false approvals during the theft. LayerZero added that Kelp DAO had used a single-verifier setup rather than the multi-verifier model it had recommended.
The exploit has left Aave facing a difficult recovery process. Aave’s incident report said 11 markets listed rsETH or wrsETH, and all 11 have now frozen the asset. The governance report estimated total bad debt at roughly $123 million to $230 million, depending on recovery and allocation outcomes.
The market reaction was immediate. DeFiLlama data showed Aave’s TVL falling from about $26.4 billion before the hack to as low as roughly $15.8 billion during the two-day fallout. That drop reflected fast withdrawals as users reassessed bridge risk and collateral quality across the protocol.
For now, the Kelp DAO exploit remains a live DeFi risk event rather than a closed incident. Investigators continue tracking the laundering trail. Arbitrum still holds a frozen portion of the funds, and Aave governance must decide how to absorb losses if recovery falls short.
Also Read: Ethereum (ETH) Long-Term Price Prediction 2026–2040 Explained
