- Arbitrum froze 30,766 ETH earlier than freezing.
- The attacker moved 75,701 ETH and commenced transferring funds to Bitcoin.
- Greater than $176 million was laundered by a number of parallel flows.
Arbitrum has frozen a good portion of the funds related to the KelpDAO exploit, even because the attackers try to push the remaining property out of attain.
The Arbitration and Safety Council confirmed that it had frozen 30,766 ETH value over $70 million on the time of the motion.
The funds have been tied to addresses related to the KelpDAO attackers and have been secured earlier than being bridged out of the community.
The intervention was carried out in coordination with legislation enforcement, suggesting authorities might have already got clues as to the id of the exploiters.
The Arbitrum Safety Council has taken emergency motion to freeze 30,766 ETH held in addresses on Arbitrum One associated to the KelpDAO exploit. The Safety Council acts on data from legislation enforcement businesses concerning the id of exploiters and at all times…
— Arbitrum (@arbitrum) April 21, 2026
race towards time
Blockchain researchers, together with PeckShield, had warned that attackers have been already making an attempt to make use of native bridges to maneuver funds out of Arbitrum.
Had the switch been accomplished, ETH would probably have joined a a lot bigger pool of stolen property already circulating on different chains.
By intervening at the moment, Arbitrum prevented roughly 29% of the stolen funds from getting into the laundering pipeline. Nevertheless, the remaining property weren’t so fortunate.
The KelpDAO exploit itself is estimated at roughly $290 million, making it one of many largest decentralized finance breaches of 2026.
The attackers sprang into motion shortly after the preliminary exploit, splitting the funds throughout a number of wallets and chains to scale back traceability.
Laundering strikes to Bitcoin
After the freeze, the attackers accelerated efforts to maneuver the remaining funds.
In line with the info, roughly 75,701 ETH value roughly $175 million was transferred to Ethereum mainnet.
From there, funds started shifting into Bitcoin through decentralized protocols reminiscent of THORChain, Chainflip, and Umbra Money. These protocols allow cross-chain swaps straight with out counting on a centralized alternate.
#PecShieldAlert of @KelpDAO The exploiters started laundering the stolen funds (roughly $176 million).
They began bridging small batches of funds from. #Ethereum to $BTC through @THORChain, @UmbraCash, @chainflipand @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShield Alert (@PeckShieldAlert) April 21, 2026
PeckShield analysts noticed that the attackers left solely about 0.7 ETH in some wallets, sufficient to cowl transaction charges, and funneled the remaining into new routes.
This sample displays a excessive diploma of operational self-discipline and planning.
An extra $176 million portion of the stolen funds was additionally actively transferred in parallel transactions.
The attacker seems to be working a number of streams concurrently, relatively than laundering every part in a single stream.
This phased method reduces the danger of single factors of failure and makes restoration efforts tougher.
Is the notorious North Korean Lazarus Group related to the KelpDAO exploit?
As a result of scale and coordination of the operation, legislation enforcement has linked the exploit to North Korea’s Lazarus Group, particularly a subgroup referred to as TraderTraitor.
This attribute relies on transaction patterns and laundering methods that match earlier operations related to the group.
Lazarus has a protracted historical past of focusing on crypto platforms and utilizing advanced cross-chain methods to cover stolen funds.
The usage of decentralized bridges and fast asset conversion seen within the KelpDAO story suits nicely into that sample.