- Arbitrum froze 30,766 ETH earlier than freezing.
- The attacker moved 75,701 ETH and started transferring funds to Bitcoin.
- Greater than $176 million was laundered by way of a number of parallel flows.
Arbitrum has frozen a good portion of the funds related to the KelpDAO exploit, even because the attackers try and push the remaining property out of attain.
The Arbitration and Safety Council confirmed that it had frozen 30,766 ETH value over $70 million on the time of the motion.
The funds had been tied to addresses related to the KelpDAO attackers and had been secured earlier than being bridged out of the community.
The intervention was carried out in coordination with legislation enforcement, suggesting authorities could have already got clues as to the identification of the exploiters.
The Arbitrum Safety Council has taken emergency motion to freeze 30,766 ETH held in addresses on Arbitrum One associated to the KelpDAO exploit. The Safety Council acts on info from legislation enforcement businesses relating to the identification of exploiters and all the time…
— Arbitrum (@arbitrum) April 21, 2026
race towards time
Blockchain researchers, together with PeckShield, had warned that attackers had been already making an attempt to make use of native bridges to maneuver funds out of Arbitrum.
Had the switch been accomplished, ETH would seemingly have joined a a lot bigger pool of stolen property already circulating on different chains.
By intervening at the moment, Arbitrum prevented roughly 29% of the stolen funds from coming into the laundering pipeline. Nonetheless, the remaining property weren’t so fortunate.
The KelpDAO exploit itself is estimated at roughly $290 million, making it one of many largest decentralized finance breaches of 2026.
The attackers sprang into motion shortly after the preliminary exploit, splitting the funds throughout a number of wallets and chains to cut back traceability.
Laundering strikes to Bitcoin
After the freeze, the attackers accelerated efforts to maneuver the remaining funds.
In accordance with the info, roughly 75,701 ETH value roughly $175 million was transferred to Ethereum mainnet.
From there, funds started transferring into Bitcoin through decentralized protocols equivalent to THORChain, Chainflip, and Umbra Money. These protocols allow cross-chain swaps straight with out counting on a centralized alternate.
#PecShieldAlert of @KelpDAO The exploiters started laundering the stolen funds (roughly $176 million).
They began bridging small batches of funds from. #Ethereum to $BTC through @THORChain, @UmbraCash, @chainflipand @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShield Alert (@PeckShieldAlert) April 21, 2026
PeckShield analysts noticed that the attackers left solely about 0.7 ETH in some wallets, sufficient to cowl transaction charges, and funneled the remainder into new routes.
This sample displays a excessive diploma of operational self-discipline and planning.
A further $176 million portion of the stolen funds was additionally actively transferred in parallel transactions.
The attacker seems to be operating a number of streams concurrently, fairly than laundering all the things in a single circulation.
This phased strategy reduces the chance of single factors of failure and makes restoration efforts tougher.
Is the notorious North Korean Lazarus Group related to the KelpDAO exploit?
Because of the scale and coordination of the operation, legislation enforcement has linked the exploit to North Korea’s Lazarus Group, particularly a subgroup referred to as TraderTraitor.
This attribute is predicated on transaction patterns and laundering strategies that match earlier operations related to the group.
Lazarus has an extended historical past of focusing on crypto platforms and utilizing advanced cross-chain methods to cover stolen funds.
The usage of decentralized bridges and speedy asset conversion seen within the KelpDAO story matches effectively into that sample.