- Arbitrum froze 30,766 ETH earlier than freezing.
- The attacker moved 75,701 ETH and commenced transferring funds to Bitcoin.
- Greater than $176 million was laundered by way of a number of parallel flows.
Arbitrum has frozen a good portion of the funds related to the KelpDAO exploit, even because the attackers try and push the remaining belongings out of attain.
The Arbitration and Safety Council confirmed that it had frozen 30,766 ETH value over $70 million on the time of the motion.
The funds have been tied to addresses related to the KelpDAO attackers and have been secured earlier than being bridged out of the community.
The intervention was carried out in coordination with regulation enforcement, suggesting authorities might have already got clues as to the identification of the exploiters.
The Arbitrum Safety Council has taken emergency motion to freeze 30,766 ETH held in addresses on Arbitrum One associated to the KelpDAO exploit. The Safety Council acts on data from regulation enforcement companies relating to the identification of exploiters and at all times…
— Arbitrum (@arbitrum) April 21, 2026
race in opposition to time
Blockchain researchers, together with PeckShield, had warned that attackers have been already making an attempt to make use of native bridges to maneuver funds out of Arbitrum.
Had the switch been accomplished, ETH would seemingly have joined a a lot bigger pool of stolen belongings already circulating on different chains.
By intervening at the moment, Arbitrum prevented roughly 29% of the stolen funds from getting into the laundering pipeline. Nonetheless, the remaining belongings weren’t so fortunate.
The KelpDAO exploit itself is estimated at roughly $290 million, making it one of many largest decentralized finance breaches of 2026.
The attackers sprang into motion shortly after the preliminary exploit, splitting the funds throughout a number of wallets and chains to cut back traceability.
Laundering strikes to Bitcoin
After the freeze, the attackers accelerated efforts to maneuver the remaining funds.
In keeping with the information, roughly 75,701 ETH value roughly $175 million was transferred to Ethereum mainnet.
From there, funds started transferring into Bitcoin by way of decentralized protocols comparable to THORChain, Chainflip, and Umbra Money. These protocols allow cross-chain swaps straight with out counting on a centralized change.
#PecShieldAlert of @KelpDAO The exploiters started laundering the stolen funds (roughly $176 million).
They began bridging small batches of funds from. #Ethereum to $BTC by way of @THORChain, @UmbraCash, @chainflipand @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShield Alert (@PeckShieldAlert) April 21, 2026
PeckShield analysts noticed that the attackers left solely about 0.7 ETH in some wallets, sufficient to cowl transaction charges, and funneled the remaining into new routes.
This sample displays a excessive diploma of operational self-discipline and planning.
An extra $176 million portion of the stolen funds was additionally actively transferred in parallel transactions.
The attacker seems to be operating a number of streams concurrently, quite than laundering all the things in a single move.
This phased strategy reduces the danger of single factors of failure and makes restoration efforts tougher.
Is the notorious North Korean Lazarus Group related to the KelpDAO exploit?
As a result of scale and coordination of the operation, regulation enforcement has linked the exploit to North Korea’s Lazarus Group, particularly a subgroup generally known as TraderTraitor.
This attribute relies on transaction patterns and laundering strategies that match earlier operations related to the group.
Lazarus has an extended historical past of concentrating on crypto platforms and utilizing complicated cross-chain methods to cover stolen funds.
Using decentralized bridges and fast asset conversion seen within the KelpDAO story suits effectively into that sample.