- Arbitrum froze 30,766 ETH earlier than freezing.
- The attacker moved 75,701 ETH and started transferring funds to Bitcoin.
- Greater than $176 million was laundered by way of a number of parallel flows.
Arbitrum has frozen a good portion of the funds related to the KelpDAO exploit, even because the attackers try to push the remaining belongings out of attain.
The Arbitration and Safety Council confirmed that it had frozen 30,766 ETH price over $70 million on the time of the motion.
The funds have been tied to addresses related to the KelpDAO attackers and have been secured earlier than being bridged out of the community.
The intervention was carried out in coordination with legislation enforcement, suggesting authorities could have already got clues as to the id of the exploiters.
The Arbitrum Safety Council has taken emergency motion to freeze 30,766 ETH held in addresses on Arbitrum One associated to the KelpDAO exploit. The Safety Council acts on data from legislation enforcement businesses relating to the id of exploiters and at all times…
— Arbitrum (@arbitrum) April 21, 2026
race in opposition to time
Blockchain researchers, together with PeckShield, had warned that attackers have been already making an attempt to make use of native bridges to maneuver funds out of Arbitrum.
Had the switch been accomplished, ETH would seemingly have joined a a lot bigger pool of stolen belongings already circulating on different chains.
By intervening at the moment, Arbitrum prevented roughly 29% of the stolen funds from getting into the laundering pipeline. Nonetheless, the remaining belongings weren’t so fortunate.
The KelpDAO exploit itself is estimated at roughly $290 million, making it one of many largest decentralized finance breaches of 2026.
The attackers sprang into motion shortly after the preliminary exploit, splitting the funds throughout a number of wallets and chains to scale back traceability.
Laundering strikes to Bitcoin
After the freeze, the attackers accelerated efforts to maneuver the remaining funds.
In response to the info, roughly 75,701 ETH price roughly $175 million was transferred to Ethereum mainnet.
From there, funds started shifting into Bitcoin through decentralized protocols corresponding to THORChain, Chainflip, and Umbra Money. These protocols allow cross-chain swaps immediately with out counting on a centralized change.
#PecShieldAlert of @KelpDAO The exploiters started laundering the stolen funds (roughly $176 million).
They began bridging small batches of funds from. #Ethereum to $BTC through @THORChain, @UmbraCash, @chainflipand @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShield Alert (@PeckShieldAlert) April 21, 2026
PeckShield analysts noticed that the attackers left solely about 0.7 ETH in some wallets, sufficient to cowl transaction charges, and funneled the remainder into new routes.
This sample displays a excessive diploma of operational self-discipline and planning.
A further $176 million portion of the stolen funds was additionally actively transferred in parallel transactions.
The attacker seems to be operating a number of streams concurrently, fairly than laundering every part in a single move.
This phased strategy reduces the chance of single factors of failure and makes restoration efforts harder.
Is the notorious North Korean Lazarus Group linked to the KelpDAO exploit?
As a result of scale and coordination of the operation, legislation enforcement has linked the exploit to North Korea’s Lazarus Group, particularly a subgroup referred to as TraderTraitor.
This attribute is predicated on transaction patterns and laundering strategies that match earlier operations related to the group.
Lazarus has an extended historical past of concentrating on crypto platforms and utilizing advanced cross-chain methods to cover stolen funds.
Using decentralized bridges and fast asset conversion seen within the KelpDAO story matches nicely into that sample.