- Arbitrum froze 30,766 ETH before it could be bridged out.
- The attacker moved 75,701 ETH and started transferring funds to Bitcoin.
- More than $176 million was laundered through several parallel flows.
Arbitrum has frozen a significant portion of the funds linked to the KelpDAO exploit, even as the attackers try to push the remaining assets out of reach.
The Arbitrum Security Council confirmed that it had frozen 30,766 ETH, worth over $70 million at the time of the action.
The funds were tied to addresses associated with the KelpDAO attackers and were secured before being bridged out of the network.
The intervention was carried out in coordination with law enforcement, suggesting authorities may already have clues as to the identity of the exploiters.
The Arbitrum Security Council has taken emergency action to freeze 30,766 ETH held in addresses on Arbitrum One related to the KelpDAO exploit. The Security Council acts on information from law enforcement agencies regarding the identity of exploiters and at all times…
— Arbitrum (@arbitrum) April 21, 2026
Race against time
Blockchain researchers, including PeckShield, had warned that attackers were already attempting to use native bridges to move funds out of Arbitrum.
Had the transfer been completed, the ETH would likely have joined a much larger pool of stolen assets already circulating on other chains.
By intervening at that moment, Arbitrum prevented roughly 29% of the stolen funds from entering the laundering pipeline. However, the remaining assets were not so fortunate.
The KelpDAO exploit itself is estimated at roughly $290 million, making it one of the largest decentralized finance breaches of 2026.
The attackers sprang into action shortly after the initial exploit, splitting the funds across multiple wallets and chains to reduce traceability.
Laundering moves to Bitcoin
After the freeze, the attackers accelerated efforts to move the remaining funds.
According to the data, roughly 75,701 ETH worth roughly $175 million was transferred to Ethereum mainnet.
From there, funds began moving into Bitcoin through decentralized protocols such as THORChain, Chainflip, and Umbra Cash. These protocols enable cross-chain swaps directly, without relying on a centralized exchange.
#PeckShieldAlert of @KelpDAO The exploiters started laundering the stolen funds (roughly $176 million).
They began bridging small batches of funds from #Ethereum to $BTC through @THORChain, @UmbraCash, @chainflip and @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShield Alert (@PeckShieldAlert) April 21, 2026
PeckShield analysts observed that the attackers left only about 0.7 ETH in some wallets, enough to cover transaction fees, and funneled the rest into new routes.
This pattern reflects a high degree of operational discipline and planning.
An additional $176 million portion of the stolen funds was also actively moved in parallel transactions.
The attacker appears to be running several streams simultaneously, rather than laundering everything in a single stream.
This phased approach reduces the risk of a single point of failure and makes recovery efforts harder.
Is the notorious North Korean Lazarus Group linked to the KelpDAO exploit?
Because of the scale and coordination of the operation, law enforcement has linked the exploit to North Korea's Lazarus Group, specifically a subgroup known as TraderTraitor.
This attribution is based on transaction patterns and laundering techniques that match previous operations associated with the group.
Lazarus has a long history of targeting crypto platforms and using complex cross-chain techniques to hide stolen funds.
The use of decentralized bridges and rapid asset conversion seen in the KelpDAO case fits well into that pattern.
