The attacker behind the roughly $290 million Kelp DAO exploit began moving tens of thousands of Ether to newly created addresses on Tuesday, appearing to start laundering the stolen funds.
Arkham flagged a wallet linked to the Kelp DAO exploit that moved about 75,700 ETH — roughly $175 million — across three transactions: 25,000 ETH to one new address, and 50,700 ETH plus 0.7 ETH to another. Blockchain investigator ZachXBT reported the attacker routed funds through THORChain and Umbra, identifying three THORChain transactions totaling about $1.5 million and a separate ~$78,000 transfer via Umbra.
The initial exploit on Saturday drained about 116,500 restaked Ether (rsETH), valued at roughly $290–$293 million, from Kelp DAO’s LayerZero-powered rsETH bridge. LayerZero said Kelp DAO’s 1/1 decentralized verifier network (DVN) configuration created a single point of failure by relying on a single verifier path for cross-chain messages and that it had previously warned against that setup.
Arbitrum’s 12-member security council moved quickly: it froze 30,766 ETH tied to the exploit and placed those funds into an “intermediary frozen wallet” accessible only through Arbitrum governance. The exploit also affected other DeFi protocols, notably Aave, where the attacker used stolen assets as collateral to borrow. Early Aave estimates put the exposure at about $195 million; a subsequent incident report outlined two potential loss scenarios of roughly $123.7 million or about $230.1 million in bad debt.
The recent transfers indicate the attacker is using noncustodial protocols that can complicate tracing and recovery. THORChain, which does not require standard Know Your Customer checks, has been used in previous large thefts: during the $1.4 billion Bybit hack in 2025, attackers converted about 83% of stolen ETH into BTC, with 72% routed through THORChain. Bybit’s CEO later said around 77% of those funds remained traceable.
Aave on Tuesday unfroze Wrapped Ether (WETH) reserves on its Ethereum Core V3 market, allowing users to supply WETH to the V3 lending protocol again; WETH markets on Ethereum Prime, Arbitrum, Base, Mantle and Linea remain frozen. Reduced liquidity pushed Aave’s borrow rate for USDT from about 3% to 14%, the highest since December 2024, and fears of contagion prompted significant outflows: Aave’s total value locked fell by roughly $10 billion to about $16.4 billion as of Tuesday, per DefiLlama.
Investigators continue to monitor on-chain movements as teams from affected protocols and blockchain analytic firms track the flow of funds and any attempts to obscure provenance.