Blockchain monitors say the attacker behind the Kelp DAO breach has begun shifting large sums of stolen Ether into newly created addresses, an apparent step toward laundering roughly $175 million in proceeds. Arkham flagged a wallet linked to the exploit that moved about 75,700 ETH across three transactions on Tuesday: 25,000 ETH to one fresh address, and 50,700 ETH plus 0.7 ETH to another.
Independent investigator ZachXBT reported the attacker also routed portions of the haul through noncustodial services, identifying three THORChain transactions totaling about $1.5 million and a separate transfer of roughly $78,000 via Umbra. Those platforms can make tracing and recovery more difficult because they do not enforce traditional KYC checks.
The transfers follow a Saturday exploit that drained roughly 116,500 restaked Ether (rsETH) — valued at about $290–$293 million — from Kelp DAO’s rsETH bridge, which runs on LayerZero. LayerZero said the DAO’s 1-of-1 decentralized verifier network (DVN) configuration created a single point of failure by relying on a single verifier path for cross-chain messages and noted it had previously warned about that setup.
Arbitrum’s 12-member security council acted quickly to limit damage, freezing 30,766 ETH tied to the exploit and moving those funds into an “intermediary frozen wallet” that can be accessed only by Arbitrum governance. The attacker also used stolen assets as collateral across other DeFi platforms, most notably Aave.
Aave’s early estimates of exposure were about $195 million. A later incident report described two possible loss outcomes: roughly $123.7 million or about $230.1 million in bad debt, depending on how positions and recoveries play out.
The use of services like THORChain has precedent in large crypto thefts: during the $1.4 billion Bybit hack in 2025, attackers converted roughly 83% of stolen ETH into BTC and routed 72% of that through THORChain, though Bybit later said about 77% of those funds remained traceable.
Operational moves by protocols have varied. On Tuesday Aave unfroze Wrapped Ether (WETH) reserves on its Ethereum Core V3 market, restoring the ability for users to supply WETH to that V3 lending pool. WETH markets on Ethereum Prime, Arbitrum, Base, Mantle and Linea, however, remain frozen. Reduced liquidity pushed Aave’s USDT borrow rate from around 3% to roughly 14% — its highest level since December 2024 — and prompted heavy outflows: Aave’s total value locked dropped by about $10 billion to roughly $16.4 billion, according to DefiLlama.
Investigators from affected projects and blockchain analytics firms continue to monitor on-chain movement closely, tracking routing through mixers and noncustodial bridges and looking for attempts to obscure the funds’ provenance. Recovery and attribution efforts remain ongoing.