Privacy-focused protocol Umbra has taken its hosted front end offline after identifying that roughly $800,000 in stolen assets moved through the service following recent high-profile breaches. The team said the hosted interface is in maintenance while it works to restore access in a way that does not hinder ongoing recovery and tracing efforts.
The move follows the large-scale exploit of the Kelp protocol, an attack that reportedly drained more than $280 million and that some observers have linked to North Korean–affiliated hackers. Reporting indicates the exploiter attempted to use services including Umbra to shift funds from Ether toward Bitcoin. U.S. authorities have sanctioned North Korean hacking groups, and multiple crypto platforms have been trying to block or freeze the movement of the stolen assets.
Umbra warned that disabling its hosted front end only reduces ease of access; it does not prevent anyone from interacting directly with Umbra’s smart contracts or from running a local or self-hosted copy of its open-source front end. The project stressed that its privacy design protects receiver identities rather than senders, and that transactions routed through its contracts can still be traced. Umbra also said it is coordinating with security researchers involved in response efforts.
Roman Storm, co-founder of Tornado Cash, cautioned that removing a hosted interface may not shield a project from legal scrutiny. Storm — who in August was convicted on charges tied to operating an unlicensed money transmitting business after arguing he lacked control over how Tornado Cash was used — said prosecutors rejected claims of noncontrol. He has argued authorities view the capacity to modify a user interface or deploy updates (including to builds on IPFS) as evidence of control over a protocol.
Umbra’s decision aims to make the service less convenient for potential abusers, but Storm’s experience suggests regulators and prosecutors may consider such steps insufficient if they conclude operators retain the ability to influence or restrict access. Umbra maintains that its architecture does not provide sender anonymity and that activity routed via its contracts remains identifiable to support recovery and enforcement efforts.