Majority of Kelp DAO exploit funds moved through THORChain

Rony Roy
23 Apr 2026, 19:22 PM

  • Attacker routed 75,700 ETH through THORChain into Bitcoin.
  • Arbitrum has frozen 30,766 ETH linked to the exploit.
  • Stolen assets were used as collateral to borrow funds on Aave.

The Kelp DAO exploiter has moved to launder nearly all stolen ETH, leaving only frozen funds within reach.

According to blockchain analyst EmberCN, the attacker has routed roughly 75,700 ETH through cross-chain liquidity protocol THORChain, converting the assets into Bitcoin and generating about $910,000 in fees for the platform. 

The attacker began moving funds earlier this week, when the funds were split across newly created wallets before being cycled through THORChain and privacy tool Umbra.

Arkham data shows the attacker’s primary wallet has now been largely emptied. 

Transaction flows point to a clear attempt to exit positions rather than hold the proceeds, with Arkham noting that the “attackers are executing an exit strategy rather than sitting on the proceeds.”

Movement through THORChain has made the trail harder to follow, reducing the likelihood of recovering the funds.

As of publication time, only a portion of the stolen assets remains contained. 

Arbitrum’s Security Council has frozen 30,766 ETH tied to the exploit and transferred it into an intermediary wallet, where it can only be accessed through governance approval. 

The network said the intervention was carried out without disrupting operations, adding that it acted “with input from law enforcement as to the exploiter’s identity” while prioritising the integrity of the ecosystem.

Laundered funds narrow recovery window

Five days earlier, the attacker had drained around 116,500 restaked Ether from Kelp DAO’s LayerZero-based bridge, an exploit valued between $290 million and $293 million at the time. 

Part of those assets was later used within Aave, where the attacker posted rsETH as collateral to borrow against the protocol.

Efforts to contain the fallout are still ongoing. 

“Our priority is our users, and every decision we are making is aimed at an orderly return to normal market conditions and the best possible outcome for everyone involved,” Aave founder Stani Kulechov said in a recent X post. 

Meanwhile, the Kelp DAO team has confirmed that work is underway toward a “suitable resolution” while focusing on safeguarding users and “strengthening the protocol.”

So far, initial containment measures have helped limit some damage. Kelp DAO paused contracts and blacklisted attacker-linked wallets, preventing an additional 40,000 rsETH, worth roughly $95 million, from being drained.

Investigations into the breach have pointed to weaknesses in the bridge’s security setup. 

Preliminary findings from LayerZero suggested that compromised RPC nodes allowed a fraudulent cross-chain message to pass verification, with criticism directed at the use of a 1-of-1 validation configuration. 

Kelp DAO has contested that claim and has argued that the setup followed default documentation and had been previously confirmed as appropriate.
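
The 1-of-1 validation concern reported above can be illustrated with a destination-side quorum check. This is an added example, not code from LayerZero, Kelp DAO or the original article; the verifier names, payloads and helper functions are hypothetical, and each verifier is assumed to report the payload hash it read through its own RPC node.

```python
import hashlib

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def accept_message(payload: bytes, attestations: dict, verifier_set: set, threshold: int) -> bool:
    """Accept a delivered cross-chain payload only if at least `threshold`
    distinct verifiers from `verifier_set` attested to its exact hash."""
    if not 1 <= threshold <= len(verifier_set):
        raise ValueError("threshold must be between 1 and the verifier count")
    want = payload_hash(payload)
    # attestations maps verifier name -> hash, so each verifier counts once
    agreeing = {v for v, h in attestations.items() if v in verifier_set and h == want}
    return len(agreeing) >= threshold

def forgery_tolerance(threshold: int) -> int:
    """Compromised verifiers the quorum survives without accepting a forgery."""
    return threshold - 1

# Constructed sample data (not taken from the incident).
GENUINE = b'{"nonce": 7, "recipient": "user-1", "amount": 10}'
FORGED = b'{"nonce": 7, "recipient": "attacker", "amount": 10000}'

# Assumption: verifier-a reads the source chain through a compromised RPC node,
# so it attests to the forged payload; the other two see the real chain state.
ATTESTATIONS = {
    "verifier-a": payload_hash(FORGED),
    "verifier-b": payload_hash(GENUINE),
    "verifier-c": payload_hash(GENUINE),
}

ONE_OF_ONE = ({"verifier-a"}, 1)
TWO_OF_THREE = ({"verifier-a", "verifier-b", "verifier-c"}, 2)

if __name__ == "__main__":
    for label, (verifiers, threshold) in (("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)):
        print(label,
              "forged accepted:", accept_message(FORGED, ATTESTATIONS, verifiers, threshold),
              "| genuine accepted:", accept_message(GENUINE, ATTESTATIONS, verifiers, threshold),
              "| tolerated compromises:", forgery_tolerance(threshold))
```

With a single verifier, one poisoned data source decides both what is accepted and what is rejected; with 2-of-3, the same compromise is outvoted.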