KelpDAO Exploiter Moves 75,700 ETH to New Wallets Minutes After Arbitrum Freezes Stolen Funds

by Team Crafmin

The KelpDAO exploit has rapidly evolved into one of the most complex and closely watched DeFi incidents of 2026. What began as a targeted bridge attack has now escalated into an active laundering operation, with tens of thousands of ETH moving across newly created wallets and privacy protocols. Despite swift intervention from Arbitrum’s Security Council, a significant portion of the stolen funds remains in motion, raising fresh concerns over cross-chain security, governance response, and the broader resilience of decentralized finance systems. 

The KelpDAO Exploit: How It Started

On April 18, 2026, KelpDAO suffered a catastrophic security breach. Attackers drained approximately $292 million from the protocol’s LayerZero-powered bridge. The exploit targeted KelpDAO’s rsETH liquid restaking token, siphoning roughly 116,500 rsETH — about 18.5% of the total circulating supply.

The method was precise. Attackers first seized two key bridge verifier servers. They then knocked the remaining servers offline with a distributed denial-of-service (DDoS) attack. With only the compromised servers running, LayerZero approved fraudulent transactions without detecting the manipulation.

The event immediately became the largest DeFi hack of 2026, overtaking the $285 million Drift Protocol exploit that occurred just weeks earlier.

Arbitrum Security Council Freezes 30,766 ETH

Arbitrum’s Security Council moved quickly after the breach. On April 20, the council identified the exploiter’s wallet on Arbitrum One. It then transferred 30,766 ETH, worth approximately $71 million, to a protocol-controlled address before the attacker could bridge the funds back to Ethereum mainnet.

Arbitrum confirmed the action on X, stating the council acted with input from law enforcement regarding the exploiter’s identity. The freeze executed without disrupting any user activity or network applications.

The frozen funds now sit in an intermediary wallet. Any further movement requires a full Arbitrum DAO governance vote. Arbitrum widely suspects the North Korean Lazarus Group as the attacker behind the exploit.

PeckShieldAlert Flags 75,700 ETH Moving to Two New Addresses

Minutes after Arbitrum announced the freeze, on-chain security firm PeckShieldAlert raised a critical alert on X:

On-chain data confirmed the transfers split into two parts. Around 25,000 ETH ($57.93 million) moved to address 0xF980…15910. The remaining 50,700 ETH ($117.48 million) went to address 0xABc8…36FAD.

On-chain trackers labeled the source wallet as “Kelp DAO Exploiter 1.” Both destination wallets were newly created, with no prior transaction history, a common tactic to hinder tracing.
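The pattern described above (a labeled wallet sending large amounts to addresses with no prior history) can be turned into a simple monitoring rule. The sketch below is an added example, not code from PeckShield or any firm named in the article; it goes one step further by also watching each flagged recipient for its next hop. All addresses are constructed placeholders, and the 1,000 ETH threshold and the "not seen earlier in this stream" test for a new wallet are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    eth: Decimal


# Constructed sample stream. Addresses are placeholders; the two large amounts
# are the ones reported in the article, everything else is made up.
SEED_WATCHLIST = {"0xSOURCE_PLACEHOLDER": "Kelp DAO Exploiter 1"}
SAMPLE_TRANSFERS = [
    Transfer(100, "0xUSER_A", "0xEXCHANGE", Decimal("3")),
    Transfer(101, "0xSOURCE_PLACEHOLDER", "0xEXCHANGE", Decimal("0.5")),
    Transfer(102, "0xSOURCE_PLACEHOLDER", "0xNEW_1", Decimal("25000")),
    Transfer(103, "0xSOURCE_PLACEHOLDER", "0xNEW_2", Decimal("50700")),
    Transfer(104, "0xUSER_A", "0xNEW_3", Decimal("4000")),
    Transfer(105, "0xNEW_1", "0xNEW_4", Decimal("5000")),
]


def flag_fresh_wallet_outflows(transfers, seed_watchlist, min_eth=Decimal("1000")):
    """Alert on large transfers from watched wallets to never-seen addresses.

    Each flagged recipient joins the watchlist, so the next hop is tracked too.
    Assumption: "fresh" means "not seen earlier in this stream"; a production
    monitor would check on-chain history (no prior transactions) instead.
    """
    watch = dict(seed_watchlist)
    seen = set()
    alerts = []
    for t in sorted(transfers, key=lambda t: t.block):
        if t.sender in watch and t.recipient not in seen and t.eth >= min_eth:
            alerts.append({"block": t.block, "from": watch[t.sender],
                           "to": t.recipient, "eth": t.eth})
            watch.setdefault(t.recipient, f"downstream of {watch[t.sender]}")
        seen.update((t.sender, t.recipient))
    return alerts


def total_from(alerts, label):
    """Sum the ETH in alerts whose source carries the given label."""
    return sum((a["eth"] for a in alerts if a["from"] == label), Decimal(0))


if __name__ == "__main__":
    for alert in flag_fresh_wallet_outflows(SAMPLE_TRANSFERS, SEED_WATCHLIST):
        print(alert)
```

The small transfer to an already-active address and the large transfer from an unwatched sender are both ignored, which is what keeps a rule like this from alerting on ordinary traffic.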

CertiK Alert Confirms Bitcoin Bridge via THORChain

Shortly after PeckShield’s warning, blockchain security firm CertiK Alert issued its own update, revealing the attacker had escalated their laundering operation:

THORChain is a decentralized cross-chain protocol. It allows users to swap assets between blockchains, including Ethereum and Bitcoin, without using a centralized exchange. This makes it harder for investigators to track fund flows.

On-chain investigator ZachXBT confirmed that approximately $1.5 million moved from Ethereum to Bitcoin through THORChain. A further $78,000 was routed through Umbra, a stealth address privacy protocol that uses one-time addresses to mask transaction trails.

Umbra Cash and Tornado Cash Add More Privacy Layers

The attacker used multiple privacy tools in combination. Funds passed through Tornado Cash first, then split across THORChain and Umbra. This multi-layered approach significantly complicates blockchain forensics efforts.

Security teams at Arkham Intelligence confirmed the hacker’s primary wallet still held a large ETH balance. Outflows continued routing through a secondary address tied to UmbraCash transfers, suggesting the laundering operation remains active and ongoing.

DeFi Contagion Spreads Across Lending Protocols

The fallout from the KelpDAO hack extended far beyond the protocol itself. Because rsETH served as collateral across several major lending platforms, its sudden devaluation triggered a chain reaction across DeFi markets.

Aave froze rsETH-related markets on both its v3 and v4 platforms. Aave’s total value locked dropped from roughly $26.3 billion to $20.1 billion, a loss of approximately $6.2 billion in 48 hours. SparkLend, Fluid, Compound, and Euler also paused related activities, bringing the number of affected platforms to at least nine.

Lido separately disclosed approximately $21.6 million in rsETH exposure through its EarnETH product and indicated it may deploy a $3 million loss buffer in response.

What Happens to the Frozen Funds

The 30,766 ETH frozen by Arbitrum remains in a protocol-controlled address. Arbitrum governance has not yet announced how it will handle the funds or whether affected KelpDAO users will receive compensation.

KelpDAO confirmed it is still reviewing the incident. The team said it is working with LayerZero, Aave, and other stakeholders on recovery plans. The protocol has not yet confirmed a timeline for resuming operations.

Recovery Efforts and Next Steps

Whether investigators can freeze more stolen funds depends on how quickly other Layer 2 networks act. So far, only Arbitrum has exercised emergency freeze powers. Other chains hosting rsETH derivatives have not made similar announcements.

Security teams continue to monitor the two new wallet addresses flagged by PeckShield. Any further movement could reveal the attacker’s next destination and provide law enforcement with additional tracing leads.

The KelpDAO incident now stands as the most significant DeFi security event of 2026. With over $175 million still under attacker control, recovery efforts remain urgent and unresolved.


FAQs

Q1: What happened in the KelpDAO exploit?

A: KelpDAO suffered a major security breach on April 18, 2026, where attackers stole around $292 million worth of assets, including 116,500 rsETH tokens, by compromising bridge verifier servers.

Q2: How much ETH did the attacker move after the Arbitrum freeze?

A: The exploiter moved approximately 75,700 ETH to two newly created wallet addresses shortly after Arbitrum froze a portion of the stolen funds.

Q3: How did Arbitrum respond to the exploit?

A: Arbitrum’s Security Council froze 30,766 ETH (around $71 million) by transferring it to a protocol-controlled wallet, preventing the attacker from moving those funds.

Q4: Which tools did the attacker use to launder the stolen funds?

A: The attacker used Tornado Cash, THORChain, and Umbra to obscure transaction trails and move funds across blockchains, making tracking more difficult.

Q5: What impact did the exploit have on the DeFi ecosystem?

A: The hack triggered widespread disruptions, with platforms like Aave, Compound, and Euler pausing rsETH-related activities, and billions wiped from total value locked across protocols.

Disclaimer:

This article is for informational purposes only and does not constitute financial, investment, or legal advice. Readers should conduct their own research and consult with a qualified professional before making any financial decisions. Cryptocurrency markets and DeFi protocols carry significant risk, including the potential loss of capital. The publisher, Crafmin, does not accept responsibility for any losses incurred based on the information provided. 

