Kelp DAO exploiter begins moving stolen funds across chains after Arbitrum ETH freeze
Onchain investigators said wallets tied to the Kelp DAO exploit have begun laundering funds, with stolen ETH routed from Ethereum to Bitcoin via protocols THORChain and Umbra. The laundering update lands days after Arbitrum froze about $71 million in ETH linked to the exploit.
2026-04-21 Source: theblock.co

Wallets tied to the approximately $292 million Kelp DAO exploit have begun what appears to be an attempt to launder the stolen funds after the Ethereum Layer 2 network Arbitrum froze some of the assets.

About $1.5 million was moved from Ethereum mainnet to Bitcoin through THORChain, and another roughly $78,000 routed through privacy protocol Umbra, according to blockchain investigator ZachXBT.

Notably, other onchain analysts suggested the laundering effort may already be much greater.

Blockchain security firm PeckShield said the exploiter had begun moving roughly $176 million of stolen funds through THORChain, Umbra, Chainflip, and BitTorrent. Onchain analysts Ember CN highlighted that the attacker had started shifting about 75,700 ETH, or roughly $175 million, off Ethereum after Arbitrum’s freeze, including smaller transfers routed through Umbra.

Those estimates have not been independently confirmed by Kelp DAO or LayerZero.

Kelp DAO saga continues

The update marks a new phase in one of the biggest DeFi exploits of the year.

After the emergency freezes and the blame over bridge design, the question that now matters is how much of the stolen crypto can still be tracked, frozen, or recovered.

Transfers to protocols like THORChain and Umbra arrive shortly after Arbitrum’s Security Council froze about $71 million worth of ETH linked to the attack, one of the few concrete containment wins so far in the broader Kelp DAO fallout.

The exploit itself was first disclosed over the weekend, when Kelp DAO’s rsETH bridge was hit for roughly $292 million in what quickly became the headline DeFi breach of April.

Ari Redbord, global head of policy at TRM Labs, said in a public post that the attacker drained about 116,500 rsETH, or roughly 18% of the circulating supply, after calling LayerZero’s lzReceive flow with what appeared to be a forged message.

From there, the incident widened fast.

LayerZero later said North Korea’s Lazarus Group was the likely culprit and argued the exploit was enabled by a single-point setup in the verification path, while Kelp DAO pushed blame back toward LayerZero’s messaging architecture.

The financial spillover has been just as important as the attribution fight.

In the days after the attack, DeFi protocols reeled from the knock-on risk around rsETH, with concerns surfacing over collateral quality, peg pressure, and possible bad-debt scenarios across lending markets. Redbord stated that Aave, SparkLend, Fluid, and Upshift all moved to pause or reassess rsETH-related exposure as users rushed to cut risk.

The ongoing issue makes the latest laundering activity more than a routine post-hack shuffle.

Once funds move out of the original onchain crime scene and begin crossing chains into Bitcoin rails or privacy-preserving tools, recovery tends to get materially harder.

Updates from ZachXBT and others suggest that the process is now underway.

The amounts newly identified in transfers via Umbra and other channels are still small relative to the overall haul. But they matter because they show the attackers are already testing exit paths, and not just sitting on the proceeds.

This arguably puts renewed focus on the earlier response window. The Arbitrum freeze showed that part of the stolen ETH could still be immobilized. The new THORChain and Umbra transfers show other pieces are already slipping into more difficult territory.

