Funds Frozen Before Bridging Out
Arbitrum intervened decisively by freezing 30,766 ETH linked to the KelpDAO attacker, preventing these funds from being bridged out of the network. This action secured assets valued at over $70 million at the time, tied to an address associated with the exploit. The move came after coordination with law enforcement, hinting at possible leads on the perpetrator's identity.
Despite the freeze, the attacker managed to shift 75,701 ETH, approximately $175 million, to Ethereum mainnet and began converting it into Bitcoin. Over $176 million is now being laundered through multiple parallel flows using decentralized protocols.
The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,…
A Race Against Time
Blockchain investigators like PeckShield flagged the attacker's attempts to move funds off Arbitrum via its native bridge. Completion of that transfer would have merged the ETH into a larger pool of stolen assets circulating across chains. Arbitrum's timely intervention blocked about 29% of the pilfered funds from the laundering pipeline.
The KelpDAO exploit totals around $290 million, ranking among 2026's largest DeFi breaches. Post-exploit, the attacker split funds across wallets and chains to obscure traces, demonstrating calculated evasion tactics.
Laundering Accelerates Toward Bitcoin
After the freeze, the attacker ramped up transfers of the remaining funds. From Ethereum mainnet, assets flowed into Bitcoin via decentralized swaps on THORChain, Chainflip, Umbra Cash, and similar protocols, bypassing centralized exchanges.
PeckShield noted the attacker drained wallets to minimal balances for fees only, showcasing operational precision. Another $176 million slice moves in concurrent transactions, employing staggered streams to mitigate single-point risks and complicate recovery.
#PeckShieldAlert The @KelpDAO exploiter has begun laundering stolen funds (~$176M). They have started bridging small batches of funds from #Ethereum to $BTC via @THORChain, @UmbraCash, @chainflip, and @BitTorrent.
Links to North Korea's Lazarus Group
The operation's scale and sophistication point to North Korea's Lazarus Group, particularly the TraderTraitor subgroup. Matching transaction patterns and laundering methods align with their prior crypto attacks.
Lazarus routinely targets crypto platforms with intricate cross-chain obfuscation. The rapid decentralized bridge usage and asset swaps in KelpDAO mirror their established playbook, fueling suspicions of state-sponsored involvement.
