Kelp DAO Hack Funds Move After Arbitrum Freeze

Roughly $176 million linked to the Kelp DAO exploit is now in motion across chains. The shift marks a critical transition from containment efforts to potential laundering, complicating recovery prospects.

Blockchain investigators report early transfers include $1.5 million bridged from Ethereum to Bitcoin via THORChain and about $78,000 routed through Umbra. Arbitrum’s Security Council had previously frozen approximately $71 million in ether (ETH), limiting part of the attacker’s access.

Investigations by ZachXBT
Update: DPRK began laundering $1.5M from the $290M KelpDAO/LZ exploit from Ethereum mainnet to Bitcoin via Thorchain and another $78K via Umbra.

Thorchain transactions:
0x99e09424a28873145f0f4d2ad2cedaebe788df5fab25ba87a06057c457ac31ef
0x171b08024347b5cb7399761b1d6836649f9cbfaf8e94bcbb42625874db5dc206
0x2909e93741e9fe32286dafc8769be5089de0bad4cfcc9ad4b715124f50307171

Umbra transactions:
0xa2a6cc54afd2dd487ea052cd712ed0e1889f2886d857d46c266014173caa7509

Can Cross-Chain Laundering Evade Recovery Efforts?

Security firm PeckShield estimates that as much as $176 million has begun moving through protocols including THORChain, Umbra, Chainflip, and BitTorrent. Onchain analyst Ember CN separately identified transfers of around 75,700 ETH, or roughly $175 million, leaving Ethereum following the freeze.

The exploit, disclosed over the weekend, drained about $292 million from Kelp DAO’s rsETH bridge, making it one of April’s largest decentralized finance (DeFi) breaches. Ari Redbord, global head of policy at TRM Labs, said the attacker extracted approximately 116,500 rsETH, or 18% of supply, using what appeared to be a forged LayerZero message.

Attribution remains contested between Kelp DAO and LayerZero, though LayerZero has pointed to North Korea’s Lazarus Group as the likely actor. Still, the immediate market impact has centered on collateral risk, with protocols such as Aave, SparkLend, Fluid, and Upshift moving to limit exposure to rsETH.

The laundering activity introduces a new phase where traceability weakens as funds pass through cross-chain bridges and privacy tools. Yet, early transfers represent a small portion of the total haul, suggesting the attacker is testing exit routes rather than executing a full-scale offload.

Attention now shifts to whether additional freezes or coordinated tracking can intercept funds before they disperse further, with the next signals likely coming from cross-chain monitoring and protocol-level intervention.
