- Arbitrum froze 30,766 ETH earlier than it might be bridged out.
- Attacker moved 75,701 ETH and started routing funds to Bitcoin.
- Over $176 million is being laundered by means of a number of parallel flows.
Arbitrum has frozen a good portion of funds linked to the KelpDAO exploit, even because the attacker strikes to push the remaining property past attain.
The Arbitrum Safety Council confirmed it froze 30,766 ETH, valued at over $70 million on the time of motion.
The funds have been tied to an handle related to the KelpDAO attacker and have been secured earlier than they might be bridged out of the community.
The intervention got here after coordination with legislation enforcement, suggesting authorities might have already got leads on the exploiter’s id.
The Arbitrum Safety Council has taken emergency motion to freeze the 30,766 ETH being held within the handle on Arbitrum One that’s related to the KelpDAO exploit. The Safety Council acted with enter from legislation enforcement as to the exploiter’s id, and, always,…
— Arbitrum (@arbitrum) April 21, 2026
A race in opposition to time
Blockchain investigators, together with PeckShield, had flagged that the attacker was already trying to maneuver the funds off Arbitrum utilizing a local bridge.
Had that switch been accomplished, the ETH would possible have joined a a lot bigger pool of stolen property already in circulation throughout different chains.
By intervening when it did, Arbitrum prevented roughly 29% of the stolen funds from coming into the laundering pipeline. Nonetheless, the remaining property weren’t as lucky.
The KelpDAO exploit itself is estimated at round $290 million, making it one of many largest decentralized finance breaches of 2026.
The attacker moved rapidly after the preliminary exploit, splitting funds throughout a number of wallets and chains in an effort to cut back traceability.
Laundering shifts to Bitcoin
Following the freeze, the attacker accelerated efforts to maneuver the remaining funds.
Knowledge reveals that roughly 75,701 ETH, value about $175 million, was transferred to Ethereum mainnet.
From there, the funds started transferring into Bitcoin by means of decentralized protocols like THORChain, Chainflip, and Umbra Money, which permit direct cross-chain swaps with out counting on centralized exchanges.
#PeckShieldAlert The @KelpDAO exploiter has begun laundering stolen funds (~$176M).
They’ve began bridging small batches of funds from #Ethereum to $BTC through @THORChain, @UmbraCash, @chainflip, and @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShieldAlert (@PeckShieldAlert) April 21, 2026
PeckShield analysts noticed that the attacker left solely about 0.7 ETH in some wallets, simply sufficient to cowl transaction charges, whereas draining the remainder into new routes.
This sample displays a excessive stage of operational self-discipline and planning.
One other $176 million portion of the stolen funds has additionally been actively moved in parallel transactions.
Fairly than laundering all the things in a single move, the attacker seems to be operating a number of streams without delay.
This staggered strategy reduces the danger of a single level of failure and makes restoration efforts harder.
Is the notorious North Korea’s Lazarus Group linked to the KelpDAO exploit?
The size and coordination of the operation have led investigators to hyperlink the exploit to North Korea’s Lazarus Group, particularly a subgroup often known as TraderTraitor.
This attribution relies on transaction patterns and laundering strategies that match earlier operations tied to the group.
Lazarus has an extended historical past of focusing on crypto platforms and utilizing advanced cross-chain methods to obscure stolen funds.
Using decentralized bridges and speedy asset conversion seen within the KelpDAO case suits that sample intently.
