Kelp DAO Hacker Just Moved $175 Million In Ethereum And Started Laundering It – Here Is What We Know

This is a developing story. Figures may have changed since publication.

One of DeFi’s largest exploits in recent memory has taken a sharp new turn after the Kelp DAO hacker began moving around $175 million in Ethereum and appears to have started laundering the stolen funds. The attacker’s on‑chain reaction came almost immediately after Arbitrum’s Security Council froze roughly $71 million of the stolen ETH, underscoring how quickly the hacker is trying to obscure the trail.

How the Kelp DAO exploit unfolded

The incident began on April 19–20, 2026, when an unknown attacker exploited a vulnerability in Kelp DAO’s rsETH bridge, which runs on LayerZero. According to LayerZero’s preliminary analysis, the setup Kelp DAO used – a 1/1 decentralized verifier network (DVN) – created a single‑point‑of‑failure by relying on one verifier path, which let the attacker forge cross‑chain messages.

Via that bridge, the hacker drained approximately 116,500 rsETH, valued at roughly $292–293 million at the time, representing about 18% of the token’s circulating supply. Kelp DAO responded by pausing its core contracts, but by then most of the rsETH had already been moved.finance.

Lending market domino: $195M+ bad debt on Aave

The stolen rsETH was quickly deposited as collateral on Aave V3, where it was used to borrow around $195–196 million in wrapped ether (WETH). This turned Aave into a passive victim: the protocol did not create the vulnerability, yet it still carries substantial bad debt on its balance sheet.

In a follow‑up incident report published on April 20, Aave outlined two potential scenarios: ~$123.7 million in bad debt under a more optimistic recovery assumption, and roughly $230.1 million if the hacked funds prove irrecoverable. On‑chain tracking firms such as PeckShield and CoinDesk have described this as one of the most damaging DeFi incidents in 2026 so far, both in absolute terms and in its impact on market confidence.

The equivalent of approximately 116,500 rsETH at current prices.

Arbitrum freezes $71 million – but most funds are still moving

Arbitrum’s 12‑member Security Council stepped in late on April 20, announcing it had frozen 30,766 ETH (about $71 million at current prices) tied to the exploit. Those funds were moved into an “intermediary frozen wallet” that can only be unlocked through Arbitrum governance, with law‑enforcement involvement noted in the council’s statement.

Importantly, Arbitrum emphasized that the freeze affected only specific addresses linked to the stolen funds and did not alter the broader state of the network or harm other users. However, on‑chain data from Arkham Intelligence and other trackers show that the $71 million locked by Arbitrum represents less than 30% of the roughly $292–293 million total stolen, leaving the bulk of the funds still in motion.

Attacker moves 75,701 ETH – early laundering signaled

Hours after Arbitrum’s intervention, the hacker began reacting on‑chain. The wallet tagged by Arkham as linked to the Kelp DAO exploit moved approximately 75,701 ETH, valued at about $175 million, in three large transactions on Ethereum.

• 25,000 ETH to one newly created address;
• 50,700 ETH and 0.7 ETH to another new address.

These flows were directed to freshly created addresses, which on‑chain investigators treat as an early sign of “layering” – the phase where attackers fragment and redirect funds to make tracing harder. CoinMarketCap and ARKHAM note that the attacker is now actively “layering” the stolen ETH across multiple wallets and protocols rather than holding it in one spot.

On-chain data also shows the stolen crypto being routed through the privacy protocol Umbra. (Source: Arkham)

Cross‑chain moves via THORChain and Umbra

On‑chain sleuth ZachXBT reported on Telegram that funds tied to the exploit have begun moving through non‑custodial protocols that complicate tracing. 

• Around $1.5 million was bridged from Ethereum to Bitcoin via THORChain, a cross‑chain DEX that does not require Know‑Your‑Customer checks.
• An additional $78,000 flowed through Umbra, a privacy‑oriented protocol that obscures sender and recipient addresses.

These tools are often favored in early‑stage laundering because they allow attackers to change chains, mix liquidity, and obscure relationships between addresses without leaving a clear KYC trail. Analysts from CoinDesk and The Block note that similar patterns have appeared in past hacks allegedly linked to state‑sponsored groups, including those suspected of ties to the Lazarus Group, though there is no confirmed law‑enforcement attribution in this case.

Lazarus Group has also been linked with the other high-profile hack this month: Drift Protocol

RsETH and restaking layer under stress

The market cap of rsETH, Kelp DAO’s liquid restaking token, has come under heavy pressure since the exploit. Trading viewers show rsETH’s market cap has pulled back sharply from earlier peaks above $2 billion, now hovering closer to $1.3 billion after a rapid expansion‑and‑collapse pattern characteristic of forced unwinds rather than organic selling.

From a technical‑analysis standpoint, rsETH is now trading below key moving averages, with its 200‑day trend flattening and beginning to roll over, suggesting the earlier growth phase is stalled. Because rsETH is used as collateral across multiple DeFi protocols, its market cap effectively acts as a proxy for trust in Kelp DAO’s restaking layer; the current compression signals that confidence has weakened and volatility could persist.

Fallout across Aave and DeFi TVL

The Kelp DAO attack has triggered a meaningful risk‑off response across the broader DeFi ecosystem. Data from DeFiLlama indicate that Aave’s TVL dropped by about $10 billion following the incident, falling from roughly $26 billion to around $16.4 billion by April 22.

CryptoQuant’s head of research, Julio Moreno, pointed out that borrow rates for USDT (USDt) on Aave’s Ethereum V3 market spiked from about 3% to 14%, a level not seen since December 2024, as liquidity thinned and users rushed to deleverage. At the same time, Kelp DAO restaked a large share of rsETH across 20 different chains, spreading the knock‑on effects well beyond Arbitrum and Ethereum.

AAVE V3: USDT, USDC Borrow Event Amount ($) and Borrow Rate

Freeze vs. decentralization: the debate ignited

Arbitrum’s ability to freeze $71 million in ETH has reignited a core philosophical debate about blockchain immutability, decentralization, and crisis response. Supporters argue that the Security Council’s move was a responsible, targeted intervention that preserved value for users and gave law enforcement breathing room to act.

Critics, meanwhile, warn that any mechanism allowing a council or small group to override address states undermines the idea that “code is law” and could set a precedent for future interventions. As The Block and CoinDesk have highlighted, the Kelp DAO case sits squarely in the middle of that tension: it is one of the largest DeFi hacks in recent years, yet the response has been more centralized and forceful than the market was built to expect.

What investigators are watching now

On‑chain analysts from Arkham, ZachXBT, and firms such as PeckShield continue to track the $175 million in newly moved ETH and the cross‑chain flows through THORChain, Umbra, and other DeFi protocols. Multiple sources report that the attacker has created several new addresses, redistributing smaller chunks of ETH in an attempt to deepen the laundry trail rather than simply exiting the ecosystem.

For now, the key open questions remain:

• How much of the remaining $175 million can be effectively traced or recovered?
• Will law enforcement or exchange operators manage to freeze or seize additional assets on other chains?
• And whether the broader DeFi ecosystem will harden restaking and bridge architectures in response to the Kelp DAO exploit.

Those answers will shape both the financial fallout and the ideological debate about how much centralized control is acceptable in an ecosystem built on the promise of decentralization. 

The post Kelp DAO Hacker Just Moved $175 Million In Ethereum And Started Laundering It – Here Is What We Know appeared first on NFT Plazas.