Kelp DAO Attacker Transfers $175M in Ether Following Exploit

Key Takeaways:

• The Kelp DAO exploiter has moved $175 million worth of Ether, part of a larger $290 million theft.
• Funds were shifted to new blockchain addresses, suggesting an attempt at laundering.
• Arbitrum’s response includes freezing 30,766 ETH linked to the breach.
• Aave’s ETH V3 market resumes activity, but borrowing costs surge dramatically.
• Non-custodial platforms like THORChain and Umbra complicate fund tracing.

WEEX Crypto News, 2026-04-21 15:41:14

Movement of Stolen Ether After Kelp DAO Exploit

The attacker responsible for siphoning approximately $290 million from Kelp DAO has initiated the movement of 75,700 Ether, valued at roughly $175 million, evidently to launder the ill-gotten gains. Held in wallets flagged by Arkham and transferred in several large transactions on a Tuesday, these funds are now under scrutiny. A massive 25,000-ETH shift to a new address and over 50,700 ETH moved elsewhere highlight the calculated efforts to shroud these operations in anonymity.

Critique of LayerZero’s Security Protocols

The breach was facilitated through weaknesses in Kelp DAO’s use of the LayerZero-powered rsETH bridge, attributed to the reliance on a mono-path 1/1 decentralized verifier network (DVN). LayerZero had flagged this setup as a potential vulnerability due to its single point of failure—a glaring hole now punctuated by the attack.

Widespread Implications in DeFi Arenas

In the immediate fallout, Arbitrum’s security council preempted further asset loss by freezing 30,766 ETH related to the exploit in an intermediary wallet accessible solely via its governance. This decisive action underscores the integrated defense mechanisms within DeFi networks, but also highlights the lingering risks. Simultaneously, Aave bore the brunt, facing potential bad debt scenarios ranging from $123.7 million to $230.1 million, based on its incident analysis.

Fund transfers via non-custodial venues like THORChain—bypassing obligatory Know Your Customer (KYC) checks—underscore the sophistications in laundering schemes. Drawing on the narrative of the 2025 Bybit hack, where 83% of stolen Ether converted into Bitcoin went mostly through THORChain, the precedent for such moves further complicates recovery efforts.

Re-emergence of Aave’s Ethereum V3 Market

Post-freeze, Aave reopened its Wrapped Ether (WETH) reserves on the Ethereum Core V3 market, encouraging activity. Nevertheless, the halting of services across Ethereum Prime and other platforms persists, amid liquidity fears. Insights from DeFiLlama reveal a stark $10 billion drop in total value locked (TVL), reflecting cautionary withdrawals amid safety concerns.

Charting Future Risks and Outcomes

The uptick in Aave’s USDt borrowing rates from 3% to a staggering 14%—the highest since late 2024—reflects market volatility and reactive risk management. Fund outflows and fluctuating borrowing costs depict a DeFi space grappling with the ramifications of security breaches and the ensuing ripple effects.

[Place Image: Chart showing Kelp DAO Ether transfers over time]

FAQ

What triggered the Kelp DAO exploit?

The Kelp DAO exploit was prompted by vulnerabilities in its use of LayerZero’s rsETH bridge, particularly a single-point failure within its 1/1 decentralized verifier network.

How are non-custodial protocols involved in fund transfers?

Non-custodial protocols like THORChain and Umbra facilitate anonymous transactions without KYC checks, enabling laundered fund flows that evade regular monitoring systems.

How has Arbitrum responded to the exploit?

In reaction, Arbitrum’s security council froze 30,766 ETH to curb further misuse of funds, highlighting the importance of governance in protecting DeFi ecosystems.

What impact has the exploit had on Aave’s market activities?

While Aave reopened its WETH market, ongoing liquidity fears from the exploit have caused significant withdrawals and increased borrowing costs for the USDt market.

Can these exploited funds be retrieved effectively?

Retrieval is complex, especially when laundered through platforms like THORChain. However, tracing efforts continue, leveraging crypto forensic and governance controls.

[Place Image: Screenshot of Aave borrowing rate spike]