The attacker behind the roughly $290 million Kelp DAO exploit began moving tens of thousands of Ether to newly created blockchain addresses on Tuesday, in what appears to be an effort to start laundering the stolen funds.
The wallet tagged by Arkham as linked to the Kelp DAO exploit moved about 75,700 Ether (ETH) worth roughly $175 million across three transactions on Tuesday, including a 25,000 ETH transfer to one newly created address and transfers of 50,700 ETH and 0.7 ETH to another.
Blockchain investigator ZachXBT wrote in a Tuesday Telegram post that addresses tied to the exploit had begun moving funds through THORChain and Umbra. He flagged three THORChain transactions totaling about $1.5 million and a separate $78,000 transfer through Umbra.
On Saturday, an attacker drained about 116,500 restaked Ether (rsETH), worth roughly $290 million to $293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge.
LayerZero said Kelp DAO’s 1/1 decentralized verifier network (DVN) setup created a single point of failure by relying on a single verifier path for cross-chain messages. LayerZero said it had previously advised against that configuration.
Fallout spreads across DeFi
The transfers came hours after Arbitrum said its 12-member security council had taken emergency action to freeze 30,766 ETH tied to the exploit and move the funds into an “intermediary frozen wallet” accessible only through Arbitrum governance.
The exploit also hit other DeFi protocols, including Aave, where the attacker used the stolen funds as collateral to borrow against the protocol. Early estimates put the hole at about $195 million, but Aave’s Monday incident report later outlined two potential outcomes: roughly $123.7 million in bad debt under one scenario and about $230.1 million under another.
The transfers suggest the attackers had begun moving funds through non-custodial protocols that can complicate tracing and recovery. THORChain does not require traditional Know Your Customer checks.
During the $1.4 billion Bybit hack in 2025, attackers converted about 83% of the stolen Ether into Bitcoin (BTC), with 72% of the funds moving through THORChain, according to Bybit CEO Ben Zhou. Zhou said at the time that 77% of the stolen funds were still traceable.
Related: ZachXBT asks MemeCore to explain valuation and token supply
Aave unfreezes Ethereum V3 market as borrow rates spike
On Tuesday, Aave said it had unfrozen Wrapped Ether (WETH) reserves on the Ethereum Core V3 market, enabling users to supply WETH to the V3 lending protocol once again. However, WETH reserves across Ethereum Prime, Arbitrum, Base, Mantle and Linea remain frozen.
Meanwhile, the thinning liquidity saw Aave’s borrowing rates for USDt (USDT) rise from 3% to 14%, marking the highest figures since December 2024, wrote Julio Moreno, the head of research at analytics platform CryptoQuant, in a Monday X post.
Fears over a potential contagion caused significant outflows from Aave, as its total value locked (TVL) fell by about $10 billion since the exploit to $16.4 billion as of Tuesday, DefiLlama data shows.
Magazine: 53 DeFi projects infiltrated, 50M NEO tokens could be ‘given back’: Asia Express
