One of the largest crypto hacks this year has taken a new turn as the Kelp DAO hack investigation reveals the attacker is moving hundreds of millions of dollars across various blockchain networks. The incident—which stunned the crypto community last week—saw the Ethereum-based Kelp DAO protocol lose nearly $292 million due to sophisticated exploit tactics. In a fresh development, experts found that the stolen funds are being systematically transferred away from their original locations.
Tracking the stolen funds
According to findings from blockchain security firm PeckShield and analyst ZachXBT, the attacker has been using a combination of privacy-focused technologies in recent days in an effort to obscure the stolen crypto assets. Analysis shows that substantial amounts have moved from the ETH mainnet to Bitcoin using services like THORChain and Umbra, which are known for boosting user privacy.
PeckShield reported that a total of $176 million worth of assets have been sent to platforms including THORChain, Umbra, Chainflip, and BitTorrent. Ember CN, an on-chain analytics group, highlighted that after assets were temporarily frozen on the Arbitrum network, the attacker began transferring about 75,700 ETH, valued at roughly $175 million, out of Ethereum.
It should be noted that these figures have not yet been independently confirmed by either Kelp DAO or LayerZero.
Technical details and responsibility debate
Kelp DAO had established itself as a significant player in decentralized finance (DeFi) through its rsETH bridge on Ethereum. The incident triggered intense debate over vulnerabilities in bridge design, message verification processes, and the associated LayerZero infrastructure supporting cross-network transactions.
Ari Redbord, policy lead at TRM Labs, explained that the attacker exploited LayerZero's lzReceive mechanism by submitting what appeared to be fabricated cross-chain messages, allowing them to drain roughly 116,500 rsETH from the protocol. This sum represents about 18% of all rsETH in circulation.
Redbord emphasized that this outflow quickly escalated into a major cross-chain security breach, ranking among the most significant DeFi exploits in recent years.
After the attack, LayerZero suggested that the notorious North Korean-linked Lazarus group may be involved, citing flaws in single-point message verification as a potential entry point for the exploit. Kelp DAO, in turn, pointed to weaknesses within LayerZero’s architecture as the core of the problem.
DeFi industry impact and evolving fund movements
A key response following the breach was the freezing of approximately $71 million in ETH on the Arbitrum network—marking one of the most decisive measures to date. Despite this, the attacker remained active, moving stolen funds in smaller segments to other networks using innovative methods.
In the aftermath, major DeFi platforms that interacted with rsETH—including Aave, SparkLend, Fluid, and Upshift—undertook urgent reviews to reduce risk and reassess their collateral frameworks. These moves have triggered widespread discussions about collateral quality, stable value maintenance, and complex cross-chain debt scenarios.
While the full scope of post-attack fund shifts is still unclear, recent transfers via privacy-oriented chains like THORChain and Umbra suggest that the attackers are laying complex escape routes. Experts warn these steps will seriously hinder efforts to track and recover the stolen assets.
Nonetheless, analysts have observed that the amounts in these new transfers remain relatively limited given the total damage, speculating that attackers may be experimenting with routes rather than settling the assets yet.
Ultimately, the events have reinforced the critical importance of the Arbitrum freeze as an initial containment measure. Yet as the trail grows more convoluted with every new transfer, pursuing the misappropriated assets is becoming an ever more complicated global challenge.