Kelp DAO Exploiter Launders $80M in Stolen ETH to Bitcoin via THORChain

The attacker behind the $292 million Kelp DAO breach has begun laundering stolen funds, converting roughly 34,500 ETH, worth around $80 million, into Bitcoin through the decentralized cross-chain protocol THORChain, according to onchain analytics firm EmberCN.

The laundering activity followed a broader fund movement on April 21, when data from Arkham Intelligence showed the exploiter shifting approximately 75,700 ETH, worth nearly $175 million, out of a primary Ethereum holding address across three large transactions. 

THORChain sees volume surge more than tenfold

THORChain, a decentralized liquidity protocol that enables cross-chain token swaps without requiring identity checks, became the primary route for converting the stolen Ethereum into Bitcoin. 

On-chain data showed the protocol processed approximately $360 million in volume over a 24-hour window during the laundering activity, more than ten times its prior daily average of around $20 million. Fee revenue on the platform also surged to roughly $420,000 during the same period, compared to a typical daily average of about $5,000.

Beyond THORChain, blockchain security firm PeckShield reported that the exploiter had also begun routing a broader share of the stolen funds through Umbra, Chainflip, and BitTorrent. Blockchain security firm Cyvers, cited by Bloomberg, confirmed that around $175 million in assets had been redirected into two newly created wallets and was being routed through multiple platforms designed to obscure the trail.

Blockchain investigator ZachXBT flagged the movement in a Telegram update, identifying three early THORChain transactions totaling approximately $1.5 million and a separate $78,000 transfer through Umbra, a privacy-focused protocol.

How the $292 million exploit unfolded

On April 19, 2026, a hacker exploited a critical bug in Kelp DAO’s rsETH cross-chain bridge, which is built on LayerZero. The bridge allowed the protocol’s liquid restaking token (rsETH) to be transferred between different chains.

The attacker generated a cross-chain message, and the bridge validated it incorrectly. This led to the uncollateralized mint of about 116,500 rsETH. The tokens were then posted as collateral on major platforms like Aave and Compound to borrow actual ETH, creating bad debt and systemic risk across the ecosystem.

With losses to the tune of nearly $292 million, this stands as the biggest DeFi exploit of 2026 so far, and beats the $285 million Drift Protocol hack on April 1.

The attack apparently set off contagion across DeFi, with Aave’s total value locked dropping by $10 billion. Within 24 hours of the attack, DeFi’s total value locked (TVL) fell by nearly $7.48 billion, with at least nine protocols reporting rsETH exposure.

LayerZero and Kelp DAO trade blame over bridge configuration

After the hack, a dispute broke out between LayerZero and Kelp DAO. LayerZero explained that the hack occurred because Kelp DAO used a 1-of-1 Decentralized Verifier Network (DVN) setup, in which a single verifier validates all cross-chain messages.

LayerZero argued this created a single point of failure, and stated that it had previously warned against such a setup while recommending multi-verifier configurations for high-value deployments.
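To illustrate the difference between a 1-of-1 and a multi-verifier setup, the following added example (not code from LayerZero, Kelp DAO or the original article) models a bridge that accepts a message only when a threshold of trusted verifiers attest to it, and audits the threshold setting. The verifier names, keys and message are constructed, and HMAC-SHA256 stands in for the verifiers' real signature scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierPolicy:
    """Hypothetical model: verifiers a bridge trusts and how many must agree."""
    verifier_keys: dict  # verifier name -> key (constructed values)
    threshold: int       # attestations required to accept a message

def attest(key: bytes, message: bytes) -> bytes:
    """One verifier's attestation; HMAC-SHA256 stands in for a real signature."""
    return hmac.new(key, message, hashlib.sha256).digest()

def accept(policy: VerifierPolicy, message: bytes, attestations: dict) -> bool:
    """Accept only if enough distinct trusted verifiers attested this exact message."""
    valid = 0
    for name, tag in attestations.items():
        key = policy.verifier_keys.get(name)
        if key is not None and hmac.compare_digest(tag, attest(key, message)):
            valid += 1
    return valid >= policy.threshold

def audit(policy: VerifierPolicy) -> list:
    """Flag verifier settings that are unsafe or unusable."""
    findings = []
    if policy.threshold < 1:
        findings.append("threshold below 1: messages pass unverified")
    elif policy.threshold == 1:
        findings.append("single point of failure: one verifier can approve any message")
    if policy.threshold > len(policy.verifier_keys):
        findings.append("threshold exceeds verifier count: nothing can pass")
    return findings

# Constructed sample data: three verifiers and one cross-chain message.
KEYS = {"dvn-a": b"key-a", "dvn-b": b"key-b", "dvn-c": b"key-c"}
ONE_OF_ONE = VerifierPolicy({"dvn-a": KEYS["dvn-a"]}, threshold=1)
TWO_OF_THREE = VerifierPolicy(KEYS, threshold=2)
MESSAGE = b"constructed-message: mint 100 rsETH on destination chain"

# Only dvn-a attests, as it would if dvn-a alone were compromised or faulty.
only_a = {"dvn-a": attest(KEYS["dvn-a"], MESSAGE)}
a_and_b = {**only_a, "dvn-b": attest(KEYS["dvn-b"], MESSAGE)}

if __name__ == "__main__":
    print("1-of-1 accepts with dvn-a only:", accept(ONE_OF_ONE, MESSAGE, only_a))
    print("2-of-3 accepts with dvn-a only:", accept(TWO_OF_THREE, MESSAGE, only_a))
    print("2-of-3 accepts with dvn-a+dvn-b:", accept(TWO_OF_THREE, MESSAGE, a_and_b))
    print("audit 1-of-1:", audit(ONE_OF_ONE))
```

Under the 2-of-3 policy, an attestation from a single verifier is not enough to release a message, so a fault in one verifier has to be matched by an independent second one before anything is minted.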

Kelp DAO rejected that framing. The protocol stated in a memo reviewed by CoinDesk that the compromised verifier was part of LayerZero’s own infrastructure, and that the setup it had been faulted for running was actually LayerZero’s documented onboarding default. 

LayerZero also suggested that North Korea’s Lazarus Group may have been behind the attack. Both parties have committed to publishing a joint root-cause report no later than May 5, 2026.

A familiar playbook: THORChain and the Lazarus Group

The methods used resemble those seen in previous large-scale hacks in the ecosystem. According to Bybit CEO Ben Zhou, the $1.4 billion Bybit hack in 2025 saw criminals converting around 83% of stolen Ethereum into Bitcoin, with 72% of the funds routed via THORChain.

Bybit stated that around 77% of the stolen assets remained traceable at the time. Security analysts note that once assets begin crossing chains into Bitcoin rails or privacy tools, recovery becomes materially harder.

Ledger Chief Security Officer Charles Guillemet described the Kelp DAO attack on X as a case study in how a single misconfiguration can cascade through the entire DeFi stack. Taiwanese legislator and blockchain advocate Ko Ju-Chun also noted on X that 116,500 rsETH were drained within just 46 minutes before Kelp DAO was able to pause its contracts.

Recovery prospects dim as laundering accelerates

The freeze initiated by Arbitrum has emerged as one of the few successful containment strategies in the incident, effectively immobilizing approximately a quarter of the total amount stolen.

All the same, the continued flow of money through non-custodial protocols like THORChain, which doesn’t enforce KYC, greatly complicates recovery. Blockchain forensics firms have tracked down the blocked addresses receiving the converted funds. However, the growing issue of cross-chain pseudonymity is proving to be a greater concern.

The Kelp DAO exploit is yet another addition to the ever-growing list of infamous hacks of bridges, which also includes last year’s $625 million Ronin Bridge incident, $326 million Wormhole hack, and $190 million Nomad Bridge attack.

The Chain Chronicler