$71M Frozen, $175M Already Gone: How the Kelp DAO Hacker Is Laundering $292 Million in Stolen Ether

Kelp DAO lost $292M in a LayerZero bridge exploit. Arbitrum froze $71M, but $175M is already moving. Lazarus Group is suspected. Aave faces up to $230M in bad debt.

Arbitrum acted quickly. On Monday night the Arbitrum Security Council froze more than 30,766 ETH (roughly $71 million) sitting in a wallet on Arbitrum One that was directly tied to the KelpDAO exploit. The council said it acted with input from law enforcement about who it believed the exploiter to be, and that the action affected no other Arbitrum users or applications. Real-time, on-chain intervention of this kind is rare in DeFi, and it was a genuinely decisive move by Arbitrum. It is also a reminder that a Security Council can reach into balances on the chain, a capability worth keeping in mind when weighing an L2's trust model.


The hacker acted even faster. Before the ink was dry on Arbitrum's announcement, blockchain intelligence firm Arkham tracked the suspect moving 75,701 ETH (approximately $175 million) out of Ethereum addresses and into newly created wallets: two transfers, one of $117 million and one of $58 million, during European trading hours on Tuesday. On-chain investigator ZachXBT confirmed to me that the stolen funds have begun moving across chains. The laundering phase has started.


Arbitrum froze roughly a quarter of the stolen value. The other three quarters remain outside anyone's control, and most of it is already on the move.

How the Attack Unfolded

In case anyone missed it: on Saturday, April 18th, an attacker exploited a defect in Kelp DAO's LayerZero-based cross-chain bridge that let them withdraw 116,500 rsETH (worth about $291 million at the time), roughly 18% of all rsETH then in circulation. By feeding the bridge forged cross-chain instructions, the attacker made it release rsETH to an address they controlled. They then posted the stolen tokens as collateral on Aave, Compound and Euler and borrowed hundreds of millions of dollars of wrapped ether against them.


Kelp's bridge backed rsETH across more than 20 networks, so the fallout spread immediately. To date, at least nine protocols have had to freeze markets or take other emergency measures. Aave alone saw $6.6 billion in TVL leave the platform within hours, and its token fell 16%. Aave has since released an incident report estimating its bad-debt exposure at between $123M and $230M, depending on how Kelp DAO assigns its shortfall among its Layer 2 positions.

The Kelp exploit has now surpassed the Drift hack of two weeks ago as the largest DeFi hack of 2026 to date.

The Blame Game Between Kelp and LayerZero

While investigators work out how the funds were taken, Kelp DAO and LayerZero are publicly disputing who is responsible for the configuration mistake that enabled the attack. At its center is a single verifier: one party alone decided whether each message sent across chains was valid. Compromise that one verifier and the entire bridge is compromised.


LayerZero's position is that it only provided the infrastructure Kelp DAO built on. Kelp DAO insists that its single-verifier setup was LayerZero's standard configuration for the SV, not a choice Kelp made. Where liability lands matters for any future legal remedies, but it will not change the losses already suffered.


What both parties are effectively admitting is that a configuration with no tolerance for a single compromise was running in production on a bridge carrying hundreds of millions of dollars of cross-chain value. That shared fact is what ties them together. Someone should have caught it; no one did.
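The forged-message attack described under "How the Attack Unfolded" and the single-verifier configuration discussed in this section come down to one quorum rule. The following Python model is an added example, not code from LayerZero, Kelp DAO or this article: it applies a required-plus-optional verifier quorum (LayerZero calls its verifiers DVNs) to an inbound message, shows that a one-verifier configuration lets whoever holds that single key push a forged release instruction through while a multi-verifier configuration rejects it, and includes the audit check that flags such a configuration. The verifier names, keys, message encoding and payload are constructed for the example, and an HMAC stands in for a real signature so it runs offline.

```python
"""Quorum model of cross-chain message verification.

Added illustration, not LayerZero's or Kelp DAO's code. It models the verifier
quorum rule a LayerZero-style bridge applies to each inbound message and shows
why a single-verifier configuration fails the way the article describes.
An HMAC stands in for a verifier's signature so the script runs offline; the
verifier names, keys, message encoding and payload are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifierConfig:
    required: tuple          # every one of these verifiers must attest
    optional: tuple = ()     # plus at least `threshold` of these
    threshold: int = 0


def message_digest(src_chain: str, nonce: int, payload: bytes) -> bytes:
    """Digest the bridge asks verifiers to attest (constructed encoding)."""
    return hashlib.sha256(f"{src_chain}:{nonce}:".encode() + payload).digest()


def attest(verifier_key: bytes, digest: bytes) -> bytes:
    """One verifier's attestation over a digest (HMAC standing in for ECDSA)."""
    return hmac.new(verifier_key, digest, hashlib.sha256).digest()


def verify(cfg: VerifierConfig, keys: dict, digest: bytes, attestations: dict) -> bool:
    """Quorum rule: all required verifiers, plus `threshold` of the optional ones."""
    def attested(name: str) -> bool:
        sig = attestations.get(name)
        return sig is not None and hmac.compare_digest(sig, attest(keys[name], digest))

    if not all(attested(v) for v in cfg.required):
        return False
    return sum(attested(v) for v in cfg.optional) >= cfg.threshold


def single_key_suffices(cfg: VerifierConfig) -> bool:
    """Audit check: can ONE compromised verifier key alone satisfy the quorum?

    This is the single-verifier failure mode: one required verifier with no
    optional threshold (or no required verifiers and a threshold of at most
    one) lets whoever holds that key forge any message.
    """
    if len(cfg.required) == 1 and cfg.threshold == 0:
        return True
    return len(cfg.required) == 0 and cfg.threshold <= 1


def demo() -> dict:
    # Constructed verifier keys; the attacker holds only verifier "a".
    keys = {"a": b"key-a", "b": b"key-b", "c": b"key-c"}
    weak = VerifierConfig(required=("a",))                                    # one verifier decides
    hardened = VerifierConfig(required=("a", "b"), optional=("c",), threshold=1)

    # A forged release instruction that never happened on the source chain.
    forged = message_digest("ethereum", nonce=4242, payload=b"release 116500 rsETH to 0xattacker")
    attacker_attestations = {"a": attest(keys["a"], forged)}                 # only the stolen key signs

    # A genuine message every verifier has seen and attested.
    genuine = message_digest("ethereum", nonce=4243, payload=b"release 10 rsETH to 0xuser")
    full_attestations = {name: attest(key, genuine) for name, key in keys.items()}

    return {
        "weak_accepts_forgery": verify(weak, keys, forged, attacker_attestations),
        "hardened_accepts_forgery": verify(hardened, keys, forged, attacker_attestations),
        "hardened_accepts_genuine": verify(hardened, keys, genuine, full_attestations),
        "weak_is_single_point_of_failure": single_key_suffices(weak),
        "hardened_is_single_point_of_failure": single_key_suffices(hardened),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `single_key_suffices` is that it is a static check on the configuration alone: it needs no knowledge of which key an attacker might steal, so it is the kind of test that belongs in a deployment script or a pre-launch audit, which is exactly where the configuration described above should have been caught.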

North Korea's Shadow

Security researchers and several publications have noted that the pattern of the Kelp exploit, its scale and the speed of the laundering closely match the modus operandi of North Korea's Lazarus Group. Together, the Drift and Kelp exploits drained more than $500 million in just over two weeks. Analysts read that tempo as the work of a sanctioned state that needs funds rather than of opportunistic hackers.


The Lazarus Group has been tied to some of the largest cryptocurrency thefts in history, including the $625 million Ronin Network hack in 2022. The group is known for abusing compromised verifier setups to attack cross-chain infrastructure, and for moving stolen funds quickly through privacy tools and chain hops to frustrate tracing. The Kelp exploit fits that playbook. Attribution to Lazarus has not been confirmed, but law enforcement evidently passed the Arbitrum Security Council enough information about the exploiter's identity to justify the freeze described above, which implies investigators are further along than their public statements suggest.

What Comes Next

No one can access the roughly $71 million frozen on Arbitrum without approval from Aave's governance. That is a significant sum taken out of the attacker's reach, and the speed of the response across the board is remarkable. The $175 million that has moved to new wallets and begun hopping chains is a different matter; funds spread across chains are much harder to recover than funds sitting on one. Given the sums involved, the FBI and IRS-CI are likely coordinating on the investigation, but turning an investigation into recovered assets takes months or years, not days.


For Aave, the first question is how to absorb the bad debt. Part of it may be covered by the Umbrella Safety Reserve; anything beyond that falls on stkAAVE holders through the protocol's backstop mechanism. That would put Aave governance under unprecedented pressure, since it would be the first time it has had to act to shield stkAAVE holders from a loss.


Roughly 72 hours have passed since the Kelp exploit. The investigation is ongoing, the laundering is under way, and the total loss has not yet been determined. What is already clear is that the attacker had an elaborate plan in place before executing the hack, from the forged bridge messages through the borrowing against stolen collateral to the rapid movement of funds across chains.


All views expressed are the author’s personal opinions, and do not constitute investment advice.
