Nikolas Sargeant
TL;DR
-
The Kelp DAO exploiter has laundered around $80 million since moving $175 million in ETH earlier.
The attacker behind the $292 million exploit of LayerZero-powered cross-chain bridge Kelp DAO has laundered roughly $80 million worth of Ethereum, according to blockchain analytics firm EmberCN, intensifying scrutiny on cross-chain liquidity routes and non-custodial swap protocols.
$292M Exploit and Onchain Movement
EmberCN reported that the attacker has moved about 34,500 ETH since shifting roughly $175 million off Ethereum earlier in the week.
KelpDAO 黑客从昨天下午开始把 ETH 进行洗钱转移,到现在应该是洗走了 3.45 万枚 ETH ($8000 万)。
— 余烬 (@EmberCN) April 22, 2026
这些 ETH 大部分通过 @THORChain 跨链兑换成了 BTC,THORChain 也因此收获了不少的 "过路费":
◎THORChain 过去 24 小时交易量暴增到 $3.6 亿,此前每日交易量平均只有 $2000 万。
◎THORChain 过去… https://t.co/YHNjV4jTGy pic.twitter.com/QRAAsYf6sb
The activity suggests a continued effort to obscure fund origins following one of the larger recent cross-chain bridge exploits.
According to the analysis, a significant portion of the stolen ETH—around 30,766 ETH—was frozen after intervention by the Arbitrum Security Council, prompting the exploiter to route remaining funds through alternative channels.
The report added that a substantial share of the stolen assets was reportedly converted into Bitcoin via the cross-chain swap protocol THORChain, a decentralized liquidity network known for enabling permissionless asset swaps across blockchains.
EmberCN noted that the protocol has benefited from unusually high activity linked to the laundering process, with the attacker using it as a bridge between Ethereum and Bitcoin liquidity.
The report noted that the surge in illicit and arbitrage-driven flows pushed THORChain’s 24-hour swap volume to around $394 million—far above its typical daily range of $10 million to $35 million. The protocol reportedly generated approximately $456,000 in fees over the same period.
This latest development comes after THORChain was previously been used by the North Korea-linked Lazarus Group, which has been associated with multiple high-profile crypto hacks, including the Bybit exchange breach. Investigators have also suggested Lazarus may be linked to the Kelp DAO exploit.
While critics argue that THORChain enables laundering by refusing to block suspicious flows, the protocol has consistently defended its design as fully decentralized and censorship-resistant.
In a statement, THORChain said it operates without an admin key or centralized control, emphasizing that its network is governed by node operators enforcing neutral code rules rather than discretionary intervention.
This latest development comes after Kelp DAO responded to the $292 million exploit, blaming LayerZero’s default 1-of-1 DVN setup, which was criticized for creating a single point of failure.
