Kelp DAO hacker moves funds through THORChain, Umbra

After Arbitrum froze about $71M of linked ETH, wallets tied to the $292M Kelp DAO exploit routed roughly $1.5M through THORChain and $78K via Umbra.

Wallets tied to the roughly $292 million Kelp DAO exploit have begun routing stolen funds through THORChain and the privacy protocol Umbra after Arbitrum's Security Council froze about $71 million of linked ETH. Blockchain tracking shows roughly $1.5 million moved from Ethereum to Bitcoin via THORChain and about $78,000 was sent through Umbra.

Blockchain investigator ZachXBT reported the early transfers.

Security firm PeckShield and onchain analysts at Ember CN estimated larger flows, saying the exploiter has moved or begun moving roughly 75,700 ETH, about $175–176 million, through THORChain, Umbra, Chainflip and the BitTorrent Chain. Kelp DAO and LayerZero have not confirmed those totals.

The exploit was disclosed over the weekend when Kelp DAO's rsETH bridge was drained for about $292 million. Ari Redbord, global head of policy at TRM Labs, wrote: “The attacker drained about 116,500 rsETH, or roughly 18% of the circulating supply, after calling LayerZero's lzReceive flow with what appeared to be a forged message.” LayerZero later attributed the attack to the North Korea-linked Lazarus Group and pointed to a single point of failure in the message-verification path, where one verifier's attestation was enough for delivery. Kelp DAO disputed parts of that account and flagged issues with LayerZero's messaging architecture. Neither party has published a full technical post-mortem of how the message was forged.
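The page does not say how the message was forged, only that it passed a verification path with a single point of failure. The following is an added illustration, not LayerZero's or Kelp DAO's code: a simplified model of a destination-side receiver that delivers a cross-chain message once a quorum of independent verifiers has attested to its digest. The class names, the `lz_receive` method name, the HMAC-based attestations and the verifier keys are all assumptions chosen for readability; real verifiers sign rather than HMAC. It shows why a single configured verifier means one compromised or coerced attestation delivers a message that never existed on the source chain, while a 2-of-3 quorum does not, and it also enforces the nonce replay check a receiver needs.

```python
"""Simplified model of a cross-chain message verification path.

Added illustration only (not LayerZero's or Kelp DAO's code). A receiver
delivers a message once `required` of its configured verifiers have attested
to the message digest. Attestations are HMACs standing in for signatures;
the keys below are constructed for the example.
"""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass(frozen=True)
class Message:
    """A cross-chain message as the destination receiver sees it (constructed fields)."""
    src_chain: int
    nonce: int
    receiver: str
    payload: bytes

    def digest(self) -> bytes:
        # Length-prefix the variable-length field so encodings cannot collide.
        h = hashlib.sha256()
        h.update(self.src_chain.to_bytes(4, "big"))
        h.update(self.nonce.to_bytes(8, "big"))
        h.update(len(self.receiver).to_bytes(2, "big") + self.receiver.encode())
        h.update(self.payload)
        return h.digest()


class Verifier:
    """Stands in for one independent verifier network; its HMAC key is its identity."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key

    def attest(self, digest: bytes) -> bytes:
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def check(self, digest: bytes, attestation: bytes) -> bool:
        return hmac.compare_digest(self.attest(digest), attestation)


class Receiver:
    """Destination-side endpoint: delivers only with `required` valid attestations."""

    def __init__(self, verifiers: list[Verifier], required: int) -> None:
        if not 1 <= required <= len(verifiers):
            raise ValueError("quorum must be between 1 and the number of verifiers")
        self.verifiers = verifiers
        self.required = required
        self.seen: set[tuple[int, int]] = set()   # (src_chain, nonce) already delivered
        self.delivered: list[Message] = []

    def lz_receive(self, msg: Message, attestations: dict[str, bytes]) -> bool:
        digest = msg.digest()
        valid = [v.name for v in self.verifiers
                 if v.name in attestations and v.check(digest, attestations[v.name])]
        if len(valid) < self.required:
            raise PermissionError(f"{len(valid)} of {self.required} attestations valid")
        key = (msg.src_chain, msg.nonce)
        if key in self.seen:
            raise ValueError("replay: nonce already delivered")
        self.seen.add(key)
        self.delivered.append(msg)
        return True


KEYS = {"A": b"key-a", "B": b"key-b", "C": b"key-c"}  # constructed verifier keys


def forged_message_delivered(configured: tuple[str, ...], required: int,
                             compromised: set[str]) -> bool:
    """True if a message that was never sent on the source chain gets delivered.

    The attacker holds the keys of the verifiers named in `compromised` and can
    produce attestations only from those; honest verifiers never attest because
    no such message exists on the source chain.
    """
    verifiers = [Verifier(n, KEYS[n]) for n in configured]
    rx = Receiver(verifiers, required)
    forged = Message(src_chain=1, nonce=7, receiver="bridge", payload=b"release")
    attestations = {v.name: v.attest(forged.digest())
                    for v in verifiers if v.name in compromised}
    try:
        return rx.lz_receive(forged, attestations)
    except PermissionError:
        return False


def honest_delivery_and_replay() -> tuple[bool, bool]:
    """Honest 2-of-3 delivery succeeds once; replaying the same nonce is refused."""
    verifiers = [Verifier(n, k) for n, k in KEYS.items()]
    rx = Receiver(verifiers, required=2)
    msg = Message(src_chain=1, nonce=1, receiver="bridge", payload=b"release")
    att = {v.name: v.attest(msg.digest()) for v in verifiers}
    first = rx.lz_receive(msg, att)
    try:
        rx.lz_receive(msg, att)
        replayed = True
    except ValueError:
        replayed = False
    return first, replayed


if __name__ == "__main__":
    print("single verifier, compromised:", forged_message_delivered(("A",), 1, {"A"}))
    print("2-of-3, one compromised:", forged_message_delivered(("A", "B", "C"), 2, {"A"}))
    print("2-of-3, two compromised:", forged_message_delivered(("A", "B", "C"), 2, {"A", "B"}))
    print("honest delivery, replay accepted:", honest_delivery_and_replay())
```

The point of the model is the quorum, not the attestation primitive: with `required=1` and one configured verifier, the receiver has no second opinion to consult, so whoever can produce that one attestation can deliver anything. Raising the quorum only helps if the verifiers are operated independently; two verifiers run by the same party collapse back to one.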

Onchain analysts say the exploiter began shifting significant sums off Ethereum soon after Arbitrum's freeze. Moving funds onto Bitcoin rails, where no chain-level body can freeze balances the way Arbitrum's Security Council did, or into protocols that hide sender and recipient, narrows the options for seizure and tracing.

The amounts routed through Umbra and similar channels so far are small compared with the total breach, but analysts read the activity as the exploiter testing exit routes. Ember CN and PeckShield flagged transfers leaving Ethereum through several cross-chain and privacy services.

The breach prompted several lending platforms to pause or reassess rsETH exposure. Aave, SparkLend, Fluid and Upshift paused or reevaluated rsETH-related positions after the exploit. LayerZero, Kelp DAO, security firms, exchanges and onchain investigators continue to track transfers and work on recovery and attribution.
