Kelp DAO Hacker Moves $175M in ETH, Begins Laundering via THORChain and Umbra

The hacker behind the $292–293 million Kelp DAO exploit on April 19–20, 2026, has moved 75,701 ETH (worth ~$175 million) in three large transactions to newly created addresses, signaling early-stage laundering. The attacker exploited a vulnerability in Kelp DAO's rsETH bridge on LayerZero, which used a 1/1 decentralized verifier network (DVN) creating a single point of failure, allowing forged cross-chain messages. Approximately 116,500 rsETH (18% of circulating supply) were drained and deposited as collateral on Aave V3, generating $195–196 million in bad debt. Arbitrum's Security Council froze 30,766 ETH (~$71 million) on April 20, but that represents less than 30% of the stolen funds. The hacker has routed ~$1.5 million to Bitcoin via THORChain and $78,000 through the privacy protocol Umbra, complicating tracing. On-chain sleuth ZachXBT reported the cross-chain moves. Aave's TVL dropped from ~$26 billion to ~$16.4 billion, and USDT borrow rates spiked to 14%. The incident has reignited debate about blockchain immutability versus centralized crisis response. Analysts from Arkham, PeckShield, and CoinDesk continue tracking the funds. No law enforcement attribution has been confirmed, though patterns resemble past hacks linked to state-sponsored groups like Lazarus Group.