Kelp Hack Funds Move Through THORChain

Funds stolen in the roughly $292 million Kelp DAO exploit are now moving through THORChain. Arkham Intelligence said the attacker moved more than 76,000 ETH, worth about $175 million at the time, into new wallets as the laundering process began.

The movement started after Arbitrum’s security council froze part of the stolen Ether, and the remaining funds soon began moving to new wallets.

The Exploit Has Turned Into a Laundering Race

Kelp DAO said the April 18 incident involved rsETH being drained through a forged cross-chain message. Arkham said the attacker unlocked about 116,500 rsETH, roughly 18% of the circulating supply, in the original exploit.

Arbitrum later froze 30,766 ETH linked to the attack, a stash valued at roughly $71 million to $75 million when the action was taken. That left the rest of the stolen assets still moving, and on-chain trackers say the attacker began spreading them out almost immediately after the freeze.

THORChain Became the Main Exit Route

The attacker’s route now runs through THORChain, along with smaller flows through the privacy protocol Umbra and other services. Arkham said the stolen crypto was being sent into cross-chain swaps to the Bitcoin network through THORChain, while ZachXBT flagged early THORChain transfers totaling about $1.5 million.

Later reports said most of the unfrozen ETH was routed through THORChain, causing a sharp spike in protocol activity. Reporting linked to the laundering said the protocol’s 24-hour swap volume jumped to about $394 million, far above its usual daily level of less than $35 million.

Recovery Gets Harder From Here

Once stolen funds are pushed from Ether into Bitcoin through a permissionless cross-chain system, recovery gets much harder. Unchained noted that THORChain has no freeze tool comparable to the governance action Arbitrum used on its own network.

That leaves the recovery effort centered on the frozen tranche, while the rest of the haul appears to be moving deeper into harder-to-trace rails. For Kelp DAO and the wider DeFi market, the story is no longer only about how the exploit happened. It is now about how much of the stolen money can still be stopped.

Fhumulani Lukoto Cryptocurrency Journalist

Fhumulani Lukoto holds a Bachelor's degree in Journalism, enabling her to become the writer she is today. Her passion for cryptocurrency and bitcoin started in 2021 when she began producing content in the space. A naturally inquisitive person, she dove head first into all things crypto to gain the huge wealth of knowledge she has today. Based out of Gauteng, South Africa, Fhumulani is a core member of the content team at Coin Insider.