Kelp DAO Attacker Launders $175M Ether

Key Takeaways

  • The exploiter behind the $290M Kelp DAO hack has begun moving 75,700 ETH to fresh addresses in an attempt to obscure the funds.

  • Attackers are utilizing non-custodial protocols like THORChain and Umbra to complicate tracing efforts by blockchain investigators.

  • LayerZero identified a “single point of failure” in Kelp DAO’s security configuration as the root cause of the exploit.

The aftermath of the massive Kelp DAO exploit has entered a dangerous new phase as the attacker begins a high-stakes laundering operation. After draining approximately 116,500 restaked Ether (rsETH) from the protocol’s bridge, the hacker sat quiet for several days.

That silence broke on Tuesday when over $175 million worth of Ether began moving through the Ethereum network. Investigators are now tracking these funds as they are dispersed into a web of newly created wallets, making recovery increasingly difficult for the protocol’s developers and security partners.

Kelp DAO attacker moves $175M in Ether after exploit

Blockchain analytics firm Arkham tagged the movements as the exploiter transferred 75,700 ETH across three major transactions. To further hide their tracks, the attacker is reportedly leveraging “privacy-preserving” and non-custodial tools.

On-chain sleuth ZachXBT flagged several transactions through THORChain—a protocol known for not requiring Know Your Customer (KYC) checks—and Umbra.

This strategy mirrors the infamous 2025 Bybit hack, where attackers successfully laundered the majority of their loot through similar decentralized rails. LayerZero, the tech behind the bridge, noted that it had previously warned Kelp DAO that its “1/1 DVN” setup was a security risk that lacked a backup verifier.

Fallout spreads across DeFi

The impact of the Kelp exploit is being felt far beyond its own community. The decentralized lending giant Aave has been hit particularly hard. The attacker used the stolen rsETH as collateral to borrow massive amounts of other cryptocurrencies, leaving Aave with a potential bad debt hole estimated between $123 million and $230 million.

$10 billion in outflows. That’s the price of the latest wave of fear hitting Aave as depositors scramble for the exits. While unfreezing the Ethereum V3 WETH market offered a brief moment of relief, the numbers tell a different story: USDT borrowing rates have spiked to 14%. It’s a textbook liquidity squeeze, and the market is feeling the pressure.

Final Thoughts

The Kelp DAO exploit serves as a grim reminder of the risks inherent in complex DeFi “restaking” bridges. Until decentralized protocols move away from single-path verifiers, multi-million dollar laundering events will likely remain a persistent threat.

Frequently Asked Questions

Can the stolen Ether be recovered?
It is difficult, as the attacker is using non-custodial mixers; however, some funds have been frozen by the Arbitrum Security Council.

What is a “1/1 DVN” setup?
It is a configuration where only one verifier is needed to approve transactions, creating a single point of failure.

Is Aave still safe to use?
Aave has resumed some operations, but users should monitor “bad debt” reports and borrow rate fluctuations carefully.

Fatrick A

Author