The hackers behind the KelpDAO exploit have begun moving stolen assets into Bitcoin, using the permissionless cross-chain protocol THORChain to convert funds, a move that has dramatically increased activity on the network. The breach, which occurred on April 19, 2026, saw the attacker drain approximately 116,500 rsETH from Kelp DAO's LayerZero-powered rsETH bridge adapter.
Onchain analysts, with subsequent corroboration from blockchain investigator ZachXBT, have determined that the wallet associated with the exploit is actively routing approximately $80 million worth of ETH through THORChain. ZachXBT identified early movements of roughly $1.5 million across three THORChain transactions and an additional $78,000 routed via Umbra, a privacy protocol built on Ethereum.
Arkham Intelligence tracked the exploiter moving 75,700 ETH, equivalent to roughly $175 million, across three discrete transactions on April 22, 2026, including a transfer of 25,000 ETH to one new address and 50,700 ETH to another. From those intermediate wallets, funds have been routed through THORChain's native asset swap infrastructure, which executes cross-chain conversions—primarily ETH to Bitcoin—without custodial intermediaries or KYC checkpoints.
One attacker wallet sent funds through THORChain, pushing daily transaction volume to about $211 million, nearly 10 times the 30-day average. The laundering activity drove THORChain's 24-hour swap volume to $394 million—approximately eleven times its typical daily volume of under $35 million—as of late April 2026.
Around 442 BTC ($33 million) is now spread across more than 400 different Bitcoin addresses. Some of the laundered coins have been mixed with funds tied to previous North Korea-linked hacks, highlighting ongoing challenges in tracing and recovering stolen crypto. Separately, Arbitrum froze 30,766 ETH linked to the exploiter, a portion of the broader stolen pool; the freeze is documented in Arbitrum's published governance action.