KelpDAO hacker launders ETH via THORChain – Network says it is ‘neutral’

The attacker moved stolen funds after Arbitrum froze $71 million in ETH, raising concerns about the reliability of DeFi.

The illicit actor behind KelpDAO’s $294 million exploit has reportedly laundered funds. As per Arkham’s data, the attacker had divided the stolen funds across three different wallets.

The wallets hold 25K Ethereum [ETH] worth $57.6 million, 25.7K ETH worth $59.2 million, and 25K ETH worth $57.9 million, respectively.

Funds moved into 3 wallet addresses
Source: Arkham

Of these, only the third wallet address, containing 25K ETH, has started laundering, and it is now left with 3.8K ETH worth $8 million. The laundered funds were bridged to Bitcoin [BTC] via THORChain [RUNE].

How did THORChain’s identity check fault help the hacker?

With about 99% of the funds flowing, THORChain's swap volume had reached $540 million in the past 24 hours, generating $660K in fees at press time.

THORChain Swap Pool
Source: THORChain Explorer

THORChain was chosen because it enables users to swap assets across blockchains without KYC, which made things simpler for the attacker.

However, THORChain defended itself, noting,

THORChain stands in defense
Source: THORChain/X

Decentralization vs DeFi oversight

The suspect laundered the funds within a few hours after the Arbitrum Security Council froze 30,766 ETH worth $71 million connected to the biggest DeFi hack of 2026.

With this move, the aforementioned funds, now sitting in the governance-controlled wallet, can be accessed only through subsequent governance votes.

This way, the governance action influenced the attacker's behavior and cut off the hacker's access to the funds. However, this step also fueled the debate over decentralization versus oversight in DeFi.

This is because DeFi stands for its promise of being immutable, where no one can control funds or reverse transactions.

Arbitrum’s intervention in the attack, though meant to keep the funds out of the hacker's hands, has raised concerns about whether the system is fully decentralized. Additionally, it has created fear that in the future these funds could be used by governments.

Therefore, besides highlighting how hackers are growing their web, the attack also shed light on the fact that DeFi is not fully permissionless.

Similar hacks in the past

The KelpDAO incident, linked to the Lazarus Group’s TraderTraitor unit, has also brought back memories of past incidents. The most recent was the Bybit attack of 2025, in which the attackers stole $1.5 billion in crypto.

Then, in the Euler Finance exploit of 2023, attackers emptied nearly $197 million before returning the funds after negotiations. In 2022, $600 million worth of Ethereum and USDC tokens were stolen from the Ronin Bridge.

Then there was the 2020 KuCoin exchange security breach, which resulted in losses of $275 million to $285 million in various cryptocurrencies.

Seeing all these, on-chain investigator Specter said,

DPRK remains a major threat to the ecosystem. When actions like the Arbitrum Council’s intervention occur, they should be recognized for the difficult but necessary decisions they made.


Final Summary

  • After the governance action by the Arbitrum Security Council, the exploiters moved ahead and bridged funds to Bitcoin via THORChain.
  • The involvement of Arbitrum has raised concerns around DeFi being truly permissionless and immutable.

Ishika Kumari

Journalist

Ishika Kumari is a Crypto Analyst at AMBCrypto, specializing in regulatory developments, market dynamics, and blockchain’s real-world impact. She breaks down complex protocols and legislation into practical, easy-to-understand insights.