The attacker behind the roughly $293 million Kelp DAO exploit appears to have laundered nearly all of the unfrozen Ether, leaving recovery efforts largely focused on the portion frozen by Arbitrum’s security council.
The hacker moved close to 75,700 ETH—valued at around $175 million at the time—primarily using THORChain to swap the funds into Bitcoin, generating roughly $910,000 in fees for the protocol, according to blockchain analyst EmberCN.
The laundering process began Tuesday, with the attacker distributing the funds across newly created wallets before routing them through THORChain and the privacy protocol Umbra. Data from Arkham shows the attacker’s primary wallet had been largely emptied by Thursday.
Routing funds through THORChain makes them harder to trace, reducing the likelihood of recovery. Arkham noted that the transaction patterns suggest the attacker is “executing an exit strategy” rather than holding the stolen assets.
Meanwhile, Arbitrum’s security council froze 30,766 ETH linked to the exploit, transferring the funds to an intermediary wallet that now requires governance approval for access.
The laundering occurred just five days after the attacker drained approximately 116,500 restaked Ether (rsETH)—worth between $290 million and $293 million—from Kelp DAO’s LayerZero-powered rsETH bridge.
The exploit sent shockwaves across decentralized finance, including Aave, where the attacker used the stolen funds as collateral to borrow against the platform—creating roughly $195 million in bad debt, according to early estimates.
Aave is now coordinating with affected protocols to contain the fallout and limit contagion risks, according to founder and CEO Stani Kulechov. He said in a Wednesday post on X:
“Our priority is our users, and every decision we are making is aimed at an orderly return to normal market conditions and the best possible outcome for everyone involved.”
In a Thursday post on X, Kelp DAO said it is making progress toward a “suitable resolution,” adding that its efforts are focused on “safeguarding our users and strengthening the protocol.”
Earlier, on Monday, Aave’s risk provider outlined two possible outcomes for handling the fallout. One scenario estimates about $123.7 million in bad debt, while the other could result in roughly $230.1 million.
Under the first option, losses would be distributed across all rsETH holders on Ethereum mainnet and layer-2 networks. This approach would reduce bad debt on Aave but could lead to a potential 15% depeg of rsETH relative to Ether.
The second scenario would allocate the full loss to rsETH holders on Ethereum layer-2s, leaving Aave with approximately $230 million in bad debt.
