{"id":26493,"date":"2026-04-21T13:53:46","date_gmt":"2026-04-21T13:53:46","guid":{"rendered":"https:\/\/bitunikey.com\/news\/kelp-dao-exploit-fallout-deepens-as-attacker-routes-175m-in-eth-via-privacy-rails\/"},"modified":"2026-04-21T13:53:56","modified_gmt":"2026-04-21T13:53:56","slug":"kelp-dao-exploit-fallout-deepens-as-attacker-routes-175m-in-eth-via-privacy-rails","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/kelp-dao-exploit-fallout-deepens-as-attacker-routes-175m-in-eth-via-privacy-rails\/","title":{"rendered":"Kelp DAO exploit fallout deepens as attacker routes $175M in ETH via privacy rails"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">The entity behind the roughly $290 million Kelp DAO breach has started moving large volumes of Ether into fresh wallet addresses, in what appears to be the early stages of obfuscating the stolen funds after the exploit.<\/p>\n<div id=\"cn-block-summary-block_d5bcfff790d5abfdc7a23d9280c84097\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>The attacker behind the $290M Kelp DAO exploit has moved 75,700 ETH worth ~$175M across new wallets, with early transfers routed via THORChain and Umbra.<\/li>\n<li>Arbitrum froze 30,766 ETH tied to the breach, while Aave faces potential bad debt between $123.7M and $230.1M after the attacker used stolen funds as collateral.<\/li>\n<li>LayerZero blamed a single-verifier setup for the exploit, while Kelp DAO disputed the claim, saying the configuration followed default infrastructure guidelines.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/intel.arkm.com\/explorer\/entity\/cc627a5c-0409-4494-8753-2febb2f3ff0d\" target=\"_blank\" 
rel=\"nofollow\">Data<\/a> from Arkham shows the address tied to the incident transferred about 75,700 Ether, worth nearly $175 million, across three transactions on Tuesday. The movements included a 25,000 ETH transfer to a newly created wallet, along with additional transfers of 50,700 ETH and 0.7 ETH to another address.<\/p>\n<p>On-chain investigator ZachXBT noted in a Telegram <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/t.me\/investigations\/316\">update<\/a> that part of the stolen funds had already begun flowing through privacy-focused infrastructure, including THORChain and Umbra. He identified three THORChain transactions totaling about $1.5 million, alongside a separate $78,000 transfer routed via Umbra.<\/p>\n<p>The exploit itself took place on Saturday, when roughly 116,500 restaked Ether (rsETH), valued between $290 million and $293 million at the time, was siphoned from Kelp DAO\u2019s bridge built on LayerZero.<\/p>\n<p>LayerZero attributed the breach to Kelp DAO\u2019s use of a 1-of-1 decentralized verifier network, arguing that relying on a single verifier path created a \u201csingle point of failure\u201d for cross-chain message validation. The firm said it had previously warned against such a setup and recommended multi-verifier configurations for high-value deployments.<\/p>\n<h2 class=\"wp-block-heading\">Fallout spreads across DeFi<\/h2>\n<p>The latest transfers came shortly after Arbitrum confirmed that its 12-member security council had intervened to freeze 30,766 ETH linked to the exploit. The funds were moved into an \u201cintermediary frozen wallet\u201d that can only be accessed through governance decisions.<\/p>\n<p>Ripple effects from the breach extended to Aave, where the attacker reportedly used the stolen assets as collateral to borrow funds. 
Initial estimates suggested a $195 million shortfall, though Aave later outlined two possible scenarios in its incident report, ranging from about $123.7 million to $230.1 million in bad debt.<\/p>\n<p>The use of non-custodial platforms such as THORChain adds complexity to recovery efforts, as such protocols do not enforce traditional Know Your Customer checks, making fund tracking more difficult once assets begin moving across chains.<\/p>\n<h2 class=\"wp-block-heading\">Dispute emerges over root cause<\/h2>\n<p>While LayerZero has pointed to configuration choices as the core issue, it also suggested that North Korea\u2019s Lazarus Group could be behind the attack.<\/p>\n<p>Kelp DAO has rejected that framing, arguing that the so-called \u201csingle-validator\u201d setup was not an unsafe customization but part of LayerZero\u2019s documented defaults. The team said the compromised validator stack \u201cis part of LayerZero\u2019s own infrastructure,\u201d not a third-party component.<\/p>\n<p>Security researchers have since confirmed that the bridge relied on a 1-of-1 DVN structure, meaning a single signature was enough to validate cross-chain messages. 
Analysts noted that such a design allowed a forged instruction to pass as legitimate, ultimately enabling the release of 116,500 rsETH to the attacker\u2019s wallet.<\/p>\n<p>Kelp DAO maintains that it implemented LayerZero\u2019s publicly available code and configurations across networks, suggesting that responsibility may not rest solely with the application layer but also with the underlying infrastructure provider.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The entity behind the roughly $290 million Kelp DAO breach has started moving large volumes of Ether into fresh wallet addresses, in what appears to be the early stages of&hellip;<\/p>\n","protected":false},"author":1,"featured_media":2473,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-26493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=26493"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26493\/revisions"}],"predecessor-version":[{"id":26494,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26493\/revisions\/26494"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/2473"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=26493"}],"wp:term":[{"ta
xonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=26493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=26493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}