- Arbitrum froze 30,766 ETH before it could be bridged out.
- Attacker moved 75,701 ETH and began routing funds to Bitcoin.
- Over $176 million is being laundered through multiple parallel flows.
Arbitrum has frozen a significant portion of funds linked to the KelpDAO exploit, even as the attacker moves to push the remaining assets beyond reach.
The Arbitrum Security Council confirmed it froze 30,766 ETH, valued at over $70 million at the time of action.
The funds were tied to an address associated with the KelpDAO attacker and were secured before they could be bridged out of the network.
The intervention came after coordination with law enforcement, suggesting authorities may already have leads on the exploiter’s identity.
The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,…
— Arbitrum (@arbitrum) April 21, 2026
A race against time
Blockchain investigators, including PeckShield, had flagged that the attacker was already attempting to move the funds off Arbitrum using a native bridge.
Had that transfer been completed, the ETH would likely have joined a much larger pool of stolen assets already in circulation across other chains.
By intervening when it did, Arbitrum prevented roughly 29% of the stolen funds from entering the laundering pipeline. However, the remaining assets were not as fortunate.
The KelpDAO exploit itself is estimated at around $290 million, making it one of the largest decentralized finance breaches of 2026.
The attacker moved quickly after the initial exploit, splitting funds across multiple wallets and chains in an effort to reduce traceability.
Laundering shifts to Bitcoin
Following the freeze, the attacker accelerated efforts to move the remaining funds.
Data shows that approximately 75,701 ETH, worth about $175 million, was transferred to Ethereum mainnet.
From there, the funds began moving into Bitcoin through decentralized protocols like THORChain, Chainflip, and Umbra Cash, which allow direct cross-chain swaps without relying on centralized exchanges.
#PeckShieldAlert The @KelpDAO exploiter has begun laundering stolen funds (~$176M).
They have started bridging small batches of funds from #Ethereum to $BTC via @THORChain, @UmbraCash, @chainflip, and @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShieldAlert (@PeckShieldAlert) April 21, 2026
PeckShield analysts observed that the attacker left only about 0.7 ETH in some wallets, just enough to cover transaction fees, while draining the rest into new routes.
This pattern reflects a high level of operational discipline and planning.
Another $176 million portion of the stolen funds has also been actively moved in parallel transactions.
Rather than laundering everything in a single flow, the attacker appears to be running multiple streams at once.
This staggered approach reduces the risk of a single point of failure and makes recovery efforts more difficult.
Is the infamous North Korea’s Lazarus Group linked to the KelpDAO exploit?
The scale and coordination of the operation have led investigators to link the exploit to North Korea’s Lazarus Group, specifically a subgroup known as TraderTraitor.
This attribution is based on transaction patterns and laundering techniques that match previous operations tied to the group.
Lazarus has a long history of targeting crypto platforms and using complex cross-chain strategies to obscure stolen funds.
The use of decentralized bridges and rapid asset conversion seen in the KelpDAO case fits that pattern closely.
