Kelp DAO Hacker Launders $175M in Stolen Ether via THORChain

Severity: High (Score: 72.2)

Sources: info.arkm.com, cointelegraph.com

Published: 2026-06-01 · Updated: 2026-06-01

Keywords: kelp, million, exploit, worth, stolen, hacker, launders

Summary

The Kelp DAO hack, which resulted in the theft of approximately $293 million, has seen the hacker launder nearly all of the stolen 75,700 Ether (ETH) worth $175 million. The laundering process primarily utilized THORChain and the privacy protocol Umbra to obscure the transaction trail. Arbitrum's security council has successfully frozen around $71 million worth of the stolen funds. The attacker executed the exploit by unlocking 116,500 restaked Ether (rsETH) through a forged message on LayerZero. The incident has triggered significant concern across decentralized finance (DeFi) platforms, particularly Aave, which is now dealing with an estimated $195 million in bad debt linked to the exploit. Recovery efforts are ongoing, but the majority of the funds have been moved to new wallets, complicating tracing efforts. The attack has been linked to the Lazarus Group, a North Korean hacking organization known for high-profile cybercrimes.

Key Points:

  • The Kelp DAO hack resulted in the theft of approximately $293 million, with $175 million laundered.
  • The hacker used THORChain and Umbra to obscure the movement of stolen funds.
  • Arbitrum's security council froze $71 million in stolen ETH, but most funds have been moved.

Detailed Analysis

**Impact** The Kelp DAO exploit resulted in the theft of approximately 116,500 restaked Ether (rsETH), valued at $290-$293 million, with $175 million in Ether laundered through THORChain and privacy protocol Umbra. Around $71 million worth of stolen ETH remains frozen by Arbitrum’s security council. The attack affected DeFi protocols including Aave, where $195 million in bad debt was created by the hacker using stolen funds as collateral. The incident impacts Ethereum mainnet and Layer 2 ecosystems, with potential losses distributed among rsETH holders.

**Technical Details** The attacker exploited a forged message vulnerability on LayerZero to unlock 116,500 rsETH, representing roughly 18% of the circulating supply. Stolen funds were moved through newly created wallets, then laundered via cross-chain swaps on THORChain and routed through the Umbra privacy protocol to obfuscate transactions. Arbitrum’s security council froze 30,766 ETH linked to the exploit and isolated it in an intermediary wallet requiring governance action for access. The Lazarus Group is strongly suspected as the threat actor behind the attack.

**Recommended Response** Defenders should monitor LayerZero and Layer 2 bridge activity for forged or anomalous messages and suspicious wallet creations. Arbitrum and other Layer 2 operators must maintain and enforce freeze capabilities on compromised funds. Deploy detections for cross-chain swaps involving THORChain and Umbra protocols to identify laundering attempts. Collaboration among DeFi protocols is advised to manage bad debt exposure and coordinate governance actions for fund recovery. No specific CVEs or malware indicators were provided.

Source articles (2)

  • Arkham Intelligence — info.arkm.com · 2026-06-01
    The suspected Lazarus Group hackers behind the $292 million Kelp DAO hack are on the move, transferring 76K ETH (worth $175M) on-chain to new addresses. The stolen funds have been sent to the followin…
  • Kelp Dao Hacker Launders Nearly All 75700 Eth Through Thorchain — cointelegraph.com · 2026-06-01
    The wallet linked to the Kelp DAO exploit appears to have laundered most of the $175 million worth of stolen Ether, while another $71 million remains frozen by Arbitrum’s security council. The exploit…

Timeline

  • 2026-05-30 — Kelp DAO hack executed: The attacker exploited Kelp DAO's LayerZero-powered rsETH bridge, stealing 116,500 rsETH valued at approximately $293 million.
  • 2026-05-30 — Funds laundered through THORChain: The hacker began laundering the stolen 75,700 ETH, worth $175 million, primarily using THORChain and Umbra.
  • 2026-05-30 — Arbitrum freezes stolen funds: Arbitrum's security council froze approximately $71 million in stolen ETH linked to the Kelp DAO exploit.
  • 2026-06-01 — Continued laundering efforts observed: The hacker has moved the majority of the stolen funds to new addresses, complicating recovery efforts.

Related entities

  • Lazarus (Apt Group)
  • Lazarus Group (Apt Group)
  • Data Breach (Attack Type)
  • Aave (Platform)
  • Bitcoin (Platform)
  • LayerZero (Platform)
  • THORChain (Platform)
  • Umbra (Platform)
  • Arbitrum (Company)
  • Kelp DAO (Company)
  • North Korea (Country)