KelpDAO Attacker Converts $175M in Stolen ETH to Bitcoin Through THORChain

A major security vulnerability at KelpDAO resulted in the drainage of more than 116,500 restaked Ether (ETH) from its LayerZero-integrated bridge infrastructure. After the breach, the perpetrator transferred 75,700 ETH—valued at approximately $175 million—into newly created wallet addresses to obfuscate the funds. The transfer pattern reflected a deliberate effort to evade monitoring and forensic analysis across multiple blockchain ecosystems.

How the breach funds were moved

The exploiter primarily used THORChain’s infrastructure to convert Ethereum into Bitcoin. This approach added additional layers to the transaction path, reducing the ability to trace fund movements. The attacker also completed most conversions within a compressed timeframe.

THORChain processed approximately $800 million in trading activity tied to these illicit transactions. The decentralized exchange protocol also collected roughly $910,000 in transaction fees from the laundering activity. KelpDAO remained central to the conversion process as it neared completion.

Asset recovery prospects narrow

KelpDAO faces significant challenges because most stolen assets have already moved beyond conventional recovery mechanisms. However, Arbitrum’s security governance body froze 30,766 ETH connected to the security breach. This portion remains locked in an intermediary address that requires governance authorization before any further movement.

On-chain analysis indicated the attacker drained the primary wallet after routing funds through THORChain and Umbra protocols. These steps reduced visibility and complicated investigative tracing. As a result, recovery efforts now rely largely on the frozen portion of assets.

Security researchers also identified transaction behaviors consistent with a rapid exit rather than long-term holding. The exploiter avoided maintaining substantial balances in traceable wallet addresses. In response, KelpDAO has shifted toward damage containment rather than pursuing full asset retrieval.

Broader impact on the DeFi ecosystem

The KelpDAO incident has had wider repercussions across decentralized finance, particularly for Aave. The exploiter used stolen holdings as loan collateral to extract additional funds, creating substantial bad debt. Initial assessments estimated the uncollateralized debt at around $195 million across compromised lending positions.

Aave is coordinating with KelpDAO and other protocols to reduce system-wide consequences. Risk management teams outlined two potential resolution pathways that involve loss allocation among rsETH token holders:

• Option one: Reduce Aave’s liability, but potentially trigger a 15% depegging of rsETH relative to Ethereum.
• Option two: Allocate losses to layer-two network holders while leaving Aave with greater debt responsibility.

Each pathway carries different tradeoffs and affects protocol resilience through different mechanisms. KelpDAO is described as integral to the resolution discussions as parties evaluate the most suitable approach.

Response and containment efforts continue

KelpDAO continues developing a comprehensive response framework aimed at safeguarding users and restoring operational stability. The protocol is prioritizing enhanced security measures while addressing the exploitation aftermath. KelpDAO remains under intensive observation as recovery and damage control efforts progress.