Hacker Behind Kelp DAO Breach Transfers $175M Worth of Ether: Arkham Intelligence

Following the $290 million Kelp DAO security breach, the perpetrator has transferred $175 million in stolen Ether, seemingly initiating money laundering operations.

The perpetrator responsible for the approximately $290 million Kelp DAO security breach initiated the movement of tens of thousands of Ether tokens to freshly generated blockchain addresses on Tuesday, seemingly in an attempt to begin the laundering process of the illicitly obtained assets.

The wallet that Arkham has tagged as connected to the Kelp DAO security breach transferred approximately 75,700 Ether (ETH), valued at around $175 million, in three separate transactions on Tuesday: a 25,000 ETH movement to one newly generated address, and transfers of 50,700 ETH and 0.7 ETH to a different address.

In a Tuesday Telegram message, blockchain investigator ZachXBT reported that addresses associated with the security breach had started transferring assets via THORChain and Umbra. He identified three THORChain transactions amounting to approximately $1.5 million along with a distinct $78,000 transfer executed through Umbra.

Last Saturday, an attacker drained approximately 116,500 restaked Ether (rsETH), valued at roughly $290 million to $293 million at the time, from Kelp DAO's LayerZero-enabled rsETH bridge infrastructure.

According to LayerZero, Kelp DAO's 1/1 decentralized verifier network (DVN) configuration established a single point of failure through its dependence on a singular verifier path for processing cross-chain messages. LayerZero stated it had previously recommended against implementing that particular configuration.
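The single-verifier risk described above can be checked mechanically. The following is an added example, not code from LayerZero, Kelp DAO or the article: the `VerifierConfig` model, its field names, the rule that a message is accepted once every required verifier plus a threshold of optional verifiers attest, and the `min_quorum` policy floor are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class VerifierConfig:
    """Hypothetical model of one bridge pathway's verifier set (field names assumed)."""
    required_dvns: list = field(default_factory=list)   # every one must attest
    optional_dvns: list = field(default_factory=list)   # threshold-of-N must attest
    optional_threshold: int = 0

def forgery_quorum(cfg):
    """Distinct verifiers whose attestation is needed to accept a message,
    i.e. how many an attacker must control to get a forged message accepted."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    if not 0 <= cfg.optional_threshold <= len(optional):
        raise ValueError("optional_threshold outside the distinct optional set")
    return len(required) + cfg.optional_threshold

def audit(cfg, min_quorum=2):
    """Return findings; min_quorum is an assumed policy floor, not a LayerZero value."""
    findings = []
    everyone = [a.lower() for a in cfg.required_dvns + cfg.optional_dvns]
    if len(set(everyone)) != len(everyone):
        findings.append("duplicate verifier address inflates the apparent quorum")
    try:
        quorum = forgery_quorum(cfg)
    except ValueError as exc:
        return findings + [str(exc)]
    if quorum < min_quorum:
        findings.append(f"single point of failure: quorum {quorum} < {min_quorum}")
    return findings

# Constructed sample configurations (addresses are placeholders, not real DVNs).
ONE_OF_ONE = VerifierConfig(required_dvns=["0xA1"])
PADDED = VerifierConfig(required_dvns=["0xA1", "0xa1"])  # same verifier listed twice
HARDENED = VerifierConfig(required_dvns=["0xA1", "0xB2"],
                          optional_dvns=["0xC3", "0xD4", "0xE5"], optional_threshold=2)

if __name__ == "__main__":
    for name, cfg in [("1/1", ONE_OF_ONE), ("padded", PADDED), ("hardened", HARDENED)]:
        print(name, audit(cfg) or "ok")
```

The `PADDED` case shows why the check counts distinct addresses: a list with two entries still resolves to a quorum of one when both entries are the same verifier.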

Repercussions Extend Throughout DeFi Ecosystem

These fund movements occurred just hours following Arbitrum's announcement that its 12-member security council had executed emergency measures to freeze 30,766 ETH connected to the security breach and relocate the assets into an "intermediary frozen wallet" that can only be accessed via Arbitrum governance procedures.

Latest transactions from the Kelp DAO Attacker-tagged wallet. Source: Arkham

The security breach also impacted additional DeFi protocols, notably Aave, where the perpetrator utilized the stolen assets as collateral for borrowing against the protocol's reserves. Initial estimates suggested a deficit of approximately $195 million, though Aave's April 20 incident analysis subsequently detailed two possible outcomes: approximately $123.7 million in uncollateralized debt under one scenario and around $230.1 million under an alternative scenario.

The asset transfers indicate the attackers had initiated the process of moving funds through non-custodial protocols designed to complicate tracking and asset recovery efforts. THORChain does not mandate traditional Know Your Customer verification procedures.

In the $1.4 billion Bybit security breach, attackers converted approximately 83% of the stolen Ether into Bitcoin (BTC), with 72% of the assets flowing through THORChain, as reported by Bybit CEO Ben Zhou. Zhou stated at the time that 77% of the stolen assets remained traceable, indicating the transaction flows were not completely untraceable.

Aave Reinstates Ethereum V3 Market Operations as Borrowing Rates Surge

On Tuesday, Aave announced it had lifted the freeze on Wrapped Ether (WETH) reserves within the Ethereum Core V3 market, permitting users to supply WETH to the V3 lending protocol again. WETH reserves on Ethereum Prime, Arbitrum, Base, Mantle and Linea remain frozen.

Aave borrowing rates chart. Source: Julio Moreno

In the meantime, diminishing liquidity pushed Aave's borrowing rates for USDt (USDT) from 3% to 14%, the highest level recorded since December 2024, according to a Monday X post by Julio Moreno, head of research at analytics platform CryptoQuant.

Concerns regarding potential contagion effects triggered substantial outflows from Aave, with its total value locked (TVL) declining by approximately $10 billion following the security breach to $16.4 billion as of Tuesday, according to data from DeFiLlama.
