Arbitrum freezes 30K ETH in KelpDAO hack while attacker funnels funds into Bitcoin



  • Arbitrum froze 30,766 ETH before it could be moved off the network.
  • The attacker transferred 75,701 ETH and began converting the funds into Bitcoin.
  • More than $176 million is being laundered through multiple parallel flows.

Arbitrum has frozen a significant portion of funds linked to the KelpDAO exploit, even as the attacker moves to push remaining assets out of reach.

Arbitrum’s security board confirmed that it had frozen 30,766 ETH, worth over $70 million at the time of the action.

The funds were tied to an address linked to the KelpDAO attacker and were secured before they could be taken off the network.

The intervention came after coordination with law enforcement authorities, indicating that the authorities may already have leads on the identity of the exploiter.

Race against time

Blockchain investigators, including PeckShield, had flagged that the attacker was trying to transfer funds off Arbitrum using the native bridge.

Had this transfer completed, the ETH would likely have joined a much larger pool of stolen assets already in circulation across other chains.

By intervening when it did, Arbitrum prevented approximately 29% of the stolen funds from entering money laundering channels. The remaining assets, however, were not secured.

The KelpDAO exploit is estimated to be worth approximately $290 million, making it one of the largest decentralized finance breaches of 2026.

The attacker moved quickly after the initial exploit, splitting funds across multiple wallets and chains in an attempt to reduce traceability.

Money laundering turns to Bitcoin

After the freeze, the attacker accelerated efforts to transfer the remaining funds.

The data indicates that approximately 75,701 ETH, worth about $175 million, were transferred to the Ethereum mainnet.

From there, the funds started moving into Bitcoin through decentralized protocols such as THORChain, Chainflip, and Umbra Cash, which allow direct cross-chain swaps without relying on centralized exchanges.

PeckShield analysts noted that the attacker only left around 0.7 ETH in some wallets, just enough to cover transaction fees, while draining the rest into new paths.

This pattern reflects a high level of discipline and operational planning.

Another $176 million portion of the stolen funds was also actively moved in parallel transactions.

Instead of laundering everything in one stream, the attacker appears to be running multiple streams simultaneously.

This tiered approach reduces the risk of a single point of failure and makes recovery efforts more difficult.

Is North Korea’s notorious Lazarus Group linked to the KelpDAO exploit?

The scale and coordination of the operation led investigators to link the exploit to North Korea’s Lazarus Group, specifically a subgroup known as TraderTraitor.

This attribution is based on transaction patterns and money laundering techniques that match previous operations associated with the group.

Lazarus has a long history of targeting cryptocurrency platforms and using complex cross-chain strategies to hide stolen funds.

The use of decentralized bridges and rapid transfer of assets seen in the case of KelpDAO fits this pattern closely.




