Attacker stops arbitrage 30K ETH with KelpDAO hack on the way to Bitcoin
Arbitrum stopped 30,766 ETH before the bridge. Attacker moved 75,701 ETH and started converting funds to Bitcoin. More than $176 million is being siphoned off in several parallel streams.
Arbitrum blocked the large amount of money associated with KelpDAO exploitation, even as the attacker moved to push the remaining assets beyond reach.
Arbitrum's Security Council has confirmed that it blocked 30,766 ETH worth more than $70 million during the operation.
The funds are tied to an address linked to the Kelpdao attacker and secured before they are removed from the network.
The interception came after coordination with law enforcement, suggesting authorities may already have a lead on the identity of the exploiter.
Arbitrum's Security Council has taken urgent action to freeze 30,766 ETH in Arbitrum's one address in connection with Kelpdao exploitation. The Security Council was informed by law enforcement agencies about the identity of the perpetrator, and at any time,…
— Arbitrum (@arbitrum) April 21, 2026
A race against time
Blockchain investigators, including PeckShield, have pointed out that the attacker is already trying to move the funds using Arbitrum's native bridge.
If that transfer were completed, ETH would probably have a much larger pool of stolen assets already circulating in other chains.
By intervening when it works, Arbitrum has prevented approximately 29% of stolen money from going down the drain. However, the rest of the properties were not so lucky.
The KelpDAO exploit itself is worth an estimated $290 million, making it one of the biggest decentralized finance breaches of 2026.
The attacker moved quickly after the initial exploit, splitting funds across multiple wallets and chains to reduce traceability.
Washing is converted into Bitcoin.
Following the freeze, the attacker accelerated efforts to move the remaining funds.
Data shows that approximately 75,701 ETH, worth about 175 million dollars, has been transferred to the Ethereum mainnet.
The funds then began moving into Bitcoin through decentralized protocols such as THORChain, Chainflip, and Umbra Cash, which allow for direct on-chain exchanges without relying on centralized exchanges.
#PeckShieldAlert @KelpDAO has started to liquidate looted funds (~$176M).
They've started linking microfinance from #Ethereum to $BTC via @THORChain, @UmbraCash, @chainflip and @BitTorrent. pic.twitter.com/4cm8dOjTWL
— PeckShieldAlert (@PeckShieldAlert) April 21, 2026
PeckShield analysts noticed that the attacker left only about 0.7 ETH in some wallets, which is enough to cover transaction fees, while taking the rest into new ways.
This pattern reflects a high level of operational discipline and planning.
Another $176 million portion of the stolen money was actively moved through parallel transactions.
Instead of flushing everything in one stream, the attacker appears to be running multiple streams at once.
This chaotic approach reduces the risk of a single point of failure and makes recovery efforts more difficult.
Is the notorious North Korean Lazarus group linked to the KelpDAO exploit?
The scale and coordination of the operation led investigators to link the exploit to the North Korean Lazar group, specifically a sub-group known as TraderTraitor.
This behavior is based on marketing patterns and laundry techniques that match the previous work associated with the group.
Lazarus has a long history of targeting crypto platforms and traversing complex chains to hide stolen funds.
The decentralized bridging and rapid asset switching seen in KelpDAO's case closely fits that pattern.
