KelpDAO Hackers Launder $290M Across Ethereum and Bitcoin

On-chain sleuths say the KelpDAO hackers are beginning to launder proceeds from a $290 million DeFi exploit. Arkham data show the exploiter-controlled wallet made two large Ethereum transfers of $117 million and $58 million during European hours on Tuesday. ZachXBT reports that part of the stolen funds has already moved across chains. About $1.5 million was bridged from Ethereum to Bitcoin via THORChain, and an additional $78,000 was routed through the privacy protocol Umbra. These cross-chain and privacy steps match the early “layering” phase used to obscure fund trails, a pattern previously associated with the North Korean-linked Lazarus Group.

The breach has also triggered broader DeFi stress. Arbitrum froze $71 million in ether tied to the hack, which could pressure the attackers to accelerate remaining transfers. Traders may watch for follow-on liquidations, increased exchange- and bridge-level monitoring, and potential contagion effects across other protocols exposed to similar bridge or liquidity dynamics. The KelpDAO hackers’ next moves will likely hinge on whether frozen funds remain blocked and how quickly remaining assets can be dispersed beyond Ethereum and into liquidity venues on other chains.
Bearish
This news is bearish because KelpDAO hackers are actively moving and laundering stolen crypto, and that behavior typically sustains sell-pressure and liquidity stress in DeFi. The immediate market-relevant signals are the reported $290M-scale transfers on Ethereum/BTC rails and Arbitrum freezing $71M in ETH—both raise the probability of fast, disruptive flows (including follow-on liquidations) as attackers try to re-route funds and as protocols tighten risk controls. In similar past DeFi bridge/exploit events, once investigators confirm cross-chain movement and privacy-layer “layering,” markets often see temporary volatility spikes, wider credit/liquidity concerns, and risk-off positioning across DeFi tokens—especially those with bridge exposure or correlated yield/LP dependencies. Longer term, sustained monitoring and potential protocol upgrades may reduce recurrence risk, but the near-term trading impact usually remains negative until fund flows stabilize and contagion fears fade. Traders should watch for (1) continued cross-chain bridging activity from hacked funds, (2) additional freezes/blacklists by L2s and bridge providers, and (3) DeFi liquidation waves that can spill into broader market sentiment.