Kelp DAO Exploit Fallout Deepens as Attacker Routes $175M in ETH via Privacy Rails

By: crypto insight|2026/04/23 00:00:06

Key Takeaways:

  • The attacker moved $175 million in stolen ETH to new wallets using privacy tools.
  • The exploit involved siphoning 116,500 rsETH via Kelp DAO’s LayerZero bridge.
  • LayerZero criticized Kelp DAO for the single-verifier network setup that was exploited.
  • Aave faces a potential $123.7 million to $230.1 million loss from the breach.
  • LayerZero suggests possible involvement of the Lazarus Group in the attack.

WEEX Crypto News, 2026-04-22 12:16:02

Kelp DAO’s Security Breach Unfolds

The Kelp DAO breach, which resulted in roughly $290 million being compromised, has taken a new turn as the perpetrator maneuvers $175 million in Ether across new wallet addresses. The activity shows early signs of efforts to obscure the Ether’s origins following the heist. Blockchain data from Arkham revealed transactions moving 75,700 Ether via three transfers, one notably moving 25,000 ETH to a newly generated wallet.

Privacy Rails Employed in Fund Movement

ZachXBT, a prominent on-chain investigator, identified the use of privacy-centric networks like THORChain and Umbra in masking the stolen Ether. Specifically, THORChain transactions totaled about $1.5 million, while Umbra was used for a $78,000 transfer. These tools complicate tracing efforts by avoiding conventional Know Your Customer (KYC) checks and dispersing funds across multiple protocols.

Exploit Linked to LayerZero’s Bridge Vulnerability

The security breach, which targeted approximately 116,500 rsETH from Kelp DAO’s bridge on LayerZero, underscores the risk of relying on a 1-of-1 decentralized verifier network (DVN). LayerZero criticized Kelp DAO for this setup, highlighting a “single point of failure” risk that it says it had previously cautioned against. LayerZero’s recommended solution was a multi-verifier approach for handling significant valuations, which Kelp DAO did not adopt.

Impact on Decentralized Finance (DeFi) Ecosystem

Following the exploit, Arbitrum’s security council froze 30,766 ETH associated with the theft in a provisional locked wallet pending governance approval. The breach’s consequences extended to Aave, with the attacker using the pilfered assets as collateral. Initial assessments indicated a $195 million deficit, while Aave’s detailed incident report predicts a potential debt range from $123.7 million to $230.1 million.

Blame and Theories Over the Breach’s Origin

While LayerZero pointed to Kelp DAO’s infrastructure choices as the root cause, suggesting possible North Korean Lazarus Group involvement, Kelp DAO defended their approach. They claim the single-validator system was part of LayerZero’s foundational framework. Security analysts confirmed the bridge’s reliance on a simple DVN that allowed unauthorized command validation, facilitating the rsETH’s unlawful transfer.
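
The 1-of-1 versus multi-verifier distinction discussed above, as an added example (not LayerZero's or Kelp DAO's code): a simplified quorum model in which HMAC stands in for verifier signatures. The names `VerifierConfig`, `is_verified`, `audit` and the `dvn-*` verifiers are hypothetical, and the keys and message are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical quorum: every `required` verifier plus N of the `optional` ones."""
    required: tuple
    optional: tuple = ()
    optional_threshold: int = 0

    def min_signers(self) -> int:
        return len(self.required) + self.optional_threshold

def attest(key: bytes, message: bytes) -> bytes:
    # HMAC stands in for a verifier's signature in this toy model.
    return hmac.new(key, message, hashlib.sha256).digest()

def is_verified(cfg, keys, message, attestations) -> bool:
    """Accept only if the configured quorum attested to this exact message."""
    def ok(name):
        tag = attestations.get(name)
        return tag is not None and hmac.compare_digest(tag, attest(keys[name], message))
    if not all(ok(v) for v in cfg.required):
        return False
    return sum(ok(v) for v in cfg.optional) >= cfg.optional_threshold

def audit(cfg) -> list:
    """Defender-side check: flag configs that one compromised verifier can satisfy."""
    findings = []
    if cfg.min_signers() == 0:
        findings.append("no verifier required")
    elif cfg.min_signers() == 1:
        findings.append("single point of failure: 1 attestation suffices")
    if cfg.optional_threshold > len(cfg.optional):
        findings.append("threshold exceeds optional verifier count (unsatisfiable)")
    if len(set(cfg.required + cfg.optional)) != len(cfg.required + cfg.optional):
        findings.append("duplicate verifier counted twice")
    return findings

# Constructed sample data: verifier names, keys and message are illustrative.
KEYS = {n: hashlib.sha256(n.encode()).digest() for n in ("dvn-a", "dvn-b", "dvn-c")}
ONE_OF_ONE = VerifierConfig(required=("dvn-a",))
MULTI = VerifierConfig(required=("dvn-a",), optional=("dvn-b", "dvn-c"), optional_threshold=1)

def one_bad_verifier_accepted(cfg) -> bool:
    """Would a message attested only by dvn-a (assumed compromised) pass?"""
    msg = b"constructed cross-chain message"
    return is_verified(cfg, KEYS, msg, {"dvn-a": attest(KEYS["dvn-a"], msg)})
```

Running `audit` over every deployed pathway's verifier configuration before value is routed through it surfaces the single-attestation case; `one_bad_verifier_accepted` shows why that case matters.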

FAQ Section

What networks were used to move the stolen ETH?

The attacker utilized privacy-focused networks like THORChain and Umbra to obscure the transfers of the stolen ETH.

Why was the LayerZero verifier setup criticized?

LayerZero’s 1-of-1 verifier network was seen as a vulnerability, creating a single point of failure that was exploited in the breach.

How did the breach affect the DeFi platform Aave?

The stolen assets were used as collateral on Aave, potentially resulting in a financial shortfall of up to $230.1 million.

What measures are being taken to recover the stolen funds?

Arbitrum froze 30,766 ETH linked to the attack in a locked wallet controlled by governance decisions to prevent further unauthorized access.

Could the Lazarus Group be involved in this exploit?

LayerZero suggested the possibility of the Lazarus Group’s involvement; however, this remains speculative and has not been confirmed.

Overall, the Kelp DAO incident highlights pressing vulnerabilities and trust challenges in cross-chain bridges and the broader DeFi space.
