- Trending
- Comments
- Latest
The attacker behind the Kelp DAO exploit has moved approximately 75,700 ETH across freshly created wallets, with blockchain investigator ZachXBT confirming early-stage laundering activity through THORChain and Umbra, as Aave’s potential bad debt exposure climbs to $230 million.
According to on-chain data, the entity responsible for the Kelp DAO exploit transferred roughly 75,700 ETH in a series of transactions on Tuesday. These included a 25,000 ETH transfer to a newly created wallet and additional movements of 50,700 ETH and a smaller 0.7 ETH amount into another fresh address. The scale and structure of these transfers point to a calculated attempt to obscure the origin of the stolen funds.
Blockchain investigator ZachXBT reported that wallets tied to the Kelp DAO exploit have already begun routing funds through privacy-focused and cross-chain protocols. In a Telegram update, he highlighted activity involving THORChain and Umbra, both known for enabling more obfuscated transaction flows.
ZachXBT noted that three THORChain transactions totaling approximately $1.5 million had already been executed, alongside a separate $78,000 transfer through Umbra. These early-stage movements indicate the attacker is testing liquidity routes and anonymization pathways—common tactics following major crypto exploits.
The Kelp DAO exploit itself occurred days earlier, when an attacker drained roughly 116,500 restaked Ether (rsETH), valued between $290 million and $293 million at the time. The breach targeted Kelp DAO’s bridge infrastructure, which relies on technology developed by LayerZero Labs.
LayerZero later disclosed that the exploit stemmed from a flawed decentralized verifier network (DVN) configuration. Specifically, Kelp DAO’s setup relied on a single verification pathway, effectively creating a single point of failure. “We had previously advised against this configuration,” LayerZero stated, underscoring the architectural vulnerability that enabled the Kelp DAO exploit.
The consequences of the Kelp DAO exploit have quickly spread across the broader DeFi ecosystem. In response to the incident, the Arbitrum Security Council took emergency action, freezing 30,766 ETH linked to the exploit. The funds were transferred into a controlled intermediary wallet, accessible only through governance procedures.
Despite these containment efforts, the attacker has already leveraged portions of the stolen assets within other protocols. Lending platform Aave confirmed that the exploiter used the compromised funds as collateral to borrow additional assets, amplifying systemic risk.
Initial damage estimates from Aave suggested a $195 million exposure. However, a subsequent incident report outlined two possible scenarios: one projecting $123.7 million in bad debt and another estimating losses as high as $230.1 million. The uncertainty highlights how deeply the Kelp DAO exploit has impacted interconnected DeFi markets.
The use of non-custodial platforms complicates recovery efforts. THORChain, for instance, does not enforce traditional Know Your Customer (KYC) requirements, making it harder for authorities and analysts to trace or freeze funds. This dynamic has become increasingly familiar in large-scale exploits.
During the 2025 Bybit hack 2025, attackers converted roughly 83% of stolen Ether into Bitcoin, with 72% of those funds routed through THORChain. Ben Zhou later revealed that while 77% of the funds remained traceable, the laundering process significantly delayed recovery efforts—a pattern now repeating in the Kelp DAO exploit.
The financial aftershocks of the Kelp DAO exploit are now visible in DeFi liquidity metrics. Aave recently announced it had re-enabled Wrapped Ether (WETH) reserves on its Ethereum Core V3 market, allowing users to resume supply activity. However, reserves across other networks—including Arbitrum, Base, Mantle, and Linea—remain frozen as a precaution.
Liquidity constraints have driven sharp increases in borrowing costs. According to Julio Moreno, rates for USDt (USDT) surged from 3% to 14%, marking their highest levels since December 2024. Moreno shared the update via X, pointing to tightening liquidity conditions triggered by the Kelp DAO exploit.
Investor confidence has also taken a hit. Data from DefiLlama shows Aave’s total value locked (TVL) has dropped by approximately $10 billion since the exploit, falling to $16.4 billion as of Tuesday. The outflows reflect growing fears of contagion as users pull funds from potentially exposed protocols.
Beyond immediate financial losses, the Kelp DAO exploit underscores persistent vulnerabilities in DeFi infrastructure—particularly in cross-chain bridges and verification mechanisms. The reliance on a single verifier path, despite prior warnings, highlights the gap between theoretical decentralization and practical implementation.
Security experts argue that robust multi-verifier systems and layered validation mechanisms are essential to prevent similar breaches. As attackers become more sophisticated, protocols must adapt by strengthening both technical architecture and governance frameworks.
For now, the Kelp DAO exploit remains an evolving situation. With large sums already in motion and laundering efforts underway, recovery prospects grow increasingly complex. The incident serves as a stark reminder that while DeFi continues to innovate, its security foundations must evolve just as rapidly.
Copyright © 2025 - The Bit Gazette.
