Arkham Intelligence tracked 75,701 ETH moving into freshly created wallets on April 21 as the suspected Lazarus Group actors behind the $292 million Kelp DAO exploit began routing stolen funds through THORChain and Umbra.
Posted April 22, 2026 at 6:14 am EST.
The wallet addresses tied to the $292 million Kelp DAO bridge exploit began a laundering operation on April 21, moving approximately 75,701 ETH worth roughly $175 million across three transactions into freshly created addresses on the Ethereum mainnet, according to blockchain analytics firm Arkham Intelligence. The movements signal the start of a systematic exit strategy by the suspected North Korean Lazarus Group actors, who may have accelerated their timeline after Arbitrum’s Security Council froze $71 million in stolen ETH on Arbitrum One the night before.
Arkham said 50,700 ETH worth approximately $117 million moved to two newly created wallet addresses, while a separate 25,000 ETH worth roughly $58 million went to a third. Blockchain investigator ZachXBT reported in a Telegram post that some of the stolen funds had already begun crossing chains, flagging three THORChain transactions totaling roughly $1.5 million and a separate $78,000 routed through the privacy protocol Umbra.
This story is an excerpt from the Unchained Daily newsletter.
Subscribe here to get these updates in your email for free
Security firm PeckShield put the broader laundering figure higher, tracking approximately $176 million being dispersed across THORChain, Umbra, Chainflip, and BitTorrent. Less than 0.768 ETH for gas remained in the original exploiter address by Tuesday afternoon, indicating the wallet had largely been emptied.
THORChain does not require Know Your Customer checks and allows direct cross-chain swaps between Ethereum and Bitcoin without a centralized intermediary. During the $1.4 billion Bybit hack in 2025, Lazarus Group converted roughly 83% of stolen ETH into bitcoin, with 72% of those funds moving through THORChain.
Once stolen funds enter Bitcoin rails via decentralized protocols, recovery becomes materially harder: forensic traceability degrades with each hop, and no protocol-level freeze mechanism exists on THORChain equivalent to the governance action Arbitrum used on its own chain.
The laundering activity arrives as the broader fallout from the exploit continues to ripple through DeFi. Aave unfroze WETH reserves on its Ethereum Core V3 market on Tuesday, though reserves across Ethereum Prime, Arbitrum, Base, Mantle, and Linea remain frozen. Aave’s USDT borrow rates spiked from 3% to 14% as liquidity remained constrained, marking the highest rates since December 2024.
DeFi,defi exploit,Kelp DAO,Lazarus Group,Thorchain,yahoodefi exploit,Kelp DAO,Lazarus Group,Thorchain,yahoo#Kelp #DAO #Exploiter #Moves #Million #Stolen #ETH #Wallets #Routing #Funds #THORChain1776856910
