The hacker behind the KelpDAO exploit has converted approximately 75,700 Ethereum tokens, valued at around $175 million, into Bitcoin in a rapid cross-chain laundering sprint spanning roughly 36 hours. On-chain analyst EmberCN flagged the movement, noting the stolen funds have been “almost entirely” swapped into BTC as of April 23, 2026. The speed of the conversion marks a significant escalation in the attacker’s post-exploit activity.
The timing of the acceleration is directly tied to intervention by Arbitrum’s Security Council, which froze 30,766 ETH linked to the exploit earlier this week.
Faced with shrinking options on Arbitrum, the attacker pivoted quickly, routing the remaining accessible funds through cross-chain infrastructure to convert assets before further freezes could be enacted.
THORChain at the Center of the Cross-Chain Exit
THORChain served as the primary vehicle for the swap, processing the bulk of the ETH-to-BTC conversions without requiring identity verification or custodial approval. The protocol is explicitly designed to be permissionless and censorship-resistant, with no admin key and no centralized multisig controlling the network. According to THORChain’s own communications, the protocol operates across 95 globally distributed nodes with no single point of control.
EmberCN’s analysis confirmed that the KelpDAO hacker’s activity generated $800 million in trading volume for THORChain and contributed approximately $910,000 in platform fee revenue during the laundering window.
That figure underscores how decentralized infrastructure, while serving legitimate cross-chain users daily, also becomes an inadvertent revenue source during large-scale exploit laundering events.
The use of THORChain for post-hack fund movement is not new to the crypto space, but the scale of this particular operation drew immediate attention.
Converting $175 million in stolen ETH within 36 hours represents one of the fastest documented laundering sprints involving a single DeFi protocol exploit in recent memory.
Privacy Protocols Pulled and DeFi Deposits Crater
Before the bulk conversion moved through THORChain, EmberCN noted the attacker routed smaller sums through Umbra Cash, a privacy-focused stealth payment protocol designed to obscure on-chain transaction trails. According to the analyst’s follow-up post, several smaller ETH transfers were executed through Umbra in what appeared to be an early-stage obfuscation attempt before the larger cross-chain conversion began.
Umbra’s development team responded by pulling the hosted frontend offline entirely, placing the interface into maintenance mode. In a statement, the team said access to the hosted frontend would be restored only once doing so would not interfere with ongoing recovery efforts.
The move reflects a growing pattern in which privacy protocol teams face pressure to act unilaterally when their infrastructure intersects with major exploit activity, even if the underlying smart contracts themselves remain immutable and unstoppable.
The broader DeFi market absorbed visible collateral damage from the KelpDAO incident. EmberCN reported that Aave’s total deposit volume dropped from $45.8 billion to approximately $29.6 billion in the wake of the rsETH-related incident, representing a cumulative outflow of around $16.2 billion.
Aave’s deposit base, which serves as a key barometer of DeFi confidence and capital deployment, saw one of its sharpest short-term contractions in recent quarters.
That scale of outflow from a protocol as established as Aave signals how deeply interconnected restaked ETH derivatives have become with broader DeFi liquidity.
When a restaking-linked token comes under pressure through exploit activity, the ripple effect extends far beyond the original protocol, pulling deposits from blue-chip lending markets as users reassess collateral risk across the ecosystem.
Arbitrum’s Security Council freeze of 30,766 ETH demonstrates that Layer 2 governance bodies retain emergency powers capable of materially disrupting attacker operations, yet the KelpDAO case also illustrates the limits of those interventions.
When a hacker retains access to ETH on other chains or in non-custodial wallets, a single-chain freeze simply accelerates the laundering clock rather than stopping it.
The attacker’s ability to convert $175 million into Bitcoin in under two days while simultaneously using privacy protocols for smaller flows represents a textbook example of a sophisticated post-exploit exit strategy, one that on-chain analysts and security teams will be dissecting for weeks.
