The attack on the cross-chain Kelp DAO continues to unfold: hackers have laundered approximately $80 million worth of ETH, largely through the THORChain decentralized swap protocol, according to the latest on-chain analytics from EmberCN.
According to blockchain data published on social network X, the attacker laundered approximately 34,500 ETH after transferring around $175 million worth of ETH out of the Ethereum network earlier this week. This is the latest development in the $292 million hack targeting the Kelp DAO — one of the most serious security incidents in the DeFi ecosystem in recent times.
Previously, the Arbitrum Security Council intervened promptly by freezing 30,766 ETH related to the attack. This action is believed to have prompted the hackers to quickly move the remaining assets to avoid further freezing. This development reflects the familiar "race" between blockchain security groups and cybercriminals in the cryptocurrency field: whenever a portion of assets is blocked, hackers immediately seek to transfer the rest through decentralized protocols.
The majority of the stolen ETH was swapped for BTC via THORChain, a non-custodial cross-chain protocol that allows asset swaps between multiple blockchains without intermediaries. This event caused a surge in THORChain's volume. Data from the protocol's dashboard shows that the swap volume in 24 hours reached approximately $394 million, generating over $456,000 in transaction fees, many times higher than the usual daily volume of around $10–35 million. This demonstrates that large-scale hacks not only cause losses for victims but also inadvertently generate enormous capital for permissionless DeFi protocols.
This isn't the first time THORChain has been mentioned in large-scale crypto money laundering cases. Previously, the protocol was accused of being used by North Korean hacker groups to convert stolen ETH to BTC, including the hack of over $1.5 billion from the Bybit exchange. In the Kelp DAO case, LayerZero suggested that North Korea's Lazarus group was highly likely behind the attack, raising concerns about state-sponsored cybercrime organizations continuing to exploit DeFi as a tool for cross-border money laundering.






