KelpDAO reportedly lost over $292 million after attackers siphoned off assets from multiple Decentralized Finance (DeFi) protocols on both Ethereum and Arbitrum.
on-chain investigator ZachXBT discovered the incident, pointing out that six wallets controlled by the attacker were actively moving the stolen funds.
How the KelpDAO attack occurred
Blockchain data shows that the attackers' wallets received initial Capital throughTornado Cash — a coin mixing service that secures transactions — just hours before the theft began.
These wallets then interact with DeFi protocols, approving and Token Swap via KyberSwap and KelpDAO, and finally converting everything into ether (ETH).
“KelpDAO appears to have been robbed of over $280 million just an hour ago on Ethereum and Arbitrum. The hacked addresses were all Capital via Tornado Cash,” ZachXBT stated on Telegram.
In less than an hour, the attacker amassed approximately 75,700 ETH, worth roughly $178 million at current prices , into a single wallet .
The remaining stolen assets include other Token and positions on Arbitrum. At the time of writing, no withdrawals have been recorded from this synthetic wallet.
This model suggests that it is more likely the attacker obtained the private key rather than exploiting a smart contract vulnerability in a specific protocol.
The victim appears to have allocated significant Capital to DeFi across both blockchains , and the attacker systematically withdrew and swapped all positions back to native ETH .
The trend of attacking "whale" wallets is increasing.
This incident follows a rise in phishing scams and social media attacks targeting high-value wallets.
In January 2026 alone, one phishing victim lost $284 million, accounting for over 70% of the total cryptocurrency theft losses that month.
If the $292 million figure is confirmed, this would be one of the largest personal wallet thefts ever.
Security experts are expected to release more detailed on-chain data analysis in the next few hours.
KelpDAO has yet to publicly respond to this matter, and did not immediately respond when contacted by BeInCrypto.
Additionally, there are reports that the Instagram account of the meme coin launch platform Solana – Pump.fun – has been compromised.
“Absolutely do not trust any posts on Pump.fun’s official Instagram account. Ignore all posts until we regain control of the account,” the team warned .
However, Pump.fun's platforms are still operating normally and user assets remain secure.
