- Arbitrum froze 30,766 ETH before release.
- Attacker moved 75,701 ETH and started sending money to Bitcoin.
- More than $176 million is being withdrawn through several similar channels.
Arbitrum has suspended a large portion of the funds associated with the use of KelpDAO, although the attacker is moving to push the remaining assets out of reach.
The Arbitrum Security Council confirmed that it had frozen 30,766 ETH, valued at $70 million at the time.
The coins were linked to an address linked to the KelpDAO attacker and secured before being released to the network.
The intervention came after an agreement with authorities, indicating that authorities may have leads on the identity of the abuser.
The Arbitrum Security Council has taken emergency action to freeze 30,766 ETH held on the Arbitrum One address associated with KelpDAO. The Security Council took action with the help of law enforcement officials to identify the perpetrator, and, as always,…
– Referee (@referee) April 21, 2026
A race against time
Blockchain researchers, including PeckShield, were involved known that the attacker was already trying to move the money to Arbitrum using a common bridge.
Once that transfer was complete, ETH would have joined the large pool of stolen coins that have been traded on other chains.
By intervening, Arbitrum prevented approximately 29% of the stolen funds from entering the laundry pipeline. However, the rest were not so lucky.
KelpDAO takes in about $290 million in revenue, making it one of the largest financial parties in 2026.
The attacker moved quickly after the first use, distributing funds across multiple wallets and chains in an attempt to slow down tracking.
Convert money to Bitcoin
Following the freeze, the attacker intensified his efforts to move the rest of the money.
The data shows that about 75,701 ETH, which is about $175 million, was transferred to the Ethereum mainnet.
From there, the money started flowing Bitcoin through stable systems such as THORChain, Chainflip, and Umbra Cash, which allow direct exchange without relying on an intermediary exchange.
#PeckShieldAlert The @KelpDAO the exploiter has started stealing stolen funds (~$176M).
They have started to connect small groups of money from #Ethereum to $BTC through @THORChain, @UmbraCash, @chainflipand @BitTorrent. pic.twitter.com/4cm8dOjTWL
– PeckShieldAlert (@PeckShieldAlert) April 21, 2026
PeckShield researchers observed that the attacker only left about 0.7 ETH in some wallets, just enough to pay the transaction fees, while draining the rest in new ways.
This example shows a high level of management and planning.
Another portion of the $176 million in stolen funds has also been transferred in similar transactions.
Instead of destroying everything in one go, the attacker appears to be running multiple streams at once.
This sequential approach reduces the risk of a single failure and makes recovery operations more difficult.
Is North Korea’s notorious Lazarus group affiliated with KelpDAO?
The scale and connectivity of this operation has led investigators to link it to North Korea’s Lazarus group, specifically a sub-group called TraderTraitor.
This is based on practices and methods of elimination that are similar to what has been done in the past by the group.
Lazarus has a long history of targeting crypto platforms and using complex communications to hide stolen funds.
The use of bridges based on the rapid financial evolution seen in the case of KelpDAO is closely related to this process.
