KelpDAO attacker converts nearly $175 million in ETH to BTC through THORChain
Onchain analysts say the KelpDAO attacker converted 75,700 ETH into BTC through THORChain after using DeFi lending markets and wallet fragmentation to move funds.
The attacker behind the KelpDAO exploit has swapped nearly all 75,700 ETH, worth about $175 million, into Bitcoin within roughly a day and a half, according to onchain analysts Smart Ape and EmberCN.
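In a day and a half, nearly all of the KelpDAO hacker's 75,700 ETH ($175 million) has now been swapped into BTC.
The protocol the hacker mainly used to swap ETH cross-chain into BTC was THORChain, and the hacker's usage also brought THORChain $800 million in trading volume and $910,000 in platform fee revenue.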
— 余烬 (@EmberCN) April 23, 2026
The swaps were executed primarily through THORChain, in a burst of activity that generated about $800 million in trading volume and roughly $910,000 in fees for the protocol.
The conversion marks a late stage in a broader laundering pipeline that began after the April 18 exploit, which drained approximately 116,500 rsETH, valued at around $292 million. The attacker moved quickly to extract usable liquidity before the protocol could fully contain the damage, taking advantage of DeFi lending markets and cross chain infrastructure.
Before the exploit, the attacker set up multiple wallets funded through the mixer Tornado Cash, allowing them to operate without prior transaction history. They also tested cross chain routes across networks including Avalanche and Arbitrum, preparing the infrastructure needed for rapid execution.
The exploit itself relied on manipulating a cross chain message verification process tied to LayerZero. This allowed the attacker to trigger a release of 116,500 rsETH in a single transaction, representing about 18% of the token’s total supply. Attempts to repeat the exploit were blocked after the protocol was paused roughly 46 minutes later.
With rsETH effectively frozen and illiquid, the attacker turned to DeFi lending protocols including Aave and Compound. By depositing stolen rsETH as collateral, they borrowed approximately $190 million in ETH and staked ETH variants, converting compromised assets into liquid funds before markets could react.
This maneuver shifted potential losses onto lending platforms. As the market recognized the risk of bad debt tied to the collateral, Aave reportedly saw around $8 billion in total value locked exit within 48 hours, marking one of the largest stress events in DeFi lending to date.
The borrowed ETH was then consolidated into a central wallet structure and split across chains. About 75,700 ETH remained on Ethereum mainnet, while 30,766 ETH, worth roughly $71 million, was moved to Arbitrum. The Arbitrum Security Council intervened to freeze the latter portion, limiting the attacker’s access to part of the funds.
Following the freeze, the attacker accelerated the laundering process. Funds were distributed across more than 100 newly generated wallets in a fragmentation strategy designed to reduce traceability. Analysts note that such wallet expansion can be automated, allowing thousands of addresses to be created and funded in parallel.
The key transition came through THORChain, which enabled native ETH to BTC swaps without intermediaries. On April 22 alone, THORChain’s daily volume surged to hundreds of millions of dollars, far above its typical baseline, as the attacker routed funds through the protocol.
Converting ETH into Bitcoin serves two purposes. It moves funds across chains beyond certain enforcement mechanisms, and it shifts them into Bitcoin’s UTXO model, where balances are broken into smaller outputs that can be repeatedly split and recombined. This structure significantly increases the complexity of tracking flows in real time.
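As an added illustration (not from the article or the analysts it cites), the sketch below shows how an investigator can still follow value through the split-and-recombine pattern described above using "haircut" taint propagation, in which every output inherits the value-weighted taint of its transaction's inputs. The output ids, amounts and transactions are constructed sample data, and the transactions are assumed to be listed in spend order.

```python
from fractions import Fraction

def propagate_taint(seed_utxos, txs):
    """Haircut taint tracing over a UTXO graph.

    seed_utxos: output_id -> (value, taint fraction in [0, 1])
    txs: list of {"inputs": [output_id], "outputs": [(output_id, value)]}
    Returns the unspent set after all txs, with a taint fraction per output.
    """
    utxos = dict(seed_utxos)
    for tx in txs:
        # pop() raises KeyError on an unknown or already-spent input
        spent = [utxos.pop(i) for i in tx["inputs"]]
        total_in = sum(v for v, _ in spent)
        total_out = sum(v for _, v in tx["outputs"])
        if total_in <= 0 or total_out > total_in:
            raise ValueError("transaction does not balance")
        # Value-weighted average taint of everything that was merged
        ratio = Fraction(sum(v * t for v, t in spent)) / total_in
        for out_id, value in tx["outputs"]:
            utxos[out_id] = (value, ratio)   # fee absorbs its share of taint
    return utxos

def tainted_value(utxos):
    """Total value attributable to the traced source across unspent outputs."""
    return sum(v * t for v, t in utxos.values())

# Constructed sample: one fully tainted output (e.g. a swap payout) and one
# unrelated clean output, then a split, a merge with clean funds, a recombine.
SEED = {"swap_out": (100, Fraction(1)), "clean1": (60, Fraction(0))}
TXS = [
    {"inputs": ["swap_out"], "outputs": [("a", 60), ("b", 40)]},       # split
    {"inputs": ["a", "clean1"], "outputs": [("c", 100), ("d", 20)]},   # merge
    {"inputs": ["b", "d"], "outputs": [("e", 59)]},                    # recombine, fee 1
]

if __name__ == "__main__":
    final = propagate_taint(SEED, TXS)
    for out_id, (value, taint) in sorted(final.items()):
        print(f"{out_id}: value={value} taint={float(taint):.3f}")
    print("tainted value still traceable:", float(tainted_value(final)))
```

Each split or merge multiplies the number of outputs an analyst has to carry forward, which is the tracking cost the paragraph describes; the taint fractions keep the total attributable value conserved apart from fees.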
Additional privacy layers were used alongside THORChain, including stealth address systems like Umbra, alternative cross chain platforms such as Chainflip, and networks like BitTorrent Chain. Each step added further fragmentation and raised the cost of forensic analysis.
The final stages of the pipeline typically involve converting funds into stablecoins, particularly USDT on the TRON network, where transaction costs are low and liquidity is deep. From there, funds are often routed through over the counter brokers operating in jurisdictions with limited oversight, enabling conversion into fiat currency.
Smart Ape said similar laundering patterns have previously been linked by the United Nations Security Council to North Korean state affiliated groups, citing a 2024 UN report that estimated crypto theft accounts for roughly half of the country’s foreign currency income.