KelpDAO Hacker Moves Stolen ETH, Funds Routed to Tron



  • The cybercriminal moved the stolen ETH from Ethereum to Arbitrum using Across Protocol.
  • After being swapped for USDT0, the stolen money was sent to Tron via LayerZero.
  • The exploit happened due to compromised RPC infrastructure hosted by LayerZero.

The hacker behind the nearly $300 million KelpDAO breach is now moving and laundering the money through a complicated cross-chain route.

Blockchain security firm PeckShield says the cybercriminal moved the stolen ETH from Ethereum to Arbitrum using Across Protocol, swapped it for stablecoins (USDT0), and then sent the money to Tron using LayerZero’s infrastructure.

The company also shared on-chain data showing the transactions. Analysts say this multi-step process is meant to break up the digital trail, making it much harder to recover the stolen funds.

The laundering activity follows the largest DeFi hack of 2026, which happened on April 18. About 116,500 rsETH (around $292 million) was stolen. The hack hit KelpDAO’s cross‑chain bridge, which uses LayerZero, and the attacker faked messages to send the funds to their wallets.


How the Hack Was Carried Out

Interestingly, the security researchers said that the breach did not come from a traditional smart contract bug.

Instead, the exploit happened due to compromised RPC (Remote Procedure Call) infrastructure hosted by LayerZero. A single‑validator (DVN) setup created one weak spot, which allowed coordinated DDoS attacks to force malicious validation.

This allowed the attacker to forge transactions that appeared legitimate to the system.

On April 20, Kelp shared a statement saying its top priority is protecting users and stopping the damage from spreading through DeFi. The platform stated it was working with ecosystem partners to assess the impact, line up support, and explore every possible fix.

LayerZero also issued a statement, saying it suspects that the DPRK’s notorious Lazarus Group, or more specifically TraderTraitor, is behind the exploit.

DeFi as a Constant Target

The KelpDAO breach has already shaken the wider market. For example, DeFi’s total value locked (TVL) dropped by over $13 billion right after the incident. Additionally, big protocols like Aave froze markets or cut exposure, while lending platforms saw liquidity crunches and bad debt risks.

The hacker even used stolen assets as collateral to borrow additional funds, which made Aave lose $7 billion in TVL.

This is yet another instance of DeFi protocols being hit hard in 2026, with the amount lost to hacks and exploits reaching over $750 million.


Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.




