Kelp DAO Exploiter Launders $80 Million in ETH Through THORChain
The hacker behind the massive $292 million Kelp DAO exploit has laundered approximately $80 million worth of Ethereum, according to on-chain analyst EmberCN.
Quick Summary
- Laundered amount: ~$80 Million (34,500 ETH)
- Primary laundering method: THORChain
- THORChain 24-hour swap volume: $394 Million (normal: under $35 Million)
- Fee earned by THORChain: ~$456,000
Details of the Laundering Activity
The Kelp DAO exploiter moved roughly $175 million in ETH off the Ethereum network on Tuesday. Since then, the attacker has successfully laundered around 34,500 ETH, worth about $80 million.
Blockchain analysis firm EmberCN reported that most of the stolen ETH was swapped into Bitcoin (BTC) using the cross-chain decentralized exchange THORChain.
Why the Exploiter Rushed to Launder Funds
According to EmberCN, the exploiter accelerated the laundering process after the Arbitrum Security Council froze 30,766 ETH of the stolen funds. This action forced the hacker to quickly move and convert the remaining assets.
THORChain Sees Massive Surge in Volume
THORChain experienced an unusual spike in activity following the laundering. The protocol recorded a $394 million swap volume in the past 24 hours — far above its typical daily volume of $10 million to $35 million.
As a result, THORChain earned approximately $456,000 in fees from these high-volume swaps.
THORChain’s Role and Previous Controversies
THORChain has been used before by North Korean hackers, including in the laundering of funds from the $1.5 billion Bybit exchange hack. LayerZero has linked the Kelp DAO exploit to North Korea’s Lazarus Group.
Despite heavy criticism for not blocking funds tied to sanctioned actors, THORChain maintains a strict permissionless policy.
In an official statement, THORChain explained:
“THORChain was modelled after Bitcoin — permissionless and censorship-resistant. There is no admin key, no multisig, and no single entity in control. The code is neutral, and the nodes enforce it.”
What This Means for DeFi Security
This incident highlights how cross-chain protocols like THORChain are increasingly being used by hackers to launder stolen crypto assets quickly and anonymously.
Users and projects are advised to remain vigilant as large-scale exploits continue to impact the crypto ecosystem.
