KelpDAO hacker transfers 75,701 ETH to mainnet and starts funneling $175 million into Bitcoin.

21.04.2026 10:29

On April 18, a single actor siphoned roughly $292 million from KelpDAO’s liquid restaking platform, exploiting the LayerZero‑powered bridge that ties the protocol to the Arbitrum One network. The breach now stands as the most substantial DeFi theft recorded in 2026.

Within hours, the Arbitrum Security Council reacted swiftly, invoking an emergency freeze that seized 30,766 ETH—worth about $71.15 million—directly from the attacker’s holdings on Arbitrum One. This decisive move was carried out through a privileged system‑level transaction that sidestepped the compromised wallet’s safeguards, effectively pulling the assets back into the network’s custody. KelpDAO praised the council’s promptness and noted that it had been collaborating with the security body and other ecosystem actors for two days to navigate the intervention.

Despite the partial recovery (about 29% of the ether accumulated across chains was retrieved), the hacker continued to liquidate the rest of the stolen balance. After the freeze, the perpetrator transferred the entire remaining 75,701 ETH (roughly $175 million) to the Ethereum mainnet and initiated an intricate laundering strategy.

Security firm PeckShield mapped the fund‑laundering route. The attacker split the stolen coins into small batches and bridged them to Bitcoin through a trio of non‑custodial protocols: THORChain, Umbra Cash, and Chainflip. These cross‑chain liquidity layers facilitate direct swaps between Ethereum and the Bitcoin network without the intervention of a central party. PeckShield’s investigation revealed that the original attacker address is now almost empty, retaining less than 0.768 ETH, presumably only enough to cover gas fees.

LayerZero has linked the on‑chain activity and operational signatures to the notorious Lazarus Group, specifically its “TraderTraitor” subunit, implicating a state‑backed threat actor from North Korea. The incident adds to a series of DeFi losses that have exceeded $600 million over the preceding three weeks, coinciding with a 25% decline in total value locked (TVL) across the sector.