VERSE PRESS

Crypto News, Global First.

Kelp DAO Exploiter Moves $175M After Arbitrum Freezes Quarter of Stolen Funds

On-chain data shows laundering activity accelerating in the hours following a Layer 2 governance intervention that locked $71.5 million but left the majority of stolen funds accessible.


Wallets linked to the April 18 Kelp DAO exploit began moving roughly $175 million in stolen funds on April 21, according to on-chain analysts ZachXBT and Arkham Intelligence. The activity followed the Arbitrum Security Council's successful freeze of 30,766 ETH (approximately $71.5 million) the previous day, a measure that recovered about 25% of the total $292 million taken. The attacker, preliminarily attributed to North Korea's Lazarus Group, appears to be in the early stages of dispersing the remaining funds.

What Happened and How

At 17:35 UTC on April 18, an attacker drained 116,500 rsETH from Kelp DAO's cross-chain bridge, which uses LayerZero's messaging infrastructure to move the liquid restaking token across more than 20 blockchain networks. Kelp DAO operates under the KernelDAO umbrella, a protocol that held over $2 billion in total value locked before the hack, which helps explain why it was a high-value target. rsETH is Kelp DAO's liquid restaking token; it lets users earn Ethereum staking rewards while simultaneously using their position as collateral in DeFi lending markets. The 116,500 tokens stolen represent approximately 18% of rsETH's entire circulating supply of roughly 630,000 tokens.

The attack exploited a critical configuration weakness. Kelp's bridge relied on LayerZero's Decentralized Verifier Network (DVN), a system of nodes that authenticate cross-chain messages. Kelp had configured its bridge with a single verifier node rather than multiple independent ones. Attackers compromised two RPC nodes feeding data into that verifier, then launched a coordinated denial-of-service attack on the legitimate network infrastructure. Once that infrastructure was unavailable, the verifier failed over to the attacker-controlled nodes, which allowed the attacker to get fraudulent withdrawals authorized. Malware on the compromised machines deleted itself after the exploit to remove evidence.

Kelp activated an emergency pause at 18:21 UTC, 46 minutes after the initial drain. The pause proved effective: two additional attacks targeting approximately $100 million more in rsETH were blocked at 18:26 and 18:28 UTC. Kelp's first public acknowledgment of the incident came at approximately 20:10 UTC, nearly three hours after the initial drain.

Six attacker wallets had been pre-funded through Tornado Cash roughly 10 hours before the drain, a preparation pattern analysts at Unchained Crypto associate with state-sponsored operations.

The Blame Dispute

LayerZero issued a public post-mortem placing responsibility squarely on Kelp's configuration choices. "KelpDAO chose to utilize a 1/1 DVN configuration," the protocol stated. "A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised." LayerZero also announced it will no longer sign messages for any project running a single-verifier setup.
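The 1/1 versus multi-DVN distinction at the centre of the dispute comes down to how many independent attestations a destination chain demands before it honours a cross-chain message. The following simplified model is an added example, not code from Kelp DAO, LayerZero or this article; the verifier names, the payloads and the choice of which verifier is "compromised" are all constructed here. It shows that with a single required verifier, one compromised verifier is enough to get a forged withdrawal accepted, while a configuration that requires consensus across several independent verifiers rejects the same forgery and, when honest verifiers are knocked offline, fails closed instead of open.

```python
"""Simplified M-of-N verifier quorum for cross-chain messages (added example).

This is a toy model, not LayerZero's or Kelp DAO's implementation. Verifier
names (dvn-A/B/C), payloads and the compromised verifier are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import hashlib


def payload_hash(payload: bytes) -> str:
    """Hash the message payload; verifiers attest to this digest."""
    return hashlib.sha256(payload).hexdigest()


@dataclass(frozen=True)
class VerifierConfig:
    """Every verifier in `required` must attest, plus at least
    `optional_threshold` of those in `optional`."""
    required: Tuple[str, ...]
    optional: Tuple[str, ...] = ()
    optional_threshold: int = 0


@dataclass
class Verifier:
    name: str
    honest: bool = True
    online: bool = True

    def attest(self, genuine: bytes, presented: bytes) -> Optional[str]:
        """An honest verifier attests only to what the source chain actually
        emitted; a compromised one (fed by attacker-controlled RPC nodes)
        attests to whatever it is shown. An offline verifier attests to nothing."""
        if not self.online:
            return None
        if self.honest and presented != genuine:
            return None
        return payload_hash(presented)


def message_verified(config: VerifierConfig, attestations: Dict[str, str], claimed: bytes) -> bool:
    """Accept only if every required verifier and enough optional verifiers
    attested to the digest of the claimed payload."""
    digest = payload_hash(claimed)
    if any(attestations.get(name) != digest for name in config.required):
        return False
    optional_ok = sum(1 for name in config.optional if attestations.get(name) == digest)
    return optional_ok >= config.optional_threshold


def simulate(config: VerifierConfig, verifiers: Dict[str, Verifier], genuine: bytes, presented: bytes) -> bool:
    """Present `presented` to every configured verifier and return whether the
    destination would accept it as a valid message."""
    attestations: Dict[str, str] = {}
    for name in config.required + config.optional:
        digest = verifiers[name].attest(genuine, presented)
        if digest is not None:
            attestations[name] = digest
    return message_verified(config, attestations, presented)


# Constructed sample data: one compromised verifier, two honest ones.
GENUINE = b"withdraw 1 rsETH to 0xUSER"          # what the source chain emitted
FORGED = b"withdraw 116500 rsETH to 0xATTACKER"  # what the attacker presents

VERIFIERS = {
    "dvn-A": Verifier("dvn-A", honest=False),
    "dvn-B": Verifier("dvn-B"),
    "dvn-C": Verifier("dvn-C"),
}

SINGLE = VerifierConfig(required=("dvn-A",))                      # 1/1: one verifier decides
HARDENED = VerifierConfig(required=("dvn-A", "dvn-B"),            # both must agree ...
                          optional=("dvn-C",), optional_threshold=1)  # ... plus 1 of the optional set


def forged_accepted_single() -> bool:
    return simulate(SINGLE, VERIFIERS, GENUINE, FORGED)        # True: one bad verifier suffices


def forged_accepted_hardened() -> bool:
    return simulate(HARDENED, VERIFIERS, GENUINE, FORGED)      # False: dvn-B refuses to attest


def genuine_accepted_hardened() -> bool:
    return simulate(HARDENED, VERIFIERS, GENUINE, GENUINE)     # True: all verifiers agree


def forged_accepted_hardened_honest_offline() -> bool:
    """Denial of service against the honest verifiers removes their attestations;
    the quorum then fails closed (message rejected) rather than open."""
    degraded = dict(VERIFIERS)
    degraded["dvn-B"] = Verifier("dvn-B", online=False)
    degraded["dvn-C"] = Verifier("dvn-C", online=False)
    return simulate(HARDENED, degraded, GENUINE, FORGED)       # False


if __name__ == "__main__":
    print("1/1 accepts forgery:", forged_accepted_single())
    print("multi-DVN accepts forgery:", forged_accepted_hardened())
    print("multi-DVN accepts genuine:", genuine_accepted_hardened())
    print("multi-DVN, honest DVNs offline, accepts forgery:", forged_accepted_hardened_honest_offline())
```

The design point is the asymmetry between the two failure modes: in the single-verifier case a compromise is a loss of safety (forged messages are accepted), whereas in the multi-verifier case taking honest verifiers offline is only a loss of liveness (messages stall until they return). A bridge operator choosing a verifier set is choosing which of those two outcomes an infrastructure compromise produces.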

Kelp DAO disputes this framing, arguing that LayerZero's default settings were the root cause. That dispute remains unresolved and may become the basis for legal or community governance proceedings.

Arbitrum's Freeze and What Followed

The Arbitrum Security Council, which holds emergency powers over the network, froze 30,766 ETH of the exploiter's Arbitrum-based holdings on April 20, completing the transfer to a governance-controlled intermediary wallet at 11:26 p.m. ET. The council said it acted "with input from law enforcement as to the exploiter's identity" and confirmed the funds are "no longer accessible to the address that originally held the funds." Any release of those assets requires a full Arbitrum DAO governance vote, a structural detail that has triggered significant community debate about the balance between decentralization and protocol-level security responses.

Council member Griff Green said the debate was extensive. "We did not make this decision lightly," he said, as reported by DL News. "There were countless hours of debate."

Within hours of the freeze being confirmed, on-chain tracking showed the exploiter moving $117 million and $58 million in separate Ethereum transactions during European trading hours on April 21. An additional $1.5 million was bridged from Ethereum to Bitcoin via Thorchain, and $78,000 was routed through Umbra, a privacy-focused protocol. Analysts described this as the early "layering" stage of money laundering, in which funds are dispersed across multiple venues to obscure their origin.

Broader DeFi Damage

The exploit's secondary impact spread rapidly across DeFi. The attacker deposited 89,567 rsETH into Aave, one of the largest decentralized lending protocols, and borrowed approximately $190 million against it. Aave's total value locked fell from roughly $15 billion to $8.4 billion in 48 hours, with approximately $5.4 billion in Aave withdrawals recorded during that period. Across the broader DeFi sector, total value locked fell by more than $13 billion in the same window, according to CoinDesk. Despite the turbulence, Aave Labs stated that rsETH on Ethereum mainnet remains fully backed; market freezes were enacted as a precaution rather than a response to actual insolvency.

At least nine protocols enacted emergency freezes on rsETH markets, including Aave, SparkLend, Fluid, Lido, Ethena, Morpho, Kamino, Compound, and Euler.

Aave faces estimated bad debt of between $177 million and $230 million, though its DAO treasury holds approximately $181 million as a buffer.

The hack also drew public commentary from Justin Sun, founder of Tron and operator of the HTX exchange. Sun posted a direct appeal to the hacker on social media, writing "Kelp DAO hacker, how much you want? Let's talk," and argued the stolen funds would ultimately prove unspendable. His commentary carried a notable conflict of interest: HTX held over $1.4 billion in USDT stablecoin reserves deposited on Aave at the time, giving Sun a direct financial stake in the platform's stability.

Total 2026 crypto hack losses now stand at $771 million. LayerZero attributed the Kelp attack, with preliminary confidence, to Lazarus Group's TraderTraitor subunit, the same unit linked to the $285 million Drift Protocol hack on April 1. If that attribution holds, the group has extracted more than $577 million from DeFi in 18 days across two structurally different attacks.

What This Means for Users Outside the US

For DeFi participants in South Asia and Africa, the practical consequences are immediate. Users with rsETH positions on Aave V3 or V4 found lending markets frozen without warning, blocking withdrawals and normal liquidation flows. The KERNEL governance token, issued by KernelDAO and widely held by South Asian retail investors, experienced direct price volatility in the aftermath. Korean exchanges Upbit and Bithumb issued KERNEL volatility warnings, underscoring that the protocol's retail footprint extends broadly across Asia. LayerZero's new mandatory multi-verifier policy will require developers building on its bridge standard to rewrite and reaudit contracts, a costly and time-sensitive process for teams in emerging markets with limited resources.

The Arbitrum Security Council's intervention has also renewed debate about Layer 2 centralization. A 12-member council acting on law enforcement guidance to freeze user-adjacent funds is a significant governance action, even when the intent is recovery. For users in Nigeria, Kenya, India, and elsewhere who adopt on-chain infrastructure specifically for its resistance to third-party interference, that precedent carries weight well beyond the immediate crisis.