Kelp DAO Exploiter Funnels ~$80M Through THORChain After Arbitrum Freeze
April 22, 2026 | Verse Press
The attacker behind the April 18 Kelp DAO breach has laundered approximately $80 million in stolen ETH through cross-chain swap protocol THORChain, according to on-chain data published Tuesday by The Block. The laundering activity follows an emergency freeze by Arbitrum's Security Council that locked roughly $71 million in stolen funds on April 21, after which the exploiter moved quickly to disperse the remaining funds through alternative routes.
How the Exploit Unfolded
Kelp DAO operates as a liquid restaking protocol on Ethereum, allowing users to stake ETH and receive a tradeable token (rsETH) representing their position. On April 18, an attacker compromised two RPC nodes connected to Kelp's LayerZero-powered cross-chain bridge. RPC nodes are the software interfaces that let applications communicate with a blockchain network. By poisoning those nodes and launching a distributed denial-of-service attack, the attacker forced the bridge to fall back to compromised verifiers. This allowed a fraudulent cross-chain message to pass as legitimate, releasing 116,500 rsETH (roughly 18% of circulating supply, worth approximately $292 million) to an attacker-controlled wallet.
Kelp's emergency multisig paused core contracts within 46 minutes, preventing an estimated additional $200 million in losses. The exploiter, however, already held the funds.
LayerZero publicly attributed the attack to North Korea's Lazarus Group, specifically a subunit known as Trader Traitor, a state-sponsored cyber-espionage and theft unit. The company also pointed to Kelp's use of a "1-of-1 Decentralized Verifier Network (DVN)" configuration, meaning a single verifier was responsible for validating cross-chain messages with no independent backup. LayerZero called this setup "a dangerous single point of failure because no independent verifier existed to challenge suspicious activity." Kelp DAO pushed back, stating the configuration "is the default outlined in LayerZero's own documentation for new OFT deployments" and had been explicitly confirmed as appropriate during Layer 2 expansion reviews.
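The single-verifier weakness described above can be seen in a small model. This is an added example, not code from LayerZero or Kelp DAO: the verifier names, keys and the accept() function are hypothetical, and HMAC stands in for the signatures a real verifier network would use.

```python
import hashlib
import hmac

# Constructed verifier keys; every name here is hypothetical. HMAC is a
# modelling shortcut for the signatures real verifiers would produce.
VERIFIER_KEYS = {
    "dvn-a": b"constructed-key-a",
    "dvn-b": b"constructed-key-b",
    "dvn-c": b"constructed-key-c",
}


def attest(verifier: str, message: bytes) -> bytes:
    """Attestation a verifier issues for a message it believes is genuine."""
    return hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).digest()


def accept(message: bytes, attestations: dict, required: set, threshold: int) -> bool:
    """Accept a cross-chain message only if enough configured verifiers attested."""
    if threshold < 1 or threshold > len(required):
        raise ValueError("threshold must be between 1 and the verifier count")
    valid = {
        v for v, sig in attestations.items()
        if v in required and hmac.compare_digest(sig, attest(v, message))
    }
    return len(valid) >= threshold


# Constructed scenario: dvn-a has been fed false chain data and attests a
# message that the other verifiers never observed on the source chain.
FRAUDULENT = b"release 116500 rsETH to attacker-wallet"
COMPROMISED_ONLY = {"dvn-a": attest("dvn-a", FRAUDULENT)}

ONE_OF_ONE = ({"dvn-a"}, 1)                      # the configuration at issue
TWO_OF_THREE = ({"dvn-a", "dvn-b", "dvn-c"}, 2)  # independent quorum

if __name__ == "__main__":
    for name, (dvns, m) in (("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)):
        ok = accept(FRAUDULENT, COMPROMISED_ONLY, dvns, m)
        print(f"{name}: fraudulent message accepted = {ok}")
```

Under the 2-of-3 setting the same compromised attestation is not enough, because no second independent verifier vouches for the message.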
THORChain Volume Spikes More Than 11x
After Arbitrum's Security Council froze 30,766 ETH (approximately $71 million) on April 21, the exploiter moved the remaining funds quickly. On-chain analysts tracked three transactions totaling roughly 75,700 ETH (about $175 million) leaving the attacker's addresses. Of that, approximately $80 million was routed through THORChain, a decentralized protocol that enables swaps across blockchains without a central operator.
That activity drove THORChain's 24-hour swap volume to $394 million, compared to its typical daily range of under $35 million. The protocol's native token, RUNE, was trading at approximately $0.46 with a 24-hour trading volume of around $202 million as of Tuesday. Smaller amounts were also moved through Chainflip, BitTorrent, and Umbra, a privacy-focused transfer protocol that received approximately $78,000 of the stolen funds.
On-chain investigator ZachXBT, whose tracking was confirmed by Arkham Intelligence and PeckShield, noted in an early update on April 21 that "part of the stolen funds had already begun flowing through privacy-focused infrastructure, including THORChain and Umbra." The Block's subsequent analysis, published April 22, placed the cumulative THORChain total at approximately $80 million.
DeFi Contagion
The fallout extends well beyond the attacker and the protocol. Aave V3, a major DeFi lending platform, faces an estimated $123.7 million to $230.1 million in bad debt after the exploiter deposited stolen rsETH as collateral and borrowed large amounts of WETH and wstETH against it. Aave's total value locked dropped roughly $8 billion within 48 hours and its governance token fell approximately 20% in a single day. Across DeFi broadly, total value locked declined by around $13 billion in two days following the exploit.
Regional Exposure: South Asia and Africa
India, which leads the 2026 Global Crypto Adoption Index, has a significant base of retail users who interact with liquid restaking protocols and cross-chain bridges for ETH yield. Indian and Pakistani retail investors frequently use liquid restaking protocols like Kelp DAO for yield on ETH holdings, and the rsETH depeg and resulting liquidity crunch hit those users directly. India's Financial Intelligence Unit and SEBI have deepened oversight of offshore DeFi exposure in recent months, though no specific regulatory response to this incident has been issued.
In Africa, Nigeria's recently enacted Investments and Securities Act classifies digital assets as securities and includes an active AML/CFT/CPF Supervision Pilot for registered crypto businesses. Alongside that tightening, the Central Bank of Nigeria relaxed bank-VASP restrictions, so stricter financial crime oversight is proceeding in parallel with easier banking access for crypto firms. Kenya's VASP law, passed in October 2025, splits oversight between the Central Bank and the Capital Markets Authority but does not yet address decentralized protocols directly. South African exchanges, which already underwent security reviews following the Bybit hack, now face renewed scrutiny over integrations with LayerZero-based infrastructure. Approximately eight African nations now have crypto-specific regulations in place, with these frameworks concentrated on AML/KYC compliance at the exchange layer and not yet reaching decentralized protocols. Incidents like this one, where a permissionless protocol becomes the primary laundering channel, are precisely the kind of event that pushes emerging-market regulators to extend oversight beyond centralized exchanges.
THORChain Has Seen This Before
This is not THORChain's first appearance in a major laundering case. After the February 2025 Bybit hack, in which roughly $1.4 to $1.5 billion in ETH was stolen and attributed to the same Lazarus Group, approximately $1.2 billion was routed through THORChain within ten days. In January 2026, a separate $282 million hack saw stolen funds laundered through THORChain and converted to Monero, marking a third major incident in the protocol's pattern of use as a laundering channel. Node operators on the protocol reportedly earned between $5 million and $10 million in fees from the Bybit-related transactions alone. A March 2026 CertiK security report labeled THORChain "a frequent laundering route for major thefts," citing its permissionless and non-custodial design as the primary factor.
Taylor Monahan, a security researcher at MetaMask, put it pointedly in the wake of the Bybit hack, a remark that carries renewed relevance in the Kelp DAO case: "Kim Jong Un sends his deepest gratitude to Thorchain, Asgardex, and eXch."
THORChain community member John-Paul Thorbjornsen has argued the protocol's structure means operators cannot reasonably police individual users: "Node operators on Thorchain are not unlike node operators on other chains. They are not there to form an opinion on who should use the chain." Crypto legal consultant Yuriy Brisov offered a different read: "Thorchain's decentralised nature does not fully insulate it from the legal ramifications of facilitating illicit transactions."
What Comes Next
The laundering is ongoing and total figures will rise. The core technical questions, particularly around DVN configuration standards and who bears responsibility when default settings fail, remain unresolved between Kelp DAO and LayerZero. THORChain itself faces mounting legal exposure. Brisov's warning that decentralization does not insulate the protocol from liability points to a question regulators and enforcement agencies are beginning to press: whether repeated, large-scale laundering through a single permissionless venue creates grounds for action regardless of the protocol's non-custodial design. For developers building cross-chain products in high-adoption markets like India, Nigeria, and Kenya, the incident is a concrete reminder that a single-verifier bridge design is not an acceptable risk posture for high-value deployments.