
The KelpDAO hacker has converted nearly the entire $175 million ETH haul into Bitcoin in under 36 hours, accelerating a laundering operation that now ranks among the fastest large-scale crypto cash-outs of 2026. On-chain data shows 75,700 ETH moved through THORChain — a decentralized cross-chain liquidity protocol — between April 21 and April 23, with the attacker's activity generating roughly $800 million in platform volume and $910,000 in fee revenue for THORChain liquidity providers.
The funds originated from the April 18 KelpDAO rsETH exploit, in which attackers forged a cross-chain message on a single-verifier LayerZero route and drained 116,500 rsETH from the protocol's bridge inventory.
At current prices of roughly $2,398 per ETH and $94,100 per BTC per CoinGecko, the swap leaves the exploiter holding approximately 1,860 BTC — a position significantly harder to trace or claw back than the original Ethereum-based funds.
THORChain ETH to BTC swaps dominated the laundering flow
THORChain processed the vast majority of the KelpDAO hacker's outbound flow, per tracking from on-chain sleuth ZachXBT and analytics firm PeckShield. The protocol's native swap mechanism — which uses liquidity pools rather than custodial bridges — allowed the attacker to move from ETH to native BTC without passing through a centralized exchange or a mixer that could be sanctioned or frozen.
The $910,000 in fees generated in under two days underscores how DPRK-linked actors have operationally normalized THORChain as laundering rails. The same protocol processed a significant share of the $1.46 billion Bybit hack laundering flow earlier this cycle, according to Elliptic's post-incident analysis.
Lazarus Group crypto laundering pattern repeats after rsETH exploit
LayerZero Labs previously attributed the underlying rsETH exploit to TraderTraitor, a subunit of North Korea's Lazarus Group, via a compromised 1-of-1 DVN (Decentralized Verifier Network) configuration. The conversion speed observed over the past 36 hours is consistent with prior Lazarus Group crypto laundering operations documented by TRM Labs, which noted the group typically completes the ETH-to-BTC leg within 48 hours of a successful exploit.
Not all of the attacker's funds have moved. Arbitrum's Security Council still holds 30,766 ETH (roughly $74 million at current prices) frozen at a protocol-controlled address, per the council's on-chain governance actions. Recovery of those funds requires a further governance vote.
Meanwhile, the leveraged positions opened against stolen rsETH on Aave V3 remain unresolved. Aave Labs' published modeling puts potential protocol bad debt between $124 million and $230 million depending on how KelpDAO allocates the shortfall across rsETH holders. KelpDAO, LayerZero Labs, and Aave Labs are still coordinating on unpause and loss-socialization terms.









