KelpDAO hacker uses multiple networks to move stolen money

The hacker responsible for the KelpDAO exploit, which left losses close to $300 million, is moving and laundering the stolen funds across multiple blockchains, in an operation that remains active and was exposed on April 22, 2026 by the security firm PeckShield.

According to on-chain tracking, the attacker uses a route that runs from Ethereum to Arbitrum, where funds are converted into stablecoins such as USDT0, and then sent to the Tron network using the LayerZero infrastructure. This type of movement, which combines bridges between networks and asset swaps, fragments the trail and makes the capital easier to move.

The use of stablecoins responds to the need to access greater liquidity and reduce exposure to volatility, while the transfer between different networks seeks to make monitoring and possible blocking more difficult. In fact, part of the funds linked to the attack had already been tracked and even partially frozen, which could be motivating the use of more complex routes.

The origin of the case dates back to April 18, when KelpDAO suffered an exploit that affected its LayerZero-based rsETH bridge. The vulnerability occurred due to an insecure system configuration, which allowed the attacker to release a significant amount of assets to addresses under their control.

The incident has led to an exchange of blame between the parties involved, as reported by CriptoNoticias. While KelpDAO has pointed to flaws in the infrastructure used, LayerZero maintains that the problem lay in the configuration adopted by the protocol. Adding to these positions is Arbitrum, whose environment was also used in the funds route and which has attributed responsibility to both parties.

Beyond the amount involved, the case once again highlights the risks associated with interoperability between networks. Cross-chain bridges have been, for years, one of the most vulnerable points within the DeFi ecosystem, accumulating some of the biggest exploits in the sector. Although on-chain traceability allows the movements to be followed, the recovery of funds continues to be a challenge, and everything seems to indicate that this type of incident will continue to be repeated.
