Kelp DAO Hacker Moves $104 Million in Stolen ETH Through THORchain

A hacker tied to the Kelp DAO breach just pushed around $104 million worth of stolen Ether through THORchain. The move came fast.

Arbitrum’s security council froze $71 million before the attacker could touch it, but the rest slipped through. The original haul was 75,700 ETH—worth roughly $175 million when the breach happened. That’s a lot of money moving through decentralized rails, and it shows how quickly things can shift once an exploit goes live. The hacker didn’t waste time. They used THORchain, a decentralized exchange that lets people swap assets across different blockchains without a central authority watching every move. It’s designed for privacy and speed, which makes it pretty useful for legitimate traders. But it also works for people trying to hide stolen funds.

How the Laundering Worked

THORchain operates differently from centralized exchanges like Coinbase or Binance. No KYC checks. No identity verification. Just swaps. The hacker broke the stolen ETH into smaller chunks and moved them through the platform, probably converting some into other tokens along the way. That’s standard practice for laundering crypto—split it up, swap it around, make it harder to trace. The blockchain still records every transaction, but following the trail gets messy when funds bounce between protocols and token types.

The $104 million that got laundered is gone for now. Tracking it down will take serious blockchain forensics work, and even then, recovery isn’t guaranteed. Decentralized finance platforms don’t have a “reverse transaction” button. Once the funds move, they move. And THORchain’s structure makes it tough to freeze assets mid-swap because there’s no central entity controlling the platform. It’s all smart contracts and liquidity pools.

Arbitrum acted fast, though. Their security council locked down $71 million before the hacker could access it. That intervention probably saved Kelp DAO users from losing even more. But it also raises questions about how decentralized these platforms really are when a council can freeze funds. That’s a debate for another day. Right now, the focus is on what happens to the frozen ETH and whether investigators can claw back any of the laundered portion.

What Kelp DAO Lost

Kelp DAO got hit hard. The protocol deals with liquid staking derivatives, which means users deposit ETH and get tokens representing their staked assets. Those tokens can be used across DeFi platforms while the original ETH earns staking rewards. It’s a popular setup. But it also creates a big target. Smart contract exploits in this space can drain massive amounts of value in minutes.

The 75,700 ETH stolen from Kelp DAO represents one of the bigger hacks in recent months. Not the biggest—DeFi has seen worse—but big enough to hurt. Users who had funds in the protocol are probably sweating right now, waiting to see if they’ll get anything back. Some might recover partial losses if the frozen funds get redistributed. Others might be out of luck entirely, depending on how the platform handles reimbursements.

See also: Kelp DAO Hack Triggers Finger-Pointing Over $290 Million Crypto Loss

Kelp DAO hasn’t said much publicly since the exploit. No detailed post-mortem. No timeline for recovery. Just silence. THORchain also didn’t comment on the laundering activity, which isn’t surprising. Decentralized exchanges typically don’t monitor or restrict transactions unless they’re legally compelled to do so. And even then, enforcement is tricky when there’s no company headquarters to raid or CEO to subpoena.

The crypto community is watching closely. Exploits like these shake confidence in DeFi protocols, especially ones handling large amounts of user funds. Every hack prompts the same questions: Was the smart contract audited? Were there warnings? Could this have been prevented? Sometimes the answers are clear. Other times, it’s just bad luck—a zero-day vulnerability nobody spotted until it was too late.

Frozen Funds and What Comes Next

The $71 million frozen by Arbitrum sits in limbo. Arbitrum’s security council can lock assets on its Layer 2 network when there’s a clear security threat. That power is controversial. Some people see it as a necessary safeguard. Others think it undermines the whole point of decentralized finance. If a small group can freeze your funds, are they really your funds?

But in situations like this, most users probably appreciate the intervention. Better to have $71 million locked down than watch it all disappear through THORchain. The frozen ETH might eventually go back to affected users, assuming Kelp DAO and Arbitrum can work out a distribution plan. That process could take weeks or months. Legal questions, technical challenges, and community governance all play a role.

Recovering the $104 million that got laundered is a different story. Blockchain analytics firms can trace the funds to some extent, following the path through THORchain and beyond. But tracing doesn’t equal recovering. The hacker probably moved assets into privacy coins, mixed them through multiple protocols, or converted them into tokens that are harder to track. Each step makes recovery less likely.

More context: HackerOne Logs 85,000 Valid Bug Reports in 2025 as AI Tools Flood Platforms

Law enforcement agencies sometimes get involved in major crypto hacks, especially when the amounts are this large. But investigations take time, and cross-border complications make things messier. If the hacker is operating from a jurisdiction that doesn’t cooperate with U.S. or European authorities, good luck getting anything back. The decentralized nature of crypto is a feature until it becomes a problem.

DeFi platforms are learning hard lessons about security. Smart contract audits help, but they’re not foolproof. Bug bounty programs catch some vulnerabilities before attackers do. Multi-signature wallets and time-locked transactions add layers of protection. Still, exploits keep happening. The space moves fast, and security often struggles to keep up.

The Kelp DAO hack won’t be the last big exploit in DeFi. It probably won’t even be the last this year. But each incident pushes developers to build better safeguards and forces users to think harder about where they’re putting their money. Trust in DeFi comes down to code quality and response speed when things go wrong. Kelp DAO’s response will shape how users view the protocol going forward.