KelpDAO Hacker Reportedly Moves 75,701 ETH Into BTC via THORChain

The hacker behind the KelpDAO exploit has reportedly moved 75,701 ETH into BTC using THORChain and other cross-chain routes, marking one of the largest post-exploit fund conversions in recent DeFi history.

What the Report Says About the 75,701 ETH Move

The attacker reportedly converted nearly all of the stolen Ethereum into native Bitcoin rather than attempting to cash out through centralized exchanges. Cointelegraph reported that nearly all of the 75,700 ETH was laundered through THORChain, a decentralized cross-chain liquidity protocol that enables native asset swaps without intermediaries.

The Arbitrum Security Council issued an emergency action notice related to the incident. LayerZero, whose infrastructure was involved in the exploit chain, also published a statement on the KelpDAO incident outlining its role and response.

Why THORChain and Other Routes Matter in a Cross-Chain Fund Shift

THORChain allows users to swap assets across blockchains without wrapping tokens or relying on centralized bridges. For an attacker holding a large amount of ETH, this makes it possible to convert directly into native BTC without touching any custodial service that might freeze funds.

The reference to "other routes" alongside THORChain suggests the attacker split the funds across multiple pathways. Splitting large sums across several protocols and chains makes it significantly harder for investigators to follow the full trail in real time.

The choice to convert into BTC rather than stablecoins is notable. Bitcoin's UTXO model offers different privacy characteristics than Ethereum's account-based system, potentially making downstream tracing more difficult. This echoes broader patterns seen in DeFi exploit activity, where attackers increasingly favor bitcoin as a destination asset for stolen funds.

What This Reported Move Could Mean for DeFi Security and Fund Tracing

The scale of this reported movement highlights a growing challenge for on-chain investigators. Cross-chain swaps through permissionless protocols like THORChain do not require KYC or account creation, removing a key friction point that centralized exchanges provide.

Bitcoin exchange reserves have been a closely watched metric as large inflows can signal selling pressure or potentially illicit fund movements. Investigators tracking unusual deposit patterns will likely be monitoring major exchanges closely.

The incident arrives during a period of heightened attention to DeFi exploit recovery. While spot Bitcoin ETF inflows have surged in recent weeks drawing institutional capital into crypto, exploit-related fund flows move in the opposite direction, pulling assets out of traceable DeFi ecosystems.

Whether any portion of the converted BTC can be frozen or recovered remains unclear. No official statement from KelpDAO has confirmed the total loss figure or outlined a recovery plan. The use of decentralized, permissionless infrastructure for conversion makes traditional seizure methods far less effective than they would be with centralized exchange transfers.

Cases like this also raise questions about prediction market activity around exploit outcomes, similar to the scrutiny facing platforms like Polymarket over insider knowledge in event-driven markets.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.