The hacker behind one of the biggest DeFi heists of 2026 is on the move again.
On Wednesday, blockchain security firm PeckShield flagged fresh activity from the wallet tied to the KelpDAO exploit.
The attacker bridged ETH from Ethereum to Arbitrum using the Across Protocol, swapped the funds for USDT0 stablecoin, and then routed them onward to the Tron network via LayerZero’s cross-chain infrastructure.
The transfers come days after the initial April 18 attack, in which the perpetrator drained roughly 116,500 rsETH—valued at about $292 million—from KelpDAO’s LayerZero-powered bridge.
The exploit hinged on a vulnerability in the bridge’s verification setup, reportedly involving a single-verifier configuration that allowed a forged cross-chain message to trigger the release of unbacked tokens. That haul represented around 18% of rsETH’s circulating supply and quickly rippled through the broader ecosystem.
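As an added illustration (not code from the article, KelpDAO or LayerZero), the constructed Python model below shows why a single-verifier setup is fragile: a message vouched for only by one compromised verifier is accepted and releases tokens with no source-chain backing, while requiring several independent verifiers rejects it. Verifier ids, amounts and the data layout are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    nonce: int
    recipient: str
    amount: int          # destination-chain tokens the message asks to release

@dataclass
class BridgeEndpoint:
    """Destination side of a lock-and-release bridge (constructed model)."""
    required: frozenset        # verifier ids that must ALL attest a message
    locked_on_source: int      # tokens genuinely locked on the source chain
    released: int = 0
    seen: set = field(default_factory=set)

    def is_verified(self, msg, attestations):
        # attestations: {verifier_id: set of nonces that verifier vouched for}
        return all(msg.nonce in attestations.get(v, set()) for v in self.required)

    def release(self, msg, attestations):
        if msg.nonce in self.seen:
            return "replay"
        if not self.is_verified(msg, attestations):
            return "rejected"
        self.seen.add(msg.nonce)
        self.released += msg.amount
        return "released"

    def unbacked(self):
        # tokens released on the destination chain with no source-chain backing
        return max(0, self.released - self.locked_on_source)

def simulate(required):
    """Run an honest and a forged message through an endpoint with the given
    required verifier set. Returns (honest_result, forged_result, unbacked)."""
    bridge = BridgeEndpoint(required=frozenset(required), locked_on_source=100)
    honest = Message(nonce=1, recipient="0xUSER", amount=100)
    forged = Message(nonce=2, recipient="0xATTACKER", amount=1000)  # never locked
    # Verifier "A" is assumed compromised and vouches for both messages;
    # independent verifiers "B" and "C" only vouch for what they saw locked.
    attestations = {"A": {1, 2}, "B": {1}, "C": {1}}
    r1 = bridge.release(honest, attestations)
    r2 = bridge.release(forged, attestations)
    return r1, r2, bridge.unbacked()

single = simulate({"A"})            # single-verifier config: forgery accepted
multi = simulate({"A", "B", "C"})   # all three must agree: forgery rejected
```

The detection signal a defender would alert on is the `unbacked()` value: any release total exceeding the amount locked on the source chain means a message was accepted without real backing.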
Movements on stolen funds
Attackers used the stolen rsETH as collateral on lending platforms including Aave, triggering freezes, liquidity crunches, and billions in withdrawals across DeFi protocols as panic spread.
Arbitrum’s Security Council later stepped in with an emergency freeze of approximately 30,766 ETH (worth roughly $70-71 million) linked to the exploiter, moving the assets to a governance-controlled wallet pending further action. Some reports have pointed to possible North Korean Lazarus Group involvement, though that attribution remains preliminary.
The latest movements tracked by PeckShield show the remaining funds being shuffled in a bid to obscure their trail. After landing on Arbitrum, the ETH was converted to USDT0—a version of Tether’s stablecoin that retains blacklist capabilities—before heading to Tron.
Observers quickly noted the timing: the transfers came shortly after Tron founder Justin Sun posted about the network’s decentralization, and Sun had previously offered to negotiate with the hacker on behalf of affected parties.
On-chain watchers are now debating whether Tron’s ecosystem, known for high transaction volumes and stablecoin activity, could serve as a laundering waypoint or if authorities might still intervene. USDT0’s freezable nature adds another layer of risk for the attacker, as Tether maintains the ability to blacklist addresses tied to illicit activity.
The incident has reignited scrutiny over cross-chain bridges and the trade-offs between speed, interoperability, and security in DeFi.
KelpDAO paused its contracts shortly after the initial drain, but the damage was already done. Recovery efforts continue, with questions lingering over potential bad debt on platforms like Aave and the long-term trust in LayerZero-powered infrastructure.
As of Wednesday afternoon, the exploiter’s wallets continue to show activity, with smaller batches moving through various routes in what appears to be an ongoing effort to cash out or further obscure the stolen assets.
PeckShield and other analytics firms say they are monitoring closely, but in crypto’s pseudonymous world, full recovery remains an uphill battle.
