The hacker behind the $292 million KelpDAO exploit has begun aggressively laundering stolen funds, with on-chain data showing approximately 34,500 ETH — worth around $80 million — swapped into Bitcoin via decentralized cross-chain protocol THORChain in the past 24 hours. The activity has caused an unprecedented volume spike on THORChain, inadvertently turning the protocol into one of the biggest short-term beneficiaries of the year’s largest DeFi hack.
According to on-chain data, THORChain processed roughly $360 million in trading volume over the past 24 hours, compared to an average daily volume of around $20 million before the laundering began. Platform fee revenue saw a similar surge, climbing from approximately $5,000 per day to $420,000 in the same window—an 84x increase, driven almost entirely by the hacker’s ETH-to-BTC swap activity.
Hacker Routes Funds to Bitcoin as Laundering Operation Expands
The $80 million THORChain swap is part of a broader laundering operation. Blockchain security firm PeckShield reported that the KelpDAO exploiter has begun moving approximately $176 million in stolen funds across multiple cross-chain and privacy protocols, including THORChain, Umbra Cash, Chainflip, and BitTorrent.
On-chain investigator ZachXBT also flagged the activity, noting that the attacker is bridging funds in small batches from Ethereum to Bitcoin, a pattern consistent with previous laundering operations attributed to North Korea’s Lazarus Group. He had initially identified three THORChain transactions totaling around $1.5 million, alongside a separate $78,000 transfer routed through privacy protocol Umbra, shortly before volumes on THORChain began climbing dramatically. LayerZero has formally linked the KelpDAO exploit to the same group, specifically its TraderTraitor subunit.
The movement accelerated after the Arbitrum Security Council froze 30,766 ETH (~$71 million) tied to the attacker earlier this week, leaving roughly 75,700 ETH on Ethereum mainnet that the hacker is now rushing to move before additional freezes can be applied. Arkham Intelligence has clustered the attacker’s wallets under a dedicated “KelpDAO Attacker” entity, making the laundering trail publicly observable in real time.
Why THORChain?
THORChain is a decentralized cross-chain liquidity protocol that enables direct swaps between native assets across different blockchains—most notably Ethereum to Bitcoin—without wrapped tokens or centralized intermediaries. Because the protocol has no KYC requirements and operates fully on-chain, it has become a preferred tool for converting stolen ETH into BTC, where tracing is significantly harder due to Bitcoin’s UTXO model and the lack of smart contract-level freezing mechanisms.
The protocol played a similar role in the aftermath of the February 2025 Bybit hack, where analysts estimated that approximately 72% of the stolen funds were laundered through THORChain. Its re-emergence as the primary laundering rail for the KelpDAO exploit underscores a recurring pattern: decentralized cross-chain infrastructure that functions exactly as designed can simultaneously serve as the most effective obfuscation layer available to state-sponsored attackers.
The Windfall and the Dilemma
For THORChain’s liquidity providers and node operators, the laundering surge has produced a short-term revenue windfall. Fee revenue in the past 24 hours alone exceeds two months of the protocol’s normal earnings.
However, the activity is likely to renew pressure on the protocol and the broader decentralized cross-chain sector. Regulators in multiple jurisdictions have increasingly scrutinized non-custodial swap protocols for their role in facilitating illicit fund movement, and incidents like this — where a protocol’s fee revenue spikes in direct correlation with a major hack — make it difficult for the sector to argue that decentralization alone absolves operators of compliance concerns.
THORChain has previously declined to implement address-level blocking, citing its decentralized architecture and the absence of any central operator with the authority to do so. As of press time, the protocol had not issued a public statement on the KelpDAO-linked activity.
