Historically, after a major crypto exploit, hackers rapidly fragment the stolen funds across multiple fresh wallets, route them through decentralized cross-chain protocols, and often convert everything into Bitcoin or send funds to Tornado Cash, creating an on-chain trail that’s far harder to freeze or trace. This is exactly what happened in 2026’s latest exploit.
Within roughly 36 hours starting April 21, the hacker behind KelpDAO’s LayerZero-powered cross-chain bridge moved approximately 75,700 ETH—valued at around $175 million—into freshly created wallets.
The bulk of these funds were later routed through decentralized cross-chain swaps, primarily via THORChain, converting ETH directly into Bitcoin (BTC). Meanwhile, smaller portions passed through privacy tools like Umbra Cash.
On-chain analyst EmberCN confirmed the flows, noting that the hacker almost entirely swapped their ETH to BTC on THORChain, with this activity driving $800 million in trading volume to the protocol alongside $910K in platform fee revenue.
Rapid laundering via THORChain
THORChain is a permissionless liquidity protocol that facilitates crypto conversions without custodians, KYC requirements, or single points of control.
The rsETH hacker executed cross-chain swaps that exchanged ETH for BTC, often in batches to manage slippage and liquidity. Some reports pegged portions of the swaps at around $80 million in direct ETH-to-BTC conversions, with the rest following similar paths.
The funds reached Bitcoin addresses after fragmentation and privacy hops, making further tracing more complex. THORChain’s design—relying on decentralized nodes and vault-based liquidity rather than centralized bridges—allowed the transactions to proceed without intervention, even as the protocol’s operators publicly stated neutrality on the source of funds.
The move highlights how cross-chain DEXes can serve as exit ramps for large illicit flows when other avenues close. Bitcoin received a notable influx, with analysts linking some of the buying pressure to the hacker’s activity, contributing to short-term price volatility above $78,000 in spots.
Why can Bitcoin not be frozen like Arbitrum?
In an attempt to recover stolen assets, Arbitrum’s Security Council used its emergency powers to freeze the hacker’s funds by executing a forced transfer of 30,766 ETH (worth about $71 million) from the attacker’s address on Arbitrum One directly into a governance-controlled intermediary wallet that can only be accessed through further DAO approval.
Arbitrum’s freeze worked because it is a Layer-2 network with a multi-signature Security Council holding emergency powers. The council identified attacker-linked ETH on Arbitrum, executed a forced state transition to move the funds into an intermediary wallet, and locked them pending further governance approval.
This protocol-level control—built into the chain’s design for security incidents—allowed quick action with law enforcement input, without needing the owner’s signature.
But for Bitcoin, the mechanics operate differently. As a Layer-1 blockchain, its native BTC has no built-in administrative keys, security councils, or upgrade mechanisms that let any group unilaterally freeze balances.
Bitcoin transactions are validated solely by consensus among miners and full nodes based on cryptographic rules: valid signatures unlock funds, and once confirmed in blocks, they are effectively immutable absent a network-wide consensus change (a hard fork), which has never been used for freezing specific addresses in Bitcoin’s 17-year history.
There is no central authority or smart contract on Bitcoin’s base layer that can blacklist or immobilize BTC held in non-custodial wallets. Exchanges or custodians might freeze assets on their platforms under legal pressure, but once BTC sits in a self-custodied address controlled only by private keys, no entity can block its movement.
This “your keys, your coins” principle stems from Bitcoin’s minimalist design prioritizing censorship resistance over programmable interventions. Smart contracts on Ethereum or L2s can embed freeze functions, but Bitcoin has none at the protocol level for native BTC.
Stolen funds still not clean though
While the Bitcoin network itself cannot freeze or immobilize native BTC in non-custodial wallets due to its decentralized design and lack of administrative controls, centralized entities such as exchanges, payment processors, and regulated platforms can blacklist specific addresses.
They refuse deposits or withdrawals linked to flagged wallets—often using blockchain analytics tools that track tainted funds—making it difficult for hackers to convert illicit BTC into fiat or usable assets without triggering compliance alerts or seizures.
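As an added illustration (not code from any exchange or analytics vendor), the sketch below shows one way a platform could screen deposits for tainted funds after they have been fragmented across fresh wallets and mixed with unrelated money. It assumes a simplified account-style ledger and the proportional ("haircut") taint model; all addresses, amounts and thresholds are constructed for the example.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample data: not real addresses, amounts or flows.
FLAGGED = {"theft_src": 100}          # address -> units attributed to the theft
CLEAN_FUNDING = {"clean_whale": 300}  # unrelated funds with no taint
TRANSFERS = [                         # chronological (sender, receiver, amount)
    ("theft_src", "fresh_a", 60),     # fragmentation into fresh wallets
    ("theft_src", "fresh_b", 40),
    ("fresh_a", "hop_c", 60),         # intermediate hop
    ("clean_whale", "hop_c", 180),    # clean funds dilute the hop wallet
    ("hop_c", "deposit_x", 120),      # deposit address at the platform
    ("fresh_b", "deposit_y", 40),
    ("clean_whale", "deposit_z", 50),
]

def propagate_taint(flagged, clean, transfers):
    """Return {address: tainted fraction of its balance} (haircut model)."""
    balance = defaultdict(Fraction)
    taint = defaultdict(Fraction)
    for addr, amt in flagged.items():
        balance[addr] += amt
        taint[addr] += amt
    for addr, amt in clean.items():
        balance[addr] += amt
    for src, dst, amt in transfers:
        amt = Fraction(amt)
        if amt <= 0 or amt > balance[src]:
            raise ValueError(f"invalid transfer {src}->{dst}: {amt}")
        # Each outgoing unit carries the sender's current taint ratio.
        moved = taint[src] * amt / balance[src]
        balance[src] -= amt
        taint[src] -= moved
        balance[dst] += amt
        taint[dst] += moved
    return {a: (taint[a] / balance[a] if balance[a] else Fraction(0))
            for a in balance}

def screen_deposit(ratios, addr,
                   review_at=Fraction(1, 10), reject_at=Fraction(1, 2)):
    """Map a taint ratio to a decision; thresholds are assumed policy values."""
    ratio = ratios.get(addr, Fraction(0))
    if ratio >= reject_at:
        return "reject"
    if ratio >= review_at:
        return "review"
    return "accept"

if __name__ == "__main__":
    ratios = propagate_taint(FLAGGED, CLEAN_FUNDING, TRANSFERS)
    for addr in ("deposit_x", "deposit_y", "deposit_z"):
        print(addr, float(ratios[addr]), screen_deposit(ratios, addr))
```

Dilution through a hop wallet lowers the taint ratio but does not remove it, which is why funds that passed through fragmentation can still trip a review threshold at the deposit address.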
The contrast underscores a broader tension in crypto: programmable chains offer tools for rapid response to exploits but introduce points of centralization. Pure proof-of-work (PoW) networks like Bitcoin trade that flexibility for stronger guarantees against unilateral freezes.
For the KelpDAO hacker, routing to BTC via THORChain appears to have created a harder-to-interrupt endpoint—at least on the blockchain itself.
