
Crypto thief uses THORChain to launder funds

A hacker behind the $292 million KelpDAO exploit has started converting stolen assets into Bitcoin using THORChain and is further obscuring their trail with the privacy tool Umbra, according to blockchain analyst ZachXBT on April 21. On-chain data shows an additional $78,000 moved via Umbra, signaling an active laundering phase for the stolen funds.

Cross-chain swaps used to hide asset origin

Transaction records indicate the exploiter is using THORChain’s cross-chain swap capabilities to move funds between blockchains without relying on centralized intermediaries. By swapping Ethereum-based assets directly into native Bitcoin, the attacker is effectively breaking a clear audit trail that would otherwise exist on a single network.

THORChain’s design — enabling direct swaps between assets like ETH and BTC — makes it significantly harder to link the Bitcoin output back to the original stolen tokens on Ethereum, complicating tracking efforts for on-chain analysts and law enforcement.

Umbra adds a second layer of obfuscation

The exploiter is also routing a portion of the funds through Umbra, a privacy protocol that uses stealth addresses and fragmented transfers to anonymize recipients. Ethereum data shows about $78,000 has already been sent through Umbra.

By separating the flow into multiple, unlinkable addresses, Umbra prevents outside observers from connecting the receiving wallets to a known entity. When combined with THORChain swaps, this two-step process makes identifying the final destination of the converted Bitcoin extremely difficult through public ledger analysis alone.

Part of a broader pattern in recent DeFi attacks

The laundering pattern mirrors tactics seen across recent decentralized finance exploits, where stolen assets are increasingly funneled through cross-chain and privacy-focused services. Large thefts and smaller targeted attacks alike often end with funds moving to networks and tools that offer greater anonymity.

Despite these efforts, analysts such as ZachXBT have repeatedly managed to map transaction paths using public blockchain data, providing detailed flow charts of how funds move across chains. These investigations have, in several cases, supported law enforcement inquiries and asset recovery attempts.

Regulatory pressure struggles to keep pace

Authorities in multiple jurisdictions are tightening oversight of digital assets through stricter anti-money-laundering rules and targeted enforcement actions. However, the rapid evolution of cross-chain infrastructure, privacy tools, and new protocols continues to stretch the capacity of regulators and police units.

The KelpDAO case highlights how transparency and privacy collide in decentralized finance: open ledgers allow independent monitoring, but privacy-enhancing tools can be repurposed for laundering and evasion.

Largest DeFi exploit of 2026 so far

With losses now estimated at $292 million, the KelpDAO breach stands as the largest DeFi exploit reported in 2026 to date. The incident adds to a steep spike in digital asset theft this month:

  • more than $606 million has been stolen across 12 incidents in April alone
  • that figure is 3.7 times larger than the total stolen in the entire first quarter
  • year-to-date losses from hacks have surpassed $771 million across 47 events

The concentration of high-value attacks is increasingly focused on cross-chain and infrastructure-level protocols, reflecting where the most liquidity and systemic leverage now sit in DeFi.

Market confidence hit and liquidity pulled from DeFi

The KelpDAO exploit has fed into a wider loss of confidence in decentralized finance platforms. Following the breach, over $15 billion in capital has been withdrawn from DeFi protocols in a matter of days, as users reassess counterparty and smart contract risk.

Aave, a major lending protocol that had integrated KelpDAO’s rsETH token, saw deposit outflows of around $10 billion. In response, Aave froze the rsETH market to contain potential spillover and limit further damage from the compromised asset.

Contagion risk spreads beyond directly hacked platforms

Liquidating large amounts of stolen tokens can create abrupt selling pressure, weighing on market prices of the affected assets and associated derivatives. Platforms linked to exploited protocols may be forced into defensive actions such as market freezes, collateral parameter changes, or emergency governance votes.

For traders, awareness of which platforms and markets are exposed to compromised assets is increasingly critical. Even protocols that were not directly attacked can experience liquidity stress, disrupted functionality, or confidence shocks when they are tightly integrated with a hacked asset or cross-chain bridge.

