has become a defining case study in systemic DeFi risk. Here is the expanded intelligence on the laundering operation, the Aave liquidity collapse, and the specific security failures involved.
1. The Laundering: A Masterclass in Cross-Chain Speed
The exploiter, linked to North Korea’s Lazarus Group, executed a highly efficient exit strategy after minting 116,500 rsETH (approx. $292M) out of thin air via a message-forgery attack.
• THORChain as a Black Box: Within 36 hours of the hack, the attackers routed nearly 75,700 ETH ($175M) through THORChain, swapping it directly into Native Bitcoin. By utilizing THORChain’s permissionless, non-custodial nodes, they successfully bypassed centralized exchange (CEX) freezes and mixed the funds before the Bitcoin rally to $78,400.
• The Arbitrum "Stumble": The only significant recovery occurred on April 21, when the Arbitrum Security Council used emergency intervention powers to freeze 30,766 ETH ($71M) held on the Arbitrum One network. This was a "jurisdictional" win: while the council could "steal back" the funds on their Layer 2, they had no power over the remaining $175M on Ethereum Mainnet.
• Privacy Layer: Small portions of the loot (approx. $78,000) were also detected moving through the Umbra privacy protocol to obscure the digital trail further.
2. Aave's $16B "Ghost" Crisis
Aave’s TVL didn't just drop; it underwent a structural liquidity collapse. Although Aave’s core smart contracts remained secure, the protocol’s risk management was weaponized by the hacker.
• Bad Debt Mechanics: The hacker deposited the unbacked rsETH into Aave V3 as collateral to borrow $190M in WETH and other assets. Because the rsETH had no real value, Aave was left with an estimated $196M to $230M in bad debt once the KelpDAO bridge was confirmed compromised.
• The 100% Utilization Trap: As whales and institutions (including Justin Sun) scrambled to withdraw, the WETH and USDT markets hit 100% utilization. This meant many regular depositors were effectively locked in, unable to withdraw their funds because the pools were completely drained by the panic.
• Flight to Quality: Over $1.3B of the withdrawn capital immediately rotated into SparkLend and other "hard" collateral protocols, signaling a massive loss of faith in Liquid Restaking Tokens (LRTs) as viable collateral.
3. Bridge Security: The "1-of-1" Single Point of Failure
The post-mortem from Chainalysis and LayerZero Labs revealed that this was not a code bug, but an infrastructure takeover.
• The RPC Compromise: Lazarus Group didn't hack the smart contracts. Instead, they compromised the internal RPC nodes used by the LayerZero Decentralized Verifier Network (DVN). They fed forged data to the verifier while simultaneously launching a DDoS attack on external nodes to prevent them from "correcting" the lie.
• The 1-of-1 Configuration: A major public feud erupted between KelpDAO and LayerZero. LayerZero revealed that KelpDAO had used a 1-of-1 DVN setup—meaning only one verifier needed to be fooled to release the bridge funds.
• Lazarus Sophistication: The malware used on the RPC nodes was engineered to self-destruct and wipe all logs/binaries once the $292M was released, leaving investigators with a "cold" digital crime scene.
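As an added example (not code from this post, LayerZero or KelpDAO), the Python below reviews a verifier configuration for the "1-of-1" weakness described above. Its verification semantics are an assumption modelled on LayerZero V2's ULN config (every required DVN plus a threshold of optional DVNs must attest), and the DVN names and the DVN-to-RPC-provider mapping are constructed to show how verifiers sharing one compromised upstream collapse a quorum.

```python
from dataclasses import dataclass, field
from itertools import combinations
# Added example (not from the post, LayerZero or KelpDAO). Verification
# semantics assumed, modelled on LayerZero V2's ULN config: every DVN in
# `required` must attest AND at least `optional_threshold` of `optional`
# must attest. `infra` (which RPC/infra provider each DVN relies on) is a
# constructed assumption showing how a shared upstream collapses a quorum.

@dataclass
class DvnConfig:
    required: list                       # all of these must attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0          # how many of `optional` must attest

def min_dvns_to_forge(cfg):
    """Fewest DVN attestations an attacker must control to pass verification."""
    if cfg.optional_threshold > len(cfg.optional):
        raise ValueError("threshold exceeds optional DVN count")
    return len(cfg.required) + cfg.optional_threshold

def min_infra_to_forge(cfg, infra):
    """Fewest distinct providers whose compromise flips enough DVNs to pass."""
    if min_dvns_to_forge(cfg) == 0:
        return 0
    dvns = cfg.required + cfg.optional
    providers = sorted({infra.get(d, d) for d in dvns})  # unknown => own infra
    for size in range(1, len(providers) + 1):
        for subset in combinations(providers, size):
            down = {d for d in dvns if infra.get(d, d) in subset}
            if all(d in down for d in cfg.required) and \
               sum(d in down for d in cfg.optional) >= cfg.optional_threshold:
                return size
    return len(providers)

def review(cfg, infra):
    """Defender-side findings: 1-of-1 quorum and shared-infrastructure collapse."""
    findings = []
    k = min_dvns_to_forge(cfg)
    if k <= 1:
        findings.append("1-of-1: a single fooled verifier releases funds")
    p = min_infra_to_forge(cfg, infra)
    if p < k:
        findings.append(f"shared infra: {p} provider(s) cover a {k}-DVN quorum")
    return findings

# Constructed configs: the weak 1-of-1 setup beside a 2-required + 1-of-3 one.
WEAK = DvnConfig(required=["dvn_a"])
HARDENED = DvnConfig(["dvn_a", "dvn_b"], ["dvn_c", "dvn_d", "dvn_e"], 1)
INFRA = {"dvn_a": "rpc1", "dvn_b": "rpc1", "dvn_c": "rpc2", "dvn_d": "rpc3", "dvn_e": "rpc4"}
```

Running `review(HARDENED, INFRA)` still reports a finding: two verifiers on the same RPC provider mean a 3-DVN quorum falls to two provider compromises, which is the operational lesson of the RPC takeover above.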
The Bottom Line for 2026
This event confirms that while on-chain code is getting safer, off-chain infrastructure (RPCs/Oracles) and cross-chain verifier configurations are now the primary targets. The "Kelp Contagion" has forced a massive industry-wide shift toward Multi-Sig DVNs and lower LTVs for restaked assets. 🛡️🌉📉
#KelpDAO #Aave #LazarusGroup #DefiExploits #BridgeSecurity #Arbitrum #THORChain
Complete Laundering Operation
The KelpDAO exploiter swapped nearly all 75,700 stolen ETH (worth $175M) into Bitcoin through THORChain in just 36 hours, narrowing recovery to only Arbitrum's frozen portion.
DeFi Contagion Spreads
Aave TVL collapsed from $45.8B to $29.6B, losing $16.2B in deposits as the exploit created $230M bad debt and triggered panic withdrawals across protocols with no direct exposure.
Bridge Security Crisis
LayerZero attributed the attack to North Korea's Lazarus Group, highlighting that cross-chain bridges remain the weakest link, with 2026 exploit losses matching 2025 levels. $ETH