There has been an important development in the tracing of funds from the Kelp DAO attack, which was recorded as one of the biggest cyber attacks of the year in the cryptocurrency industry. The Kelp DAO protocol on Ethereum lost approximately $292 million last week as a result of a series of manipulations, and the incident has been on the agenda of the crypto community since. Experts trying to trace the stolen assets now report that the attacker has started to move hundreds of millions of dollars to different networks.
Monitoring funds after the attack
According to the latest findings shared by blockchain security company PeckShield and analyst ZachXBT, the attacker has in recent days started to use various methods to obscure the trail of the stolen cryptocurrencies. According to the analysis, transfers from Ethereum mainnet to Bitcoin took place through privacy-enhancing protocols such as THORChain and Umbra.
PeckShield stated that assets worth a total of $176 million have started to be sent to different platforms such as THORChain, Umbra, Chainflip and BitTorrent. The on-chain analysis group Ember CN pointed out that the attacker tried to move 75,700 ETH, approximately $175 million, out of Ethereum after the freeze on the Arbitrum network.
It is worth noting that these figures have not yet been independently confirmed by Kelp DAO or LayerZero.
Technical details of the attack and discussion of responsibility
Kelp DAO is a decentralized finance protocol that stands out in the DeFi ecosystem for its rsETH bridge on Ethereum. In the attack, vulnerabilities in the bridge design, the message verification process, and the messaging infrastructure of the connected platform LayerZero became the focus of controversy.
Ari Redbord, policy manager at TRM Labs, stated that the attacker withdrew approximately 116,500 rsETH from the protocol by acting through a seemingly fake message in LayerZero’s lzReceive flow. This amount is noted to correspond to approximately 18% of the total rsETH in circulation.
Redbord emphasized that with this outflow of funds the incident quickly turned into a major cross-chain security vulnerability, and that the attack stood out as one of the largest decentralized finance leaks of recent years.
Following the attack, LayerZero suggested that the North Korea-linked Lazarus group may be responsible for the incident, pointing out that the exploit was the result of a single-point structure in the message verification process. Kelp DAO, on the other hand, shifted the responsibility to LayerZero’s system.
Impact on the DeFi market and new fund movements
The freezing of approximately $71 million of ETH related to the attack on the Arbitrum network has been among the most concrete steps so far. Despite this intervention, the attacker turned to different methods and wasted no time in transferring the stolen crypto assets, part by part, to new networks.
Following the incident, DeFi platforms with exposure to rsETH, such as Aave, SparkLend, Fluid and Upshift, took steps to reduce their risks and re-evaluate their collateral. In the process, many discussions have arisen about collateral quality, the preservation of fixed value, and cross-chain debt scenarios.
Although the size of the post-attack fund movements has not been fully determined, recent transfers to privacy-focused networks such as THORChain and Umbra show that the attackers are preparing escape routes. According to experts, such transactions make it significantly more difficult to track and return stolen money.
It is emphasized, however, that although the newly detected transfers are still limited compared to the total damage, the attackers have started to test different routes instead of letting the funds settle.
Recent events once again reveal the importance of the first freeze made through Arbitrum. They also show that the funds are being pursued aggressively and that new transfers make it increasingly complicated to trace the assets.


