Points of Focus

• KelpDAO attacker swaps 75,700 ETH into Bitcoin within 36 hours.
• Cross-chain activity generates $800M THORChain volume and $910K fees.
• Shift complicates recovery efforts as funds move beyond Ethereum tracking.

A wallet linked to the KelpDAO exploit has converted nearly $175 million worth of Ether into Bitcoin in under two days, shifting from passive holding to active cross-chain movement.

The transactions, tracked on-chain and highlighted by EmberCN, were largely executed via THORChain, a decentralized protocol that enables direct swaps between blockchains without intermediaries.

The activity highlights how quickly large volumes of capital can move across DeFi infrastructure once containment efforts begin to take effect.

The KelpDAO hacker has swapped nearly all of its 75,700 ETH holdings, worth about $175 million, into BTC over roughly a day and a half.

The cross-chain swaps were primarily routed through THORChain. Due to the sheer size of the transactions, the laundering activity also… pic.twitter.com/LM1d9hWL7j

— Wu Blockchain (@WuBlockchain) April 23, 2026

ETH-to-BTC swap reshapes fund tracking dynamics

On-chain records show the attacker swapped approximately 75,700 ETH, moving the bulk of the funds into Bitcoin through a series of cross-chain transactions.

This conversion changes how investigators approach the case. Ethereum’s account-based system allows detailed tracking of token flows, but once assets move into Bitcoin’s UTXO model, tracing requires a different set of tools and assumptions.

Earlier intervention efforts had already frozen roughly $70 million in ETH on Arbitrum, based on updates from Arbitrum’s Security Council and protocol disclosures. That likely accelerated the attacker’s decision to rotate assets rather than risk further seizures.

KelpDAO Exploit Update

The $292M attacker has moved 76K ETH ($175M) to new wallets, signaling active laundering. Funds are flowing through Umbra, and bridging via THORChain to BTC, while $71M has been frozen on Arbitrum.

Check out the full article: pic.twitter.com/u7skFCGSSS

— Arkham (@arkham) April 22, 2026

THORChain volume surge highlights cross-chain liquidity power

The scale of the operation had a visible impact on THORChain itself. The swaps generated close to $800 million in trading volume and around $910,000 in fees within a short window, according to on-chain estimates shared by EmberCN.

This activity did not reflect organic market demand. It was driven by a single entity executing large cross-chain conversions. Still, it highlights the depth of liquidity available in decentralized cross-chain systems, where large transactions can be processed without centralized oversight.

Large single-entity flows at this scale can distort perceived network activity, making volume spikes difficult to interpret without context.

THORChain’s design allows users to swap native assets directly, a feature that removes friction but also limits the ability to intervene once transactions begin.

only reason a hacker runs their illicit funds through thorchain to btc rather than just shoving it into tornado for the future is they have a clear OTC buyer and washer to get clean funds out the other side

but the buyer is retarded

best thing to do with illicit funds is put it…

— Clouted (@CloutedMind) April 22, 2026

Why Bitcoin remains the preferred exit route

The move from Ether to Bitcoin mirrors behavior observed in previous large-scale exploits, where attackers shift into Bitcoin to access deeper liquidity and alternative routing options. Bitcoin offers broader access to mixing services and cross-chain pathways, making it a practical choice for actors attempting to fragment and move funds further.

At the same time, the shift doesn’t make funds invisible. Blockchain intelligence platforms such as Arkham continue to track associated addresses, and cross-chain analysis techniques have improved in recent years.

This creates a mixed picture. While recovery becomes more complex, it isn’t necessarily impossible, especially if funds interact with monitored services.

DeFi stress persists as ecosystem responses continue

The broader impact of the KelpDAO exploit is still unfolding. Lending protocols and liquidity providers remain exposed to aftereffects such as unresolved bad debt and disrupted collateral positions linked to the exploit.

Aave founder Stani Kulechov said recovery efforts are ongoing and focused on restoring stable conditions, while KelpDAO confirmed coordination with partners and security groups to pursue resolution.

These responses point to a coordinated effort across protocols, but they also highlight a limitation. Once funds move across chains at this scale, response mechanisms become reactive rather than preventative.

The past few days have been intense, but I wanted to give some updates as we continue to work on this. Our priority is our users, and every decision we are making is aimed at an orderly return to normal market conditions and the best possible outcome for everyone involved.…

— Stani (@StaniKulechov) April 22, 2026

The latest fund movement shifts the focus from the exploit itself to how capital exits the system once initial defenses are triggered. It shows how quickly attackers can adapt, and how cross-chain infrastructure, while efficient, can also accelerate risk when large volumes move without friction or oversight.