KelpDAO Hacker Shifts 75,700 ETH to Fresh Wallets After Arbitrum Freezes Funds

The attacker behind the KelpDAO exploit moved 75,700 ETH—about $175 million—into two newly created wallet addresses on April 21, 2026, just hours after Arbitrum's Security Council said it had frozen 30,766 ETH tied to the same incident. Blockchain security firm PeckShieldAlert reported the transfers, which onchain data shows were split into two legs: roughly 25,000 ETH ($57.93 million) was sent to 0xF980…15910, and about 50,700 ETH ($117.48 million) went to 0xABc8…36FAD. Both transactions were flagged, and the originating address is labeled "Kelp DAO Exploiter 1" by onchain trackers. Investigators say the concern is not only the speed of the movement, but the routing. Small ETH transfers have already passed through Umbra Cash, which obscures transaction links using one-time addresses. CertiK also reported the attacker is moving funds toward Bitcoin via THORChain, a cross-chain system that enables swaps without relying on a centralized exchange. The combination can mask activity on Ethereum before shifting value out of the network, complicating recovery efforts. The original wallet has been nearly emptied, with about 0.768 ETH left—insufficient for meaningful future transaction fees—suggesting the operator has abandoned the address and moved operations to the new wallets. The 30,766 ETH previously frozen remains locked, but the 75,700 ETH now consolidated in the two new addresses is still unsecured. Market watchers are focused on whether Arbitrum's Security Council, law enforcement, and blockchain analysts can track and respond quickly to any further movements, which could reveal the attacker's next steps.