News
22 Apr 2026, 08:30
Attackers behind KelpDAO breach help lift Bitcoin

The effects of the KelpDAO attackers go deeper, this time affecting even BTC trading. Some of the funds from the exploit were moved through ThorChain and swapped into BTC.

The KelpDAO hack has wider effects on the crypto ecosystem, as the hackers attempt to swap and mix their holdings. The latest move showed the funds moved through ThorChain and were swapped into BTC. The hack brought another $211M in spot buying to BTC, and was one of the factors that sent BTC above $78,000. BTC rallied within hours, launching from its lower range of $75,000. For now, BTC rejected the $78,000 level, but the hackers indicated that the market would react to an inflow of buyers.

KelpDAO boosted ThorChain volume

ThorChain has been one of the platforms widely used to swap funds in a totally permissionless environment. In previous hacks reported by Cryptopolitan, ThorChain’s team has not cooperated to intercept the funds during bridging or other visible operations. The chain has not even set up a mechanism to intercept funds, as all transactions depend on 95 permissionless nodes.

THORChain was modelled after Bitcoin, to be permissionless and censorship resistant. There’s no single person or entity in control of the protocol. There’s no admin key. There’s no 2-of-3 multisig. Currently, there’s 95 nodes spread globally that control the network. For the… pic.twitter.com/Za2Obrh9dO
— THORChain (@THORChain) April 21, 2026

During previous incidents, ThorChain has allowed funds to be mixed and disguised, citing its main goal of not interfering. Yet after Web3 hacks accelerated in the past month, all participants reconsidered the need to freeze funds and diminish the losses.

The KelpDAO attackers moved funds just three hours after Arbitrum froze around 25% of their haul on the network. One of the identified wallets was used to move and swap ETH, based on Arkham Intelligence tracking.

The hacker’s activity boosted ThorChain activity to 10 times its normal daily volume, ending up with 442 BTC moved to 400 addresses. On-chain researchers have pinpointed some of the key addresses with the biggest holdings. The coins can be mixed further or swapped into privacy coins to disguise their origin.

Figure: ThorChain posted its biggest daily fees after the KelpDAO attackers used the protocol to swap ETH for BTC. Source: DeFiLlama.

Following the attack, ThorChain recorded its highest daily fee volume for the year to date. The network helped the hackers perform on average 146 transactions an hour.

KelpDAO attackers moved funds to the Bitcoin chain

Additional on-chain research shows the funds from the KelpDAO hack were mixed with proceeds from other incidents, including the BTC Turk and Bybit attacks from 2025. ThorChain also refused to assist with the Bybit hack, though other ecosystem participants were ready to freeze funds where possible.

The latest laundering episode shows the TraderTraitor group and other DPRK hackers were an increasing threat to Web3. The ability to launder funds is adding more risk, as hackers have evolved their techniques for faster and untraceable laundering. After using ThorChain, the hackers moved all BTC on the main network, where the coins could be traced, but not frozen.

The KelpDAO exploit also affected other networks, creating significant outflows. Ethereum lost 17.73% of its total value locked, 17.68% flowed out of Hyperliquid, Arbitrum lost 13.65% of its liquidity, and Solana saw 6.14% in outflows. The lost funds may have wide repercussions on Web3, due to the composability of DeFi lending and reusing some coins for collateral on other protocols. The final estimate is that the hack led to around 177M in bad debt on Aave.
22 Apr 2026, 07:45
Another DeFi protocol loses millions in hack days after KelpDAO breach

Volo Protocol lost about $3.5 million from three vaults holding WBTC, XAUm, and USDC.
22 Apr 2026, 07:40
Arbitrum Freezes $71M in ETH Linked to Kelp Exploit

Arbitrum's Security Council froze 30,766 ETH worth $71M linked to the Kelp DAO exploit on 20 April 2026. The funds are held in a governance-controlled wallet, inaccessible to the original address.
22 Apr 2026, 05:00
Arbitrum Acts Fast: $71M In Ether Locked After Kelp Security Breach

Nine out of 12 council members voted yes. That detail alone tells you how divided — and how serious — the conversation inside Arbitrum’s security council got before the blockchain took its most dramatic action in recent memory.

A Council Under Pressure

Griff Green, a sitting member of the Arbitrum Security Council, said the group wrestled with the decision for hours. The debates covered technical, practical, ethical, and political ground before the vote was cast. “We did not make this decision lightly,” Green posted on X. In the end, the council moved 30,766 Ether — worth roughly $71.2 million — out of a wallet linked to the Kelp protocol exploit and into what Arbitrum described as “an intermediary frozen wallet.”

I’m a member of the Security Council & I can tell you we did not make this decision lightly, there were countless hours of debates, technical, practical, ethical and political. But all it takes for evil to triumph is for good men to do nothing, so today, we decided to do… https://t.co/tArbmXwZKN
— Griff Green – griff.eth (@griffgreen) April 21, 2026

The funds cannot be touched by the address that originally held them. Only a further action by Arbitrum governance can move them now. Law enforcement was part of the conversation. Arbitrum confirmed the council worked with authorities before acting, a detail that sets this incident apart from the usual back-and-forth that follows a DeFi hack.

The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,…
— Arbitrum (@arbitrum) April 21, 2026

The Hack That Started It All

The chain of events began Saturday, when Kelp — a liquid restaking protocol — was hit through its LayerZero-powered bridge. Reports indicate the theft totaled at least $293 million. LayerZero, the cross-chain messaging protocol involved, publicly pointed the finger at North Korea as the group behind the attack.

The damage did not stop at Kelp. Whoever carried out the exploit used stolen Kelp tokens to borrow other cryptocurrencies on Aave, the lending platform. That move left Aave holding what risk managers described as bad debt — losses that spread through the broader crypto lending market because of how tightly connected these protocols are to one another.

so a council can just freeze 30k eth and we’re still calling this decentralized?
— Sandy.ETH (@david_lee2085) April 21, 2026

Backlash From The Community

Not everyone welcomed Arbitrum’s response. On X, several users pushed back hard, arguing that a blockchain capable of freezing funds on council orders cannot honestly call itself decentralized. The criticism cuts at a long-standing tension in the crypto world: security measures that protect users can also be the same tools that override them.

Arbitrum said the council weighed its responsibilities carefully, taking care not to affect other users or running applications on the network. Whether that assurance satisfies critics remains an open question. What is clear is that 30,000-plus ETH is now sitting in limbo, and the next move belongs to Arbitrum governance.
22 Apr 2026, 03:00
Cardano Founder Warns KelpDAO Hack Exposes Ethereum’s Weakest Link

Cardano founder Charles Hoskinson used his latest livestream to argue that the roughly $292 million KelpDAO exploit was not just another bridge failure, but a broader warning about how Ethereum’s restaking, cross-chain messaging, and lending stack can turn a single compromise into system-wide contagion.

In Hoskinson’s telling, the April 18 attack exposed what he sees as the most fragile part of modern DeFi: not necessarily application-level smart contracts, but the verification layers and interdependencies that sit between protocols. He said the exploit, which involved about 116,500 rsETH drained from KelpDAO’s Ethereum escrow, should force a wider industry conversation about bridge trust assumptions, verifier design, and the speed at which bad collateral can spread through lending markets.

Cardano Founder Warns Of Dangerous Flaw At The Heart Of Ethereum DeFi

Rather than deliver a standard postmortem, Hoskinson said he took internal incident-report material and used AI to turn it into a website that walked viewers through the mechanics of the exploit. That structure framed his larger point: the failure, as he described it, did not begin with broken contract math inside KelpDAO itself, nor with an obvious accounting flaw at LayerZero. Instead, he said it centered on a forged cross-chain message that was accepted as legitimate and allowed funds to be released on Ethereum.

“So, this was not a smart contract issue with Kelp and this was not a smart contract issue with LayerZero, but this was a cross-chain message forgery,” Hoskinson said. “So this was something new and different.”

The Cardano founder repeatedly returned to one design choice in particular: the reported use of a one-of-one verifier configuration. In his explanation, best practice would be a multi-verifier model such as three-of-five, but KelpDAO’s setup relied on a single active DVN. That, he argued, created an unacceptable single point of failure in a system already layered with staking wrappers, restaking protocols, bridges, and lending venues.

“The failure was in the verification logic, not the application logic,” he said. “Kelp did everything right from their contracts. They’re audited. They’re working well. The application’s working well. It’s the bridge configuration.”

Hoskinson also emphasized that the industry still lacks a settled account of exactly where responsibility lies. According to his summary, three separate root-cause analyses emerged after the exploit: one from LayerZero, one from KelpDAO, and one tied to LlamaRisk and Aave governance discussions, but none fully agree. That leaves open whether the break occurred in the messaging layer, verifier setup, KelpDAO’s acceptance logic, or in the seams between them.

What made the event especially significant, in his view, was not only the theft itself but what happened next. Instead of dumping the stolen rsETH on decentralized exchanges, the attacker allegedly used it as collateral in lending markets to borrow more liquid assets. That turned an exploit into a balance-sheet problem for other protocols, leaving what Hoskinson described as poisoned collateral behind. He called that dynamic the real novelty of the incident.

“It wasn’t just a bridge hack. It spread to lending which then created bad debt contagion inside these lending protocols. It created a bank run and we saw $13 billion of TVL pulled in a very short period of time for a $290 million hack.”

The Cardano founder said the broader DeFi liquidity shock reached far beyond KelpDAO itself. Citing public reporting referenced in his walkthrough, he pointed to at least nine directly affected protocols and said Aave alone saw between $6.6 billion and $8.45 billion in losses, while rsETH traded in a volatile range between about $1,600 and $2,500 during the 24 hours following the attack.

He also raised the possibility of Lazarus involvement, though he acknowledged attribution remains unconfirmed. “There’s a lot of evidence here that there’s Lazarus connections,” he said, before adding that no independent forensics firms had definitively proven it.

At press time, Cardano (ADA) traded at $0.2504.
22 Apr 2026, 02:25
Venus Protocol Hacker’s Shocking $5.3M Tornado Cash Laundering Move Exposes DeFi Vulnerabilities

In a significant development for decentralized finance security, the perpetrator behind the Venus Protocol exploit has executed a sophisticated laundering operation, moving 2,301 ETH worth approximately $5.32 million through the privacy mixer Tornado Cash. This alarming transaction occurred on April 15, 2025, according to blockchain analytics, revealing ongoing challenges in tracking and recovering stolen digital assets. The hacker’s current holdings of roughly $17.45 million in Ethereum highlight the substantial financial impact of this security breach on the DeFi ecosystem.

Venus Protocol Hack Timeline and Fund Movement

Blockchain analyst ai_9684xtpa first identified the suspicious transactions eleven hours before public reporting. The hacker transferred the substantial Ethereum sum to a fresh wallet address initially. Subsequently, the perpetrator executed multiple transactions through Tornado Cash, effectively obfuscating the funds’ origin. This method represents a common pattern in cryptocurrency laundering operations following major exploits.

Security researchers have documented the complete attack sequence with precision. First, the exploit targeted Venus Protocol’s lending mechanisms. Then, the attacker converted stolen assets to Ethereum for liquidity. Finally, the laundering phase began with the Tornado Cash transactions. Each step demonstrates increasing sophistication in evading detection systems.

Tornado Cash’s Role in Crypto Laundering Operations

Tornado Cash functions as a privacy-focused smart contract on the Ethereum network. The service breaks the traceability of cryptocurrency transactions by mixing funds from multiple sources. Users deposit assets into a shared pool before withdrawing equivalent amounts to new addresses. This process effectively severs the blockchain’s transparent audit trail between deposit and withdrawal addresses.

Despite sanctions from regulatory bodies including the U.S. Treasury Department, Tornado Cash remains operational through decentralized infrastructure. The service has processed billions in cryptocurrency since its inception. Notably, it has become the preferred laundering tool for numerous high-profile cryptocurrency thefts. Security experts consistently identify Tornado Cash transactions in post-exploit forensic analyses.

Historical Context of Major DeFi Exploits

The Venus Protocol incident follows a troubling pattern in decentralized finance security. In 2024 alone, DeFi protocols suffered approximately $3.8 billion in losses from various exploits. These incidents typically involve flash loan attacks, oracle manipulations, or smart contract vulnerabilities. The table below illustrates recent comparable incidents:

| Protocol | Date | Amount Stolen | Laundering Method |
| --- | --- | --- | --- |
| Euler Finance | March 2023 | $197 million | Multiple Mixers |
| Poly Network | July 2023 | $34 million | Cross-Chain Bridges |
| Curve Finance | July 2023 | $73.5 million | Tornado Cash |
| Venus Protocol | April 2025 | $22.77 million+ | Tornado Cash |

This historical context demonstrates the persistent challenge of fund recovery post-exploit. Moreover, it highlights the critical role privacy mixers play in cryptocurrency theft ecosystems. Security professionals emphasize that prevention remains more effective than post-theft tracking.

Technical Analysis of the Venus Protocol Exploit

The Venus Protocol attack exploited specific vulnerabilities in the platform’s price oracle system. Attackers manipulated asset prices temporarily through coordinated trading activities. Consequently, they borrowed assets against artificially inflated collateral values. This classic DeFi attack vector has compromised numerous protocols despite increased awareness.

Security audits conducted before the incident reportedly identified potential vulnerabilities. However, implementation delays in patch deployment created exploitable windows. The attack’s technical sophistication suggests either insider knowledge or exceptional reverse engineering capabilities. Blockchain forensic teams continue analyzing the attack vectors to prevent future incidents.

Key technical aspects of the exploit include:

- Oracle Manipulation: Temporary price distortion of specific assets
- Flash Loan Utilization: Large, uncollateralized borrowing for attack funding
- Collateral Exploitation: Borrowing against artificially valued assets
- Asset Conversion: Rapid swapping of stolen tokens for Ethereum

Current Investigation and Recovery Efforts

Multiple entities have launched investigations into the Venus Protocol exploit and subsequent fund movements. These include blockchain analytics firms, law enforcement agencies, and the Venus Protocol development team. Their collaborative efforts focus on identifying the attacker’s identity through advanced chain analysis techniques.

Recovery possibilities remain limited once funds enter privacy mixers like Tornado Cash. However, investigators monitor subsequent transactions for potential identification points. The hacker’s remaining $17.45 million in Ethereum presents both a challenge and opportunity for tracking. Security experts note that moving such substantial amounts inevitably creates detectable patterns despite privacy measures.

Impact on DeFi Security and Regulatory Landscape

The Venus Protocol incident has intensified discussions about DeFi security standards and regulatory frameworks. Industry participants recognize the need for enhanced security measures across several dimensions. These include more rigorous smart contract auditing, real-time monitoring systems, and improved oracle reliability.

Regulatory bodies worldwide are examining this case for policy implications. The use of Tornado Cash despite sanctions demonstrates enforcement challenges in decentralized ecosystems. Consequently, policymakers may propose new legislation targeting privacy-preserving protocols. Such developments could significantly alter the operational landscape for DeFi platforms and their users.

The incident also affects user confidence in decentralized finance platforms. Security breaches undermine the foundational promise of trustless, transparent financial systems. Therefore, protocol developers face increasing pressure to implement robust security measures. Industry-wide initiatives for security standardization may emerge from this incident’s aftermath.

Conclusion

The Venus Protocol hacker’s movement of $5.3 million to Tornado Cash represents a critical case study in cryptocurrency security challenges. This incident highlights the sophisticated methods attackers employ to launder stolen digital assets. Furthermore, it underscores the ongoing difficulties in tracking and recovering funds once they enter privacy mixers. The DeFi community must address these security vulnerabilities through collaborative efforts and technological innovation. As the ecosystem evolves, robust security practices will become increasingly essential for mainstream adoption and regulatory acceptance.

FAQs

Q1: What is Tornado Cash and how does it work?
Tornado Cash is a privacy-focused Ethereum smart contract that obscures transaction trails. Users deposit cryptocurrency into a shared pool and withdraw equivalent amounts to new addresses, breaking the visible connection between source and destination wallets through cryptographic mixing.

Q2: How much did the Venus Protocol hacker steal originally?
While the exact total varies by valuation timing, the exploit resulted in losses exceeding $22 million across various cryptocurrencies. The hacker currently holds approximately $17.45 million in Ethereum from these stolen assets, with $5.32 million already moved through Tornado Cash.

Q3: Can funds moved through Tornado Cash be recovered?
Recovery becomes extremely difficult once funds enter privacy mixers. While blockchain analysts can trace deposits into Tornado Cash, the mixing process intentionally severs the audit trail between incoming and outgoing transactions, making definitive tracking nearly impossible without additional identifying information.

Q4: What security measures can prevent similar DeFi exploits?
Effective prevention includes comprehensive smart contract audits, real-time monitoring for anomalous transactions, decentralized oracle networks with attack resistance, time-locked administrative functions, insurance mechanisms, and bug bounty programs that incentivize ethical disclosure of vulnerabilities.

Q5: How does this incident affect ordinary DeFi users?
Users may experience reduced platform functionality during security investigations, potential loss of funds if directly affected, increased scrutiny of DeFi platforms by regulators, and possibly more complex compliance requirements for future participation in decentralized finance ecosystems.

This post Venus Protocol Hacker’s Shocking $5.3M Tornado Cash Laundering Move Exposes DeFi Vulnerabilities first appeared on BitcoinWorld.