News linked to both this project and an event.
According to Onchain Lens monitoring, the Balancer attacker (0xa6d6...BDaA) exchanged 13,191 ETH for 386.52 BTC, worth $30.54 million, over the past 15 hours. The attacker currently still holds 8,000 ETH, valued at $18.52 million.
According to on-chain analyst Yujin (@EmberCN), the hacker who stole approximately $98 million in assets from Balancer last November is today exchanging ETH for BTC via THORChain. So far, 7,000 ETH have been swapped for 204.7 BTC—valued at roughly $15.88 million—and the process continues. Additionally, it has been disclosed that this address currently holds 15,000 ETH on Ethereum, valued at approximately $34.65 million, and 204.7 BTC on Bitcoin.
According to on-chain analyst Onchain Lens (@OnchainLens), the Balancer hacker’s address has reactivated after five months of dormancy, transferring 100 ETH (approximately $233,000) to a new wallet and beginning fund transfers via ThorChain. The hacker currently still holds 21,900 ETH, valued at approximately $51.13 million.
According to information on the governance forum page, Mantle plans to provide Aave with a loan of 30,000 ETH to help it address the non-performing loan risk triggered by the recent attack. According to analyst Yujin’s statistics, confirmed rescue funds now cover a shortfall of approximately 43,500 ETH.
According to Onchain Lens monitoring, the Balancer attacker, dormant for five months, has transferred 100 ETH (approximately $233,000) to a new address and begun transferring funds through Tornado Cash.The attacker currently still holds 21,900 ETH, valued at approximately $51.13 million.
According to The Block, JPMorgan analysts noted in their latest report that ongoing DeFi security vulnerabilities and stagnant growth in total value locked (TVL) continue to constrain institutional enthusiasm for the DeFi sector. Recently, Kelp DAO’s cross-chain bridge suffered a major attack, during which the attacker minted $292 million worth of uncollateralized rsETH tokens and borrowed real ETH on Aave, resulting in approximately $230 million in bad debt. This caused DeFi TVL to evaporate by roughly $20 billion within several days. LayerZero and blockchain security researchers have attributed this attack to the North Korean hacker group Lazarus Group; some of the stolen funds have been frozen, while the rest remain in circulation. Analysts also pointed out that DeFi TVL denominated in ETH has remained range-bound for an extended period, raising market concerns about whether DeFi can achieve organic growth sufficient to support institutional adoption. Furthermore, following each security incident, users tend to shift funds into USDT as a safe-haven asset—yet this trend has not yet significantly driven USDT’s market capitalization growth.
According to information from the governance forum, Bybit’s public chain Mantle plans to lend 30,000 ETH to Aave to address the bad debt risks arising from recent security incidents.According to statistics from crypto analyst Ember (@EmberCN), the confirmed scale of bailout funds is estimated to cover a shortfall of approximately 43,500 ETH.
According to on-chain analyst Ember (@EmberCN), the rsETH incident on April 18 resulted in a funding shortfall of approximately 68,900 ETH (around $160 million): the hacker collateralized rsETH to borrow 99,600 ETH; after Arbitrum recovered 30,700 ETH, the remaining funds were fully converted by the hacker into BTC. The incident has now entered the remediation phase. Aave is coordinating the establishment of a “DeFi United” relief fund, which has so far received cumulative donations totaling 13,500 ETH (approximately $31.45 million). Donors include Lido Finance (2,500 stETH), ether.fi Foundation (5,000 ETH), Aave founder Stani Kulechov (5,000 ETH), Golem Foundation (1,000 ETH), as well as LayerZero and Ink Foundation (amounts undisclosed).
Aave released the latest update on the rsETH security incident on the X platform, announcing that it has paused rsETH reserve-related operations on the Ethereum mainnet as well as networks including Arbitrum, Base, Mantle, and Linea. This measure is intended to prevent excess aETHrsETH from being withdrawn, thereby pushing positions close to the 95% liquidation threshold. This action aims to preserve as much capital as possible and reduce systemic risk while the asset recovery plan is underway. Aave stated that further progress and resolution plans will be continuously disclosed to the community.
Aave announced the latest developments regarding the rsETH security incident on X, stating that rsETH-related reserve operations have been suspended on Ethereum Mainnet and on networks including Arbitrum, Base, Mantle, and Linea. This measure aims to preserve as much capital as possible and mitigate systemic risk while the asset recovery plan is underway. Aave stated that it will continue to disclose subsequent updates and resolution plans to the community.
Lido has released an update regarding the Kelp security incident, stating that its Earn-series vaults are working with the management team to address the issue, focusing on two key risk areas: rsETH exposure and tightening liquidity in lending markets. Lido emphasizes that its core staking protocol remains unaffected, and both stETH and wstETH remain secure and stable. Currently, only the EarnETH vault holds approximately 9% of its TVL in rsETH exposure; related deposits and withdrawals have been suspended by the management team pending resolution. Of the ~$70 million in ETH stolen in the earlier attack, roughly $70 million has already been recovered; asset recovery and loss allocation efforts are ongoing. To mitigate liquidity pressure, the management team has reduced leverage and optimized position structures, significantly decreasing wETH debt exposure. Should losses ultimately materialize, EarnETH will activate its $3 million “first-loss protection mechanism,” funded by the DAO. Other vaults remain unaffected: DVV and EarnUSD are operating normally. The GGV sub-vault is currently experiencing negative yields due to a combination of recursive staking strategies and rising borrowing rates, but active adjustments are underway. Users’ previously submitted withdrawal requests will be processed at pre-incident valuations.
According to on-chain analyst Yujin (@EmberCN), the KelpDAO hacker, over a period of approximately one and a half days, has converted nearly all 75,700 ETH (valued at roughly $175 million) on Ethereum into BTC—primarily via the cross-chain protocol THORChain. This money-laundering activity generated approximately $800 million in trading volume and $910,000 in platform fees for THORChain.
According to on-chain analyst PeckShield (@PeckShieldAlert), the KelpDAO attacker has transferred ETH from Ethereum to Arbitrum via the Across Protocol, swapped it for USDT, and then routed the funds to TRON DAO via LayerZero.
According to an official post by Umbra (@UmbraCash), the privacy payment protocol Umbra was used to transfer funds related to a recent hacking incident, involving 349 ETH (approximately $800,000). Umbra stated that, as its privacy address system primarily protects the recipient’s identity—not the sender’s—it offers limited practical assistance to hackers attempting to obscure the origin of stolen funds. All stolen funds remain identifiable and traceable. The team has been in active communication and collaboration with security researchers. Umbra also noted that the protocol is powered entirely by autonomous smart contracts; thus, the team cannot prevent anyone from using the contracts or self-hosted frontend versions. In support of fund recovery efforts, the team placed the hosted frontend into maintenance mode at 6:45 a.m. ET on April 21. Access will be restored once it is confirmed that doing so will not impede the recovery process. The protocol itself continues operating normally, and all funds held within privacy addresses remain secure.
According to on-chain analyst Ai Yi's monitoring, the Venus attacker transferred 2,301 ETH (approximately $5.32 million) to address 0xa21…23A7f 11 hours ago. Subsequently, the funds were laundered in batches via Tornado Cash. Currently, there is still $17.45 million worth of ETH remaining on-chain.
According to on-chain analyst Yu Jin, the KelpDAO hacker began laundering and transferring ETH yesterday afternoon, and by now should have laundered 34,500 ETH (worth $80 million).Most of this ETH was cross-chain swapped into BTC via THORChain, which consequently earned a significant amount in "toll fees":1. THORChain's trading volume surged to $360 million over the past 24 hours, compared to an average daily volume of only $20 million previously.2. THORChain's platform fee revenue reached $420,000 over the past 24 hours, whereas its daily fee income was only $5,000 before.
According to on-chain analyst Specter (@SpecterAnalyst), the North Korean hacking group TraderTraitor began laundering stolen funds from KelpDAO at approximately 3 a.m. Beijing time today—just three hours after the Arbitrum Council froze 30.7 ETH (approximately $71 million). The attackers split the remaining funds across three wallets, holding roughly 25,000 ETH (~$57.6 million), 25,700 ETH (~$59.2 million), and 25,000 ETH (~$57.9 million), respectively. The third wallet immediately initiated laundering operations and now holds only about 3,800 ETH (~$8 million). The majority of the funds were bridged to the Bitcoin network via THORChain, with approximately 99% flowing through this protocol. As a result, THORChain’s daily trading volume surged to $211 million—more than ten times its 30-day average—and generated roughly $189,000 in fees. During this laundering process, the illicit proceeds were also commingled with funds stolen in the BTC Turk (2025) and Bybit (2025) hacks. To date, approximately 442 BTC (~$33 million) linked to these incidents have been traced on the Bitcoin network, and over 400 addresses have been utilized throughout the entire laundering operation.
Odaily News According to monitoring by crypto analyst Ai Yi @ai_9684xtpa, the KelpDAO attacker has transferred 50,700 ETH to 2 new addresses, valued at approximately $118 million.
On-chain investigator ZachXBT updated that funds related to the KelpDAO attack have begun moving: approximately $1.5 million has been cross-chained from Ethereum Mainnet to the Bitcoin network via Thorchain, and roughly $78,000 has been transferred via Umbra. The attacking address initially sourced its funds from Tornado Cash, and fund laundering and cross-chain transfers are ongoing.
According to PeckShield’s monitoring, the KelpDAO attacker has transferred 75,700 ETH to two new addresses.