Kelp Attackers Move 1,979 BTC: DeFi Stolen Funds Are Fully Moving “Off-Chain”

DeFiSecurityLaunderingCrossChainBTCTHORChainKYT

Stolen Funds Are Fully Exiting the DeFi Ecosystem

According to on-chain monitoring data from PeckShield, KelpDAO attackers have completed a large-scale fund transfer, moving nearly all stolen assets from Ethereum into the Bitcoin network, totaling approximately 1,979 BTC. The transfer was primarily executed through THORChain and similar cross-chain protocols, marking a near-complete exit of funds from the DeFi ecosystem.

This indicates that the stolen assets are no longer circulating within DeFi protocols but are instead being progressively moved into the Bitcoin network, where traceability is significantly more difficult.

THORChain Becomes the Core Cross-Chain Routing Layer

In this incident, THORChain played a central role as the primary cross-chain settlement infrastructure. Attackers used it to convert ETH and related derivatives into BTC across multiple routing steps.

Because THORChain enables permissionless asset swaps between chains, it significantly reduces traceability continuity, making it difficult for traditional single-chain analytics tools to reconstruct full transaction paths.

Balancer Attacker Reactivates After Months of Inactivity

At the same time, a separate but related pattern emerged. An attacker linked to the earlier Balancer exploit has reactivated after five months of dormancy, beginning to convert approximately $700,000 worth of ETH into BTC via THORChain.

This suggests that cross-chain laundering strategies are not isolated incidents but part of a repeatable operational framework reused across different exploits.

Cross-Chain Laundering Is Becoming Industrialized

Recent on-chain behavior indicates a structured and repeatable laundering pipeline:

  • Ethereum as the entry asset layer
  • THORChain as the cross-chain conversion layer
  • Bitcoin as the final settlement layer

This creates a systematic “fragment–convert–consolidate” model that reduces traceability while increasing operational efficiency for attackers.

On-Chain Monitoring Enters the Cross-Chain Era

With the rise of cross-chain protocols and routing infrastructures, assets are no longer confined to a single blockchain. As a result, single-chain monitoring tools are becoming insufficient for tracking real risk exposure.

In this environment, cross-chain risk correlation systems are required to reconstruct full fund flows. Solutions such as Trustformer KYT can help identify abnormal cross-ecosystem movements by analyzing multi-chain behavioral patterns and linking fragmented transaction paths.

About Trustformer

Trustformer is a leading blockchain security and compliance technology company specializing in providing professional risk management and compliance solutions for the global cryptocurrency ecosystem. We have developed the cutting-edge Trustformer KYT (Know Your Transaction) platform, which integrates artificial intelligence, blockchain analytics, and regulatory technology to deliver comprehensive, accurate real-time transaction monitoring, risk assessment, and suspicious activity reporting services.

With deep industry expertise and technological innovation, Trustformer is dedicated to helping Virtual Asset Service Providers (VASPs), crypto financial institutions, and investors build a safer and more transparent crypto financial environment. We believe that driving compliance and trust through technology can contribute to the thriving growth of the global digital economy.