Kelp DAO hacker moves stolen Ether to new wallets in suspected laundering attempt


The Kelp DAO hack has taken a new turn, with the attackers now moving the stolen funds to other wallets.

Media reports from Tuesday suggest that the entity behind the roughly $290 million breach of Kelp DAO has begun shifting large amounts of stolen Ether to new wallet addresses.

Market participants view the move as the first step in trying to disguise the trail of funds after a hack. The tactic is common across other hacks as well, where attackers quickly spread assets across multiple wallets to make tracking and recovering the funds more difficult.

Arkham data suggests fund movement 

According to information released by blockchain analysis firm Arkham, the wallet associated with the heist transferred roughly 75,700 ether, valued at almost $175 million, in three distinct transactions on Tuesday.

The transfers involved sending 25,000 ETH to a new wallet address alongside 50,700 ETH and a minor amount of 0.7 ETH to another destination address. Such activities usually occur once hackers have successfully stolen tokens and begun organizing them prior to liquidation or transfer between blockchains.

On his Twitter account, blockchain tracker ZachXBT reported that some of the stolen assets were starting to pass through privacy solutions used for hiding cryptocurrency movements.

Further, he highlighted multiple transfers via THORChain amounting to roughly $1.5 million, as well as an additional transaction of $78,000 via the privacy service Umbra.

Such developments suggest that the hacker may be getting ready to dispose of or hide the tokens in question.

KelpDAO attack history

The attack on Kelp DAO took place on Saturday, and the attackers stole about 116,500 restaked Ether (rsETH). The stolen funds were worth about $290-293 million, which places the hack among the biggest exploits seen in the DeFi space.

The funds were taken from a cross-chain bridge built using technology from LayerZero, which is typically used to move tokens and data securely between different blockchain networks.

In the aftermath, LayerZero said the breach appeared to stem from how the bridge’s security was set up. The system relied on a 1-of-1 verifier model, meaning a single entity was responsible for validating cross-chain transactions. 

LayerZero said this was a definite weakness: with only one verifier, the system was susceptible to an attack in which unapproved transactions could be sent, because the single verifier could not stop them.

The firm further noted that it had warned people to avoid using a single-verifier model, especially on a platform that moves huge amounts of money. It said that several verifiers were necessary to verify each transaction.
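A minimal model of the verifier-threshold point above, added here as an illustration; it is not LayerZero's or Kelp DAO's code. The verifier names, keys and message are constructed, and HMAC stands in for real verifier signatures.

```python
import hashlib
import hmac

# Constructed verifier keys for the model; HMAC stands in for real signatures.
VERIFIER_KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}


def attest(verifier, message, keys=VERIFIER_KEYS):
    """Attestation a verifier holding its key would produce over a message."""
    return hmac.new(keys[verifier], message, hashlib.sha256).hexdigest()


def valid_attesters(message, attestations, configured, keys=VERIFIER_KEYS):
    """Return the distinct configured verifiers whose attestation checks out."""
    ok = set()
    for verifier, tag in attestations.items():
        if verifier not in configured:
            continue  # attestations from unconfigured parties never count
        if hmac.compare_digest(tag, attest(verifier, message, keys)):
            ok.add(verifier)
    return ok


def accept(message, attestations, verifiers, threshold):
    """Accept a cross-chain message only if `threshold` distinct verifiers attest."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and the verifier count")
    return len(valid_attesters(message, attestations, set(verifiers))) >= threshold


def audit(verifiers, threshold):
    """Flag configurations where one verifier alone can approve a message."""
    findings = []
    if threshold == 1:
        findings.append("single attestation suffices: one verifier is a single point of failure")
    if len(set(verifiers)) != len(verifiers):
        findings.append("duplicate verifier entries inflate the apparent quorum")
    return findings


# Constructed scenario: only verifier-a attests to a message the others never saw.
MSG = b"constructed: release 100 tokens to 0xEXAMPLE"
ONLY_A = {"verifier-a": attest("verifier-a", MSG)}
```

Under a 1-of-1 configuration `accept` passes on verifier-a's attestation alone; under 2-of-3 the same message is rejected until a second, independent verifier agrees.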

Industry peers speak out 

The hack of Kelp DAO had a lasting effect on the entire DeFi ecosystem as platforms worked to limit their losses and protect the remaining funds. Shortly after the breach, Arbitrum confirmed that its 12-member security council had stepped in to freeze 30,766 Ether (ETH) linked to the incident.

The funds were moved into what officials described as an “intermediary frozen wallet,” meaning the assets are effectively locked and can only be accessed if the network’s governance body approves it. 

Moreover, the repercussions of the hack extended to the lending service Aave, with reports that the hacker used part of the proceeds as collateral when borrowing on the platform.

Initial estimates indicated that the platform may be dealing with a deficit of approximately $195 million. But according to an analysis released afterward by Aave, the possible losses could range from $123.7 million to $230.1 million, contingent upon the amount of collateral that can be salvaged or restored.

It has been difficult for authorities to trace and recover the stolen crypto due to the decentralized nature of the hacker’s activities on platforms like THORChain.

Unlike conventional financial service providers, the network does not conduct any form of identity verification, making it increasingly difficult for relevant agencies to trace the transactions once the process starts to unfold among various blockchain networks.

On another front, there has been a heated discussion regarding the cause behind the hack. One of the infrastructure providers, LayerZero, highlighted the system configuration as the key issue. According to the provider, the single-validator system configuration was the primary flaw.

Furthermore, LayerZero implied that the Lazarus Group, one of the notorious groups involved in various cyberattacks on blockchain platforms, could be behind the attack.

In contrast, Kelp DAO dismissed the claim entirely, stating that the single-validator system configuration is not a unique form of customization, as it is the default in LayerZero. Accordingly, the firm says that the hack stemmed from LayerZero's vulnerable validator system.

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.
