$600 Million Shock: Kelp DAO Hacker Takes Action
<p class="text-left mb-4 ">The series of attacks in the crypto market in recent weeks has created a serious disruption in the DeFi ecosystem. The recent bridge attack, particularly targeting the Kelp DAO, led to a sharp decline in both market capitalization and trust. Total losses exceeding $600 million in three weeks have increased pressure across the sector. Following the approximately $292 million attack on the Kelp DAO's cross-chain bridge, the DeFi market lost 5.6% of its value in a single day. This drop was one of the sharpest since 2024. The total value locked (TVL) in the sector fell to approximately $82.4 billion, reaching its lowest level in the past year. Considering the TVL was around $110 billion at the beginning of the year, the magnitude of the loss becomes clearer. The decline was felt most strongly in lending protocols. In this segment, TVL fell by approximately 13%, while liquid staking also saw losses exceeding 3%. Decentralized exchanges and derivatives platforms also took their share of this sell-off. Risk appetite weakened across the market, and investors' cautious stance was noteworthy. </p><h2 class="text-left text-foreground text-3xl font-bold mb-3 mt-1">The impact of the attack spread like wildfire</h2><p class="text-left mb-4 ">The attack was not limited to Kelp DAO alone. Some of the stolen assets were used as collateral on the Aave platform, raising the potential risk of "bad debt" in the protocol. <a href="https://jrkripto.com/tr/coin/aave" target="_blank" rel="noreferrer" class="text-primary underline">Aave </a>froze rsETH assets to limit the risk. However, this move led to liquidity crunch in some stablecoin markets, effectively locking up billions of dollars worth of assets.</p><p class="text-left mb-4 ">The technical details of the attack are also noteworthy. It is stated that the incident occurred on a bridge operating on the LayerZero infrastructure, and the attacker tricked the system by creating a fake cross-chain message. Initial findings suggest that the North Korea-linked Lazarus Group may be behind the attack. There is a significant exchange of accusations between the parties. LayerZero argues that the validation structure used by Kelp DAO creates a "single point of failure," while Kelp DAO states that this configuration is offered by default and has been previously approved. Aave is also indirectly involved in the same discussion. Although some developers within the sector emphasize that the parties should act together, no clear solution plan has yet been presented. </p><h2 class="text-left text-foreground text-3xl font-bold mb-3 mt-1">How the losses will be distributed is unclear</h2><p class="text-left mb-4 ">One of the most critical issues after the attack is how the damage will be shared. According to analyses, two main scenarios stand out. In the first scenario, the damage is spread across all rsETH holders, resulting in approximately a 15% loss in value. In this case, it is estimated that a deficit of approximately $120 million could occur on Aave.</p><p class="text-left mb-4 ">In the second scenario, the majority of the losses are borne by Layer 2 users. In this case, some assets may experience a value loss exceeding 70%, and the total damage could be even greater. It is not yet clear which scenario will be implemented.</p><h2 class="text-left text-foreground text-3xl font-bold mb-3 mt-1">Arbitrum intervenes</h2><p class="text-left mb-4 ">Following the developments, Arbitrum took an important step. Arbitrum Security Council froze approximately 30,766 ETH at an address linked to the attack. It was announced that these assets, worth approximately $71 million, cannot be moved until the governance process is complete.</p><p class="text-left mb-4 ">However, it appears the attacker has not been completely stopped. According to on-chain analysis, some of the stolen funds have begun to be moved to different networks. Following the freezing of 30,766 ETH linked to the KelpDAO attack on Arbitrum, the attacker appears to have accelerated their movements. According to EmberCN data, the attacker has begun distributing approximately 75,700 ETH (worth approximately $175 million) to different addresses on the Ethereum mainnet. Numerous small transfers, particularly via UmbraCash, indicate an attempt to fragment the funds and cover their tracks.</p><p class="text-left mb-4 ">
<figure class="my-6">
<img src="https://minio-api-1.jrkripto.com/blog/ekran-g-r-nt-s-2026-04-21-123522-b383253b.webp" alt="Ekran görüntüsü 2026-04-21 123522.png" width="auto" height="auto" class="w-full rounded-lg border" />
</figure>
</p>
