The attacker behind KelpDAO’s nearly $300 million rsETH exploit is now laundering funds from Ethereum to Arbitrum and into Tron-based USDT.
Summary
- KelpDAO’s exploiter is moving roughly $300 million in stolen funds through Arbitrum and into Tron-based USDT.
- The hack could cool Wall Street’s appetite for blockchain and tokenization deals.
- SlowMist flags new “MacSync Stealer” macOS malware draining crypto wallets, compounding security fears.
The attacker behind the nearly $300 million KelpDAO exploit has begun laundering the haul, routing funds through Arbitrum and into Tron-based stablecoins, in a move that heightens fears over recoverability and traceability across DeFi.
On-chain data shows the exploiter bridging rsETH-derived assets to Arbitrum, swapping into $USDT, and then pushing value into the Tron ecosystem, a pattern investigators say is designed to fracture the audit trail and exploit liquidity on multiple networks.
Analysts warned in a note that the roughly $293 million KelpDAO breach “may force major Wall Street banks to reassess the pace” of their blockchain and tokenization projects, arguing the incident exposes “critical infrastructure risks associated with cross-chain bridges and single-validator configurations.”
Andrew Moss, a digital assets analyst at Jefferies, said the exploit is likely to “prompt major Wall Street banks to reconsider their blockchain initiatives,” even if long-term use cases like stablecoins for cross-border payments remain intact.
The April 18 exploit drained 116,500 rsETH — worth about $290 million to $293 million — from KelpDAO’s bridge, in what research desks have called 2026’s largest DeFi loss so far.
LayerZero, whose infrastructure underpinned the rsETH bridge, said the incident was isolated to Kelp’s 1-of-1 verifier setup and followed a compromise of RPC nodes, while KelpDAO has pushed back, arguing it implemented LayerZero’s own defaults and that “one forged signature was enough to make any cross-chain message look real.”
As investors pulled an estimated $15 billion from DeFi following the hack, the KelpDAO incident has amplified concerns that bridge design and validator assumptions are becoming systemic risk points for blue-chip protocols and institutional experiments alike.
Yahoo Finance reported that North Korean-linked attackers have stolen nearly $600 million from on-chain applications in the first quarter alone, with KelpDAO’s $294 million loss emerging as the latest shock to already cautious institutional allocators.
Adding to the anxiety, blockchain security firm SlowMist issued an alert about an active macOS malware strain dubbed “MacSync Stealer” (v1.1.2), which it described as “high-risk” information-stealing malware targeting crypto users.
According to SlowMist, MacSync Stealer is capable of exfiltrating cryptocurrency wallets, browser-saved credentials, system keychains, and infrastructure keys such as SSH, AWS, and Kubernetes, often using fake AppleScript pop-ups to trick users into entering their passwords.
SlowMist urged users “to avoid running macOS scripts from unverified sources and to be especially cautious of unexpected prompts for system passwords,” noting that indicators of compromise have already been shared with partners.
With three of the day’s top headlines tied to macOS malware or DeFi bridge exploits, and Jefferies warning that marquee hacks like KelpDAO’s could “temporarily slow TradFi tokenization adoption as firms reassess security risks,” the gap between crypto’s technical attack surface and Wall Street’s risk tolerance is suddenly front and center.
