After the KelpDAO was attacked, what the market saw was not just another large sum of assets being transferred away, but an on-chain operation that was almost completed immediately: the attacker did not use centralized exchanges or traditional mixing paths as the primary exit, but directly leveraged THORChain to quickly swap a large amount of ETH for BTC. The core of this incident, therefore, is not just the theft itself, but the fact that the hacker, within the window of disposal after the attack, almost synchronously completed the asset conversion, leaving extremely limited reaction time for tracking, intercepting, and freezing.
The most striking aspect is the oppressive feeling created by the combination of speed and volume. According to disclosures and continuous monitoring by on-chain analyst Ember (@EmberCN), the attacker has converted nearly all of the approximately 75,700 ETH into BTC through THORChain within about a day and a half; according to single-source monitoring estimates, this corresponds to a value of about 175 million USD. When an asset of this scale can traverse cross-chain liquidity networks to complete a “shell change” within a short period, the industry faces a sharper question: How should we handle this double-edged sword, where decentralized cross-chain protocols provide high-efficiency liquidity while potentially accepting hacker assets?
75,700 ETH exchanged after a day and a half
What is truly worrisome is not just how large this asset is, but how quickly it was processed. The approximately 75,700 ETH that the attacker obtained did not, like some cases familiar to the market, take a long time to dismantle, sink, and lurk before finding an exit; on the contrary, this batch of funds was pushed into cross-chain exchange processes at high intensity and continuity within about a day and a half, and according to disclosed information, it has been “almost entirely” converted into BTC.
This means that the hacker did not just make an ordinary transfer, but rather executed a clear asset track switch. While ETH remained on the original chain, tracking, marking, and coordination could still revolve around the same chain context; but once the conversion is completed through a protocol like THORChain that allows native asset cross-chain exchanges, the funds are no longer just “relocating”, but switching from one mainstream asset to another mainstream asset. For the tracking party, this is akin to the target completing a “shell change” while in motion.
Even more unusual is its rhythm. About a day and a half, about 75,700 ETH, with the target aimed directly at BTC—this combination itself indicates that the attacker did not spend time on complex preparations, but prioritized the completeness of the asset switch. The term “almost entirely” in the brief indicates that the focus of this operation was not on delay, but on rapid advancement—transforming the original chain's more easily monitored risk exposure into a holding in another mainstream chain as quickly as possible, before tracking, freezing, and coordination could gradually tighten.
From this perspective, this round of actions feels more like a race against the time window. The longer they stay, the more possibilities for on-chain analysis, project party collaboration, and external coordination increase; the faster they convert ETH into BTC, the more initiative they can secure in subsequent circulation. This is also why the most striking aspect of this incident is not “how much was transferred,” but that the attacker completed the entire switch from ETH to BTC without hesitation.
THORChain became the escape route
The reason the attacker directed the path towards THORChain is not complicated: it objectively offers a cross-chain swapping capability for native assets. For this incident, it means that the ETH in hand does not need to return to a centralized exchange for matching, nor does it need to establish the entire path based on traditional mixing tools, but can directly utilize decentralized cross-chain liquidity protocols to complete the switch from ETH to BTC.
The significance of this step lies in the simultaneous establishment of both “speed” and “dispersal.” After the attack, time itself became a cost. Instead of waiting for the reviews, risk controls, and coordination of centralized entry points, it is better to enter an executable on-chain liquidity channel directly. Within about a day and a half, approximately 75,700 ETH has been converted into BTC; according to a single-source valuation, around 175 million USD. This pace indicates that the route chosen by the attacker is not a cumbersome path requiring multiple transfers, but a sufficiently handy and efficient escape route.
However, precisely because of this, THORChain quickly became the center of controversy in this incident. It has been defined as a decentralized liquidity protocol that allows for cross-chain exchange of native assets, which for ordinary users means solving issues related to cross-chain trading and liquidity connection; but in the hands of an attacker, the same capability can be transformed into the convenience of asset transfer and money laundering. The protocol provides a tool-like capability, but who uses this capability and in what scenarios presents a sharper question.
Thus, what is truly worth discussing is not simply shifting the blame directly onto the protocol itself, but the dual effects that such decentralized liquidity infrastructure exhibit in reality: on one hand, it lowers the barrier for cross-chain exchange of native assets; on the other, it also allows hackers to quickly complete large-scale asset switching without primarily relying on centralized exchanges or traditional mixers. This is also one of the most inescapable controversies in this incident—while the protocol continuously provides liquidity, does it also objectively offer a more efficient channel for money laundering?
800 million USD transaction pushes the protocol onto the volcano’s edge
At this step, the controversy shifted from “how hackers transfer assets” to “who is absorbing this liquidity.” According to single-source monitoring data, this series of continuous conversions completed within about a day and a half not only switched nearly all of the approximately 75,700 ETH into BTC but also reportedly launched about 800 million USD in trading volume for THORChain, generating around 910,000 USD in fee revenue. The picture thus becomes extraordinarily striking: on one side, the attacker is continuously liquidating and accelerating the completion of asset reorganization; on the other, the protocol is continuously absorbing liquidity, amplifying transactions, and gaining visible income from it.
This is precisely THORChain's dual predicament in this incident. As a decentralized liquidity protocol that allows for cross-chain exchange of native assets, it is not the initiator of the event, but from the moment the on-chain path was chosen, it quickly became part of the event’s stage. The larger the transaction, the stronger its liquidity and execution capabilities; but the same “execution efficiency” also nearly synchronously pushed it into the spotlight of public opinion and regulatory scrutiny. The brief’s description is very direct: the protocol gains revenue, but is also thus placed under external scrutiny.
What is truly sharp is that this is not merely a case of stress testing, but a realistic interrogation of the boundaries of “neutral execution.” Permissionless infrastructure can insist that it merely provides matching and exchange capabilities without actively judging the source of funds; but when abnormally large funds complete cross-chain switching through such capabilities, the protocol, even if maintaining technical neutrality, can scarcely avoid reputational costs. In other words, the more efficient and open a liquidity network is, the more likely it is to accommodate the most controversial demands in extreme scenarios—and this may very well be a question that the entire industry must repeatedly face moving forward.
Rumors of freezing arise while main funds still flow out
Also because this path is sufficiently efficient, after the incident entered the public view, the market quickly turned its attention to another question: can the security response catch up? Claims around “the Arbitrum security committee froze part of the ETH” have indeed begun to circulate, but as of now, this can still only be regarded as unverified information. How much has actually been frozen, at what point in time, and how the related assets entered the so-called frozen wallet—these key details have not been publicly confirmed and cannot be restated as established facts.
The truly unavoidable main thread is that within about a day and a half, the attacker has converted almost all of the approximately 75,700 ETH into BTC via THORChain. Based on single-source valuation, the scale of this part of the asset is about 175 million USD. In other words, even if there may be local interceptions, freezes, or delays, the main narrative about the funds is not “successfully restrained,” but “has already completed the switch along the decentralized cross-chain path.” This is also the most striking part of the asset transfer and money laundering behavior after the KelpDAO attack: defenses are not entirely absent, but their effectiveness window is clearly shorter than the speed of fund migration.
The contradiction here lies precisely in that centralized security measures or governance mechanisms may be able to intercept local assets in some scenarios, but once funds no longer primarily flow to centralized exchanges or traditional mixers, and instead enter the native cross-chain exchange network directly, the difficulty of interception rapidly increases. Every time an asset completes a permissionless switch, the costs for subsequent tracking, coordination, and disposal simultaneously rise; and for the outside world, the most easily formed misunderstanding is to misinterpret “possibly frozen part” as “the situation has been brought under control.” From the known information, these two things are clearly not the same.
What needs to be more restrained is that currently, neither the KelpDAO project party, the Arbitrum security committee, nor other relevant parties have a complete, verifiable official statement or response details. Whether law enforcement has already intervened and to what extent the investigation has progressed has also not been publicly confirmed. In this information gap, any extended statements regarding the scale of freezing, execution processes, and responsibility attribution are likely to slip into speculation.
Therefore, a more accurate judgment at this stage should be: rumors of freezing can serve as an observational variable, but they cannot rewrite the main axis of the event. The axis remains that most funds have completed a rapid migration from ETH to BTC via decentralized cross-chain protocols; and this also exposes a reality—when the outflow speed of assets is fast enough to be measured by the hour, traditional security responses, even if they can play roles in the corners, find it hard to regain control of the entire funding chain’s rhythm.
On-chain detectives can track but cannot hit the pause button
In these types of events, on-chain analysts like Ember play the role of “lighting” rather than “braking.” Relying on public on-chain data, they can almost in real-time capture the movement of abnormally large funds, reconnecting migration tracks that were originally scattered across different chains and addresses and allowing the outside world to realize immediately: this is not a sporadic sell-off, but a concentrated switch of approximately 75,700 ETH to BTC completed within about a day and a half. But the problem lies precisely here—tracking can increase transparency, and alerts can compress reaction time, but publicly seeing how funds move does not mean they can be brought back, nor does it mean anyone can press the pause button on-chain.
Therefore, what this incident truly exposes may not only be a particular protocol’s failure in security aspects, but also the long-standing structural pulls within the entire DeFi infrastructure: on one side is the open liquidity network represented by THORChain, emphasizing the free cross-chain exchange of native assets; on the other side are the anti-money laundering and risk isolation pressures that immediately surface after the event occurs. When attackers do not prioritize using centralized exchanges or traditional mixers, but instead use decentralized cross-chain protocols to complete asset switching, this tension is magnified to an unavoidable degree. The protocol provides neutral liquidity tools, but in extreme scenarios, neutrality itself will be re-examined.
Next, the market truly needs to focus on only a few core questions: first, which addresses do the BTC obtained by the hackers ultimately enter, and whether they continue to be diverted, is still an information gap; second, what formal responses will the project party and related chains and security entities provide, which claims can be publicly verified and which are still mere rumors; third, whether this event will prompt regulations or law enforcement to place more intense scrutiny on cross-chain protocols. At least for now, what can be confirmed is that funds have already completed rapid migration; whether effective interception can occur thereafter is still not in the hands of on-chain detectives.
Join our community, let’s discuss and become stronger together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
OKX Welfare Group: https://aicoin.com/link/chat?cid=l61eM4owQ
Binance Welfare Group: https://aicoin.com/link/chat?cid=ynr7d1P6Z
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
