
'Mysterious' 300,000 XRP Users: Who Are They and Why Does XRP Ledger Look Unnatural
XRP Ledger sees a mysterious spike of 300,000 new users, raising suspicions.

The attacker of the Kelp DAO exploit has moved approximately $175 million in Ether across multiple transactions to newly created addresses, likely to launder the stolen funds. This follows a significant exploit where around $290 million was drained from Kelp DAO's LayerZero-powered bridge.
Mentioned in this story
The attacker behind the roughly $290 million Kelp DAO exploit began moving tens of thousands of Ether to newly created blockchain addresses on Tuesday, in an apparent effort to start laundering the stolen funds.
The wallet tagged by Arkham as linked to the Kelp DAO exploit moved about 75,700 Ether (ETH) worth roughly $175 million across three transactions on Tuesday, including a 25,000 ETH transfer to one newly created address and transfers of 50,700 ETH and 0.7 ETH to another.
Blockchain investigator ZachXBT wrote in a Tuesday Telegram post that addresses tied to the exploit had begun moving funds through THORChain and Umbra. He flagged three THORChain transactions totaling about $1.5 million and a separate $78,000 transfer through Umbra.
On Saturday, an attacker drained about 116,500 restaked Ether (rsETH), worth roughly $290 million to $293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge.
LayerZero said Kelp DAO’s 1/1 decentralized verifier network (DVN) setup created a single point of failure by relying on a single verifier path for cross-chain messages. LayerZero said it had previously advised against that configuration.
The transfers came hours after Arbitrum said its 12-member security council had taken emergency action to freeze 30,766 ETH tied to the exploit and move the funds into an “intermediary frozen wallet” accessible only through Arbitrum governance.

Kelp DAO Attacker-tagged wallet, latest transactions. Source: Arkham
The exploit also hit other DeFi protocols, including Aave, where the attacker used the against the protocol. Early estimates put the hole at about $195 million, but Aave’s April 20 incident report later : roughly $123.7 million in bad debt under one scenario and about $230.1 million under another.
The Kelp DAO attacker moved about 75,700 Ether, worth roughly $175 million.
The total amount stolen in the Kelp DAO exploit was approximately $290 million.
LayerZero identified that Kelp DAO's decentralized verifier network created a single point of failure by relying on a single verifier path for cross-chain messages.

XRP Ledger sees a mysterious spike of 300,000 new users, raising suspicions.

Cardano's Charles Hoskinson audits 11,000 DAOs to address governance by 2027.

Bitcoin rebounds to over $74K as total crypto market cap rises by $80 billion.

Wietse Wind warns XRP community about rising scams targeting Xaman wallet users.

Bank of America increases Bitcoin stake while tripling Ethereum and Solana exposure.

Latest on Pi Network: Token price stabilizes at $0.15 amid update delays.
See every story in Crypto — including breaking news and analysis.
The transfers suggest the attackers had begun moving funds through non-custodial protocols that can complicate tracing and recovery. THORChain does not require traditional Know Your Customer checks.
During the $1.4 billion Bybit hack, attackers converted about 83% of the stolen Ether into Bitcoin (BTC), with 72% of the funds moving through THORChain, according to Bybit CEO Ben Zhou. Zhou said at the time that 77% of the stolen funds were still traceable, meaning the flows were not fully untraceable.
On Tuesday, Aave said it had unfrozen Wrapped Ether (WETH) reserves on the Ethereum Core V3 market, enabling users to supply WETH to the V3 lending protocol once again. However, WETH reserves across Ethereum Prime, Arbitrum, Base, Mantle and Linea remain frozen.

Source: Julio Moreno
Meanwhile, the thinning liquidity saw Aave’s borrowing rates for USDt (USDT) rise from 3% to 14%, marking the highest figures since December 2024, wrote Julio Moreno, the head of research at analytics platform CryptoQuant, in a Monday X post.
Fears over a potential contagion caused significant outflows from Aave, as its total value locked (TVL) fell by about $10 billion since the exploit to $16.4 billion as of Tuesday, DeFiLlama data shows.