Umbra pulls hosted frontend after $800K of stolen ETH

Umbra disabled its hosted frontend after tracing about 349 ETH (≈$800,000) of stolen funds that moved through its stealth-address protocol.

Umbra took its hosted frontend offline after confirming about 349 ETH (roughly $800,000) of stolen funds moved through its stealth-address protocol. The hosted instance entered maintenance at 6:45 a.m. ET on April 21 while investigators traced the transfers.

Umbra posted on X that the protocol itself remains operational and that funds held in user stealth addresses were not at risk. Only the hosted frontend is offline; access will be restored once the team determines reopening will not interfere with recovery efforts.

In its post, Umbra said it is aware of 349 ETH (~$800K) moving through the protocol and called reports of larger amounts inaccurate. The message included the line: “Umbra is primarily useful for protecting the identity of the receiver, not the sender.” Umbra added that it can identify the stolen funds that moved through the protocol and that it has been coordinating with security researchers involved in tracing the transfers.

Blockchain analysts connected the Umbra activity to laundering attempts after the KelpDAO exploit, which is attributed to North Korea’s Lazarus Group, likely the TraderTraitor subgroup. After Arbitrum’s Security Council froze about $71 million of ETH tied to the incident, the attacker began routing smaller transfers. On-chain analysts tracked a series of small ETH transfers routed through UmbraCash.

Investigators continue to trace the KelpDAO attacker and the flow of funds. The KelpDAO exploit is the largest DeFi hack reported in 2026 to date. Analysts also noted outflows from the Aave protocol in recent days.

Umbra said it will restore its hosted frontend only after confirming that reopening will not impede ongoing tracing and recovery efforts.
