Kelp DAO Hacker Launders Nearly All $220M in Unfrozen Funds

Highlights:

• Kelp DAO’s recovery hopes narrowed after the hacker moved most of the unfrozen stolen funds.
• Arbitrum froze $71 million in Ether, now the main recoverable part of the exploit.
• Attackers used THORChain, Wasabi, Tornado Cash, and Umbra to hide fund movements.

The Kelp DAO bridge hacker has laundered nearly all of the roughly $220 million in unfrozen funds left from April’s $292 million LayerZero exploit. Arkham Intelligence data show that the original attacker’s wallet holds only about $1.7 million.

Advertisement

The attacker moved the funds through several privacy and cross-chain tools, including THORChain, Wasabi, Tornado Cash, and Umbra. These tools can make stolen crypto harder to trace because they break the clear link between the original wallet and later wallets. 

Kelp DAO Hacker Has Laundered Nearly All $220M in Unfrozen Funds, Closing the Recovery Window

According to The Defiant, on-chain tracking data shows that the hackers behind the Kelp DAO bridge exploit, identified as North Korean threat group TraderTraitor, have laundered… pic.twitter.com/UlCj44BTa4

— Wu Blockchain (@WuBlockchain) June 2, 2026

The exploit first hit Kelp DAO’s bridge in April. The total loss stood at about $292 million. However, Arbitrum’s Security Council froze around $71 million in Ether on April 20. That frozen amount now appears to be the only major part of the stolen funds that may still be recoverable through legal or governance action.

Hacker Moved Funds Through Privacy Tools

The laundering started on April 21, one day after Arbitrum froze part of the stolen assets. The exploiter wallet moved 75,701 Ether, worth about $175 million at the time, into newly created Ethereum wallets. Arkham Intelligence tracked these transfers across three transactions.

After that, the funds moved through a wider laundering path. Some funds went through THORChain, while other transfers used Umbra. THORChain’s 24-hour swap volume also jumped sharply during the activity, reaching $394 million, more than ten times its usual daily level.

The report also said the attacker used a two-layer process. Ether was first moved into Bitcoin through the Wasabi CoinJoin mixer. Later, some funds returned to Ethereum through Tornado Cash deposit and withdrawal rounds. Security firms PeckShield and Cyvers estimated that around $176 million moved through the THORChain, Umbra, and BitTorrent route during the first wave.

LayerZero’s May 18 incident report, prepared with Mandiant, CrowdStrike, and zeroShadow, linked the attack to DPRK actor TraderTraitor. The group is also tracked as UNC4899 and is considered part of the wider Lazarus Group. The same group was also linked to another major crypto theft that week.

Only Frozen Funds Remain Within Reach

The $71 million frozen by Arbitrum remains the main recoverable amount. However, that money is also facing legal pressure. The U.S. District Court issued a restraining order on May 1, stopping Arbitrum DAO from moving the same 30,766 Ether. Families with unpaid terrorism judgments against North Korea have filed for forfeiture against the frozen funds.

Kelp DAO has already handled user-level recovery separately. The protocol reopened full rsETH functionality in late May after the DeFi United consortium completed its rsETH restoration program. The consortium included Aave, Kelp Karak, and EigenLayer. The report said around 116,000 rsETH was restored to users.

For Kelp DAO, the focus has now shifted from tracking the unfrozen funds to the legal and recovery process around the frozen Ether.

Advertisement