The hacker behind the $292 million Kelp DAO bridge exploit has successfully laundered nearly all unfrozen funds through a sophisticated chain of crypto mixers and cross-chain bridges, destroying recovery prospects for $220 million of the stolen haul.
On-chain data tracked by Arkham Intelligence reveals that approximately $220 million has moved through privacy protocols including THORChain, Wasabi Wallet, Tornado Cash and Umbra over the past 45 days. Just $1.7 million remains in the original attacker wallets — a fraction that narrows the already slim path for direct asset recovery.
## How the Laundering Worked
Blockchain analysts tracing the funds describe a multi-layered washing strategy designed to sever the link between stolen assets and the attacker’s final holdings.
The funds moved in two distinct layers. First, the hacker bridged stolen Ether to Bitcoin using Wasabi Wallet, a privacy-focused coin mixer. From there, the funds returned to Ethereum before being cycled through Tornado Cash, the infamous Ethereum mixing protocol that has been under U.S. sanctions since 2022. The attacker also used Umbra, a stealth address protocol, to further obscure transaction trails.
On-chain analyst Specter detailed the laundering path, showing how each hop made tracing exponentially harder for investigators.
The attacker completed the full laundering cycle in 45 days — a pace that shows operational sophistication consistent with state-backed threat actors who have refined their money movement playbook through years of practice.
## North Korea’s TraderTraitor Group Tied to Exploit
The April 18 attack drained roughly $292 million from Kelp DAO’s cross-chain bridge. Chainalysis determined the attackers exploited off-chain bridge infrastructure rather than Kelp DAO’s core smart contracts, initiating a fake burn event that released approximately 116,500 rsETH.
LayerZero’s incident report tied the attack to TraderTraitor, a North Korea-linked threat group also tracked as UNC4899. The group operates within the broader Lazarus ecosystem, which the U.N. has previously estimated steals between $1 billion and $2 billion annually to fund the Kim regime’s weapons programs.
The same threat network has been linked to other major crypto attacks this year, including the $577 million Drift Protocol drain in April. Combined, the Drift Protocol and Kelp DAO attacks made up 76% of all crypto theft tracked in 2026 through April, according to Chainalysis data.
## Only Frozen Funds Remain Recoverable
The one bright spot in an otherwise bleak recovery picture involves funds that were frozen before the hacker could move them.
Arbitrum’s Security Council acted quickly after the exploit, freezing more than 30,000 ETH — worth approximately $71 million at current prices — before the attacker could shift those assets through mixers. That frozen pool represents the largest recoverable tranche from the entire heist.
However, the path to recovery for even those frozen funds has become entangled in U.S. legal proceedings. The Defiant reports that families holding unpaid civil judgments against North Korea have filed court claims seeking control of the frozen assets, complicating Kelp DAO’s efforts to reclaim them.
## A Growing Pattern
The Kelp DAO case fits a troubling pattern for DeFi in 2026. North Korea-linked attacks have become the dominant force in crypto crime this year, with Lazarus-affiliated groups draining over $1.5 billion from protocols across multiple chains.
Radiant Capital provides a cautionary parallel. The lending protocol announced it would wind down operations after failing to recover from a $50 million exploit linked to North Korean actors. The Radiant case showed how slow recovery efforts, loss of user confidence, and laundering through Tornado Cash can leave even established protocols with no viable path forward.
For Kelp DAO, the laundering update does not entirely close every legal or recovery avenue. The frozen ETH on Arbitrum remains a potential source of restitution. But the unfrozen portion — more than three-quarters of the total stolen — is now beyond reach through conventional on-chain tracing.
## Industry Implications
The speed and sophistication of the Kelp DAO laundering operation have renewed calls for faster incident response mechanisms in DeFi. Critics argue that the window between exploit detection and fund laundering is shrinking, and that current security council and multisig response times may be insufficient.
Some have pointed to real-time chain monitoring and automated freeze mechanisms as potential solutions, though these raise centralization concerns in an industry built on permissionless principles.
The case also highlights the limitations of sanctions against mixing protocols. Despite Tornado Cash being under U.S. Office of Foreign Assets Control sanctions since August 2022, the protocol continues to process billions in flows, including the Kelp DAO proceeds. Enforcement against individual developers has not meaningfully disrupted the protocol’s smart contracts, which remain operational on-chain.
For DeFi users and protocol operators, the Kelp DAO case drives home a sobering reality: once stolen funds enter privacy channels, recovery is virtually impossible. The race is now on to freeze first and ask questions later.
## FAQ
### How did the Kelp DAO hacker launder $220 million?
The hacker used a two-layer strategy: bridging Ether to Bitcoin through Wasabi Wallet, then returning to Ethereum and cycling funds through Tornado Cash and Umbra. This chain of mixers and cross-chain bridges made the funds effectively untraceable.
### How much of the stolen Kelp DAO funds can still be recovered?
Only the approximately $71 million in ETH frozen by Arbitrum’s Security Council shortly after the exploit remains realistically recoverable. The unfrozen $220 million has been laundered through privacy protocols with just $1.7 million still in the original attacker wallets.
### Who is behind the Kelp DAO hack?
LayerZero’s incident report and Chainalysis both attribute the attack to TraderTraitor, a North Korea-linked threat group operating within the Lazarus ecosystem. The same group has been tied to other major crypto exploits in 2026.
---
*Sources: crypto.news, The Defiant, Crypto Times, Arkham Intelligence, Chainalysis, LayerZero*