North Korean Hackers Launder $220M from Kelp DAO Exploit in Six Weeks


TLDR

  • North Korea’s TraderTraitor group laundered nearly all of the $220M in unfrozen funds stolen from Kelp DAO in April 2026
  • Only $1.7M remains traceable in the original hacker wallets
  • Funds were moved through THORChain, Wasabi CoinJoin, Tornado Cash, and Umbra
  • $71M frozen by Arbitrum’s Security Council remains tied up in legal proceedings
  • Kelp DAO completed user remediation and migrated to Chainlink CCIP

North Korean hackers linked to the TraderTraitor group have laundered nearly all of the $220 million in unfrozen funds stolen from Kelp DAO in April 2026. Blockchain data from Arkham Intelligence shows just $1.7 million remains traceable in the original wallets.

The exploit occurred on April 18, 2026, when attackers drained 116,500 rsETH tokens through a vulnerability in Kelp DAO’s LayerZero bridge setup. Total losses reached roughly $292–$293 million, pushing April’s total crypto hack losses to $630 million.

The laundering happened in two main stages. Attackers first bridged funds to Bitcoin using the Wasabi CoinJoin mixing service, then returned them to Ethereum before routing through Tornado Cash. THORChain also processed unusually high volumes during the operation.

The stolen assets were also moved through Umbra, a privacy-focused payment protocol. The combination of Bitcoin mixing and Ethereum privacy tools made tracking the funds extremely difficult for investigators.

How Attackers Moved the Funds

On-chain data shows the attackers transferred more than 75,000 ETH into newly created wallets shortly after the exploit. From there, funds were split and routed across multiple chains and privacy services.

Blockchain investigators linked the attack to TraderTraitor, also known as UNC4899. This North Korean cyber group has been connected to several major crypto thefts in recent years.



LayerZero said on April 20 that the exploit stemmed from a flaw in Kelp DAO’s own setup. The protocol had used a single LayerZero DVN as its only verified path, despite prior warnings against that configuration.

The laundering was completed in roughly six weeks. Analysts say the recovery window for the unfrozen funds has now effectively closed.

What Happens to the Frozen $71M

Arbitrum’s Security Council froze approximately $71 million in ETH on April 21. A US court order and a governance proposal both approved moving those funds to an Aave-controlled multi-signature wallet for the rsETH recovery effort.

However, families holding terrorism judgments against North Korea have also filed claims on those frozen funds. A hearing on ownership was scheduled for Friday in New York.

The outcome of that legal process remains unclear. The $71 million freeze now represents the only remaining direct recovery path.

Crypto hack losses fell sharply in May, dropping to $68.3 million — a near 90% decline from April, according to CertiK. About $9.4 million was recovered or returned during May.

Despite the drop, the Kelp DAO incident prompted wider concern across DeFi. Within three weeks of the exploit, Solv Protocol and Tydro both migrated to Chainlink CCIP. Kelp DAO also moved its rsETH bridging infrastructure to Chainlink CCIP, away from LayerZero.

Kelp DAO finalized its user remediation process. The final tranche of 20,373.7 rsETH tokens was sent to the LayerZero smart contract as part of a five-week recovery effort, Cointelegraph reported.

The stolen funds themselves, however, have largely disappeared into a cross-chain laundering network that investigators say is now very difficult to unwind.




