From theft to re-entering the market, how was $292 million "laundered"?

Original Title: Where did the Kelp $292m go? Anatomy of a $292m Laundering
Original Author: @the_smart_ape
Compiled by: Peggy, BlockBeats

Original Author: Rhythm BlockBeats

Original Source:

Repost: Mars Finance

Editor’s Note: On April 18, Kelp DAO was attacked, with approximately $292 million stolen. So, in a fully transparent on-chain system, how exactly did this money get “washed clean” step by step and become circulating assets?

This article uses this incident as a starting point to dissect a highly industrialized crypto money laundering path: from infrastructure preparation before the attack, to cutting off on-chain links via Tornado Cash; from posting the stolen “toxic assets” as collateral on Aave and Compound to borrow clean liquidity, to multiplying the tracing effort through THORChain, cross-chain bridges, and UTXO structures, ultimately flowing into the USDT system on Tron, and exchanged for real-world cash off-chain.

In this process, there are no complex black-box operations; almost every step is “by the rules.” It is precisely because of this that the path revealed is not about a single point of vulnerability, but about the systemic tension under the openness, composability, and censorship resistance of DeFi—when protocol design itself allows these operations, “fund recovery” is no longer a technical issue but a boundary issue of the system.

The Kelp DAO incident is thus not just a security accident but more like a stress test of the operational logic of the crypto world: it shows how hackers can turn your money into their money, and why, in principle, it is very difficult for this system to prevent such processes from happening.

As you know, on April 18, a North Korean hacker stole $292 million from Kelp DAO. Five days later, more than half of it had already disappeared, fragmented across thousands of wallets, exchanged via protocols that cannot be paused, and finally flowed into a very specific destination.

The interesting part is: how does a verifiable stolen crypto asset of $292 million, with no one able to stop it, turn into cash in Pyongyang’s pockets?

The purpose of this article is to reveal why the modern crypto money laundering process operates the way it does, why it is structurally unstoppable, and what each dollar washed actually buys.

Phase One: Layout (Hours before the attack)

Attackers did not start with direct theft. Lazarus Group’s approach always begins with infrastructure preparation.

About 10 hours before the attack, eight brand-new wallets were pre-funded via Tornado Cash, a mixer that cuts the link between the source and destination of funds.

Each wallet received 0.1 ETH, used to pay for subsequent gas fees. Since these wallets’ funds came from a mixer, with no KYC records or transaction history, they cannot be linked to any known entity. A clean slate.

On the eve of the attack, the attacker made three cross-chain transfers from the Ethereum mainnet to Avalanche and Arbitrum—clearly to pre-fund gas on these two L2s and test cross-chain operations, ensuring smooth large transfers.
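The staging pattern described in this phase (brand-new wallets, each receiving the same small gas amount from a mixer, inside a narrow time window) is something a monitoring team can look for before any funds are stolen. The following detector is an added illustration and is not code from the original article or from any analytics vendor; the transfers, addresses, timestamps and the `0xMIXER_ROUTER_PLACEHOLDER` label are all constructed, and the thresholds (12-hour window, five wallets) are assumptions to be tuned on real data.

```python
"""Flag pre-attack staging wallets: fresh addresses whose first inbound
transfer comes from a known mixer, carrying a uniform gas-sized amount,
clustered in time. Added illustration; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int            # block timestamp, unix seconds
    sender: str
    receiver: str
    value_eth: float


# Constructed label set: contracts treated as mixer withdrawal sources (placeholder name).
MIXER_ADDRESSES = {"0xMIXER_ROUTER_PLACEHOLDER"}

T0 = 1_700_000_000  # constructed reference time
SAMPLE = (
    # Eight brand-new wallets, each funded with exactly 0.1 ETH from the mixer
    # within 35 minutes: the staging pattern the article describes.
    [Transfer(T0 + i * 300, "0xMIXER_ROUTER_PLACEHOLDER", f"0xfresh{i:02d}", 0.1) for i in range(8)]
    + [
        # A wallet with prior exchange history that later takes a mixer withdrawal: not fresh.
        Transfer(T0 - 86_400, "0xexchange_hot", "0xknown_user", 1.0),
        Transfer(T0 + 50, "0xMIXER_ROUTER_PLACEHOLDER", "0xknown_user", 0.1),
        # A fresh wallet with a large mixer withdrawal: mixer-funded, but not gas-sized staging.
        Transfer(T0 + 400, "0xMIXER_ROUTER_PLACEHOLDER", "0xbig_withdraw", 10.0),
        # Ordinary unrelated transfer.
        Transfer(T0 + 900, "0xalice", "0xbob", 0.1),
    ]
)


def first_inbound(transfers):
    """Earliest inbound transfer per receiver; approximates 'no prior history'."""
    first = {}
    for t in sorted(transfers, key=lambda t: t.ts):
        first.setdefault(t.receiver, t)
    return first


def mixer_funded_fresh_wallets(transfers, mixers=MIXER_ADDRESSES):
    """Wallets whose very first inbound transfer comes from a mixer."""
    return [t for t in first_inbound(transfers).values() if t.sender in mixers]


def _summarize(amount, group):
    return {
        "amount_eth": amount,
        "wallets": [t.receiver for t in group],
        "first_ts": group[0].ts,
        "last_ts": group[-1].ts,
    }


def staging_clusters(transfers, mixers=MIXER_ADDRESSES, window_s=12 * 3600, min_size=5):
    """Group mixer-funded fresh wallets by identical funding amount, then split
    each group into time windows; a cluster of uniform fundings is the signal."""
    by_amount = defaultdict(list)
    for t in mixer_funded_fresh_wallets(transfers, mixers):
        by_amount[round(t.value_eth, 6)].append(t)

    clusters = []
    for amount, group in by_amount.items():
        group.sort(key=lambda t: t.ts)
        current = [group[0]]
        for t in group[1:]:
            if t.ts - current[0].ts <= window_s:
                current.append(t)
            else:
                if len(current) >= min_size:
                    clusters.append(_summarize(amount, current))
                current = [t]
        if len(current) >= min_size:
            clusters.append(_summarize(amount, current))
    return clusters


if __name__ == "__main__":
    for c in staging_clusters(SAMPLE):
        minutes = (c["last_ts"] - c["first_ts"]) / 60
        print(f"{len(c['wallets'])} fresh wallets funded {c['amount_eth']} ETH from a mixer "
              f"within {minutes:.0f} min: {c['wallets']}")
```

The two negative cases matter as much as the positive one: an address with earlier exchange history is not "fresh" even if it later takes a mixer withdrawal, and a single large withdrawal is not gas staging, so neither should raise the alert. On a live feed, `first_inbound` would be replaced by a lookup of the address's real transaction count, and the mixer set by a maintained label list.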

Phase Two: Theft

An independent attack wallet (0x4966…575e) called
