The Kelp DAO hacker has largely finished laundering the stolen funds; about $220 million in unfrozen funds is now almost entirely beyond tracing.

Mars Finance News reported that on June 2, of the approximately $292 million in assets stolen during the April Kelp DAO cross-chain bridge attack, aside from about $71 million worth of ETH that has been frozen, the remaining approximately $220 million has essentially been fully laundered, and the attacker’s original address now holds only about $1.7 million in assets. On-chain analysis shows that the attacker completed multiple rounds of cross-chain transfers and mixing operations using privacy tools such as THORChain, Wasabi, Tornado Cash, and Umbra, causing most of the funds to become largely untraceable.

Investigative agencies previously attributed this attack to the North Korean hacker group Lazarus Group (TraderTraitor/UNC4899). One day after the attack, the hacker split approximately 75,700 ETH (then worth about $175 million) across multiple new addresses, moved the funds cross-chain to the Bitcoin network via THORChain, and then used tools such as Wasabi CoinJoin and Tornado Cash to mix them. During this period, the related fund flows at one point drove THORChain’s daily trading volume to $394 million, more than ten times the normal level.

At present, the only assets with a relatively high likelihood of being recovered are the approximately 30,766 ETH (about $71 million) frozen by the Arbitrum Security Council. However, these assets have been drawn into a new legal dispute: the U.S. federal court for the Southern District of New York previously issued a restraining order requiring a temporary freeze of the funds, because some families of victims of North Korean terrorism are seeking forfeiture of these assets through legal proceedings in order to enforce compensation judgments.

Comment
MerkleGarden
· 4h ago
The dilemma of privacy policies: for ordinary people, it’s freedom; for hackers, it’s accomplices
LonelyStoneUnderTheAurora
· 4h ago
1.7 million untouched, is it kept for paying gas or forgotten?
StargazerInTheWoods
· 4h ago
Cross-chain bridges have failed again and again; how much more do users have to pay in tuition fees?
ChecksumSmile
· 4h ago
What kind of package could North Korean hackers expect in the Web3 job market based on their operational skills?
TreatMemesAsBeliefs
· 4h ago
THORChain + Tornado + Wasabi, a hacker's toolkit is more diverse than my wallet.
StakingDaydream
· 4h ago
220 million washed, 71 million frozen, this ratio shows that on-chain freezing isn't completely useless either.
MarketMakingForMoonlitDeepPool
· 4h ago
Lazarus’s efficiency leaves traditional finance silent, and makes DeFi weep