Kelp DAO hacker launders $220M as recovery window closes

The hacker behind the Kelp DAO bridge exploit has moved nearly all unfrozen funds through privacy channels, leaving only a small balance in the original wallets.

Summary

• Kelp DAO exploiter has laundered nearly all $220 million, leaving about $1.7M in original wallets.
• The funds moved through THORChain, Wasabi, Tornado Cash and Umbra, reducing direct tracing options now.
• Arbitrum’s $71M freeze remains the largest recoverable slice, with court claims now pending against it.

The Kelp DAO hacker has laundered about $220 million in unfrozen funds, according to on-chain data cited by The Defiant. The funds moved through THORChain, Wasabi, Tornado Cash and Umbra, making direct tracking harder for investigators.

The report described the amount moved as “nearly all” of the unfrozen funds. It also said “roughly $1.7 million” remains in the original attacker wallets. That leaves a narrow path for direct recovery of the funds that were not frozen earlier.

Exploit traced to North Korea-linked actors

The April attack drained about $292 million from Kelp DAO’s bridge. Chainalysis said the attackers released about 116,500 rsETH against a fake burn event after targeting off-chain bridge infrastructure, not Kelp DAO’s core smart contracts.

LayerZero’s incident report linked the attack to TraderTraitor, a North Korea-linked group also tracked as UNC4899 and part of the wider Lazarus ecosystem. The same wider threat network has been tied to other large crypto attacks this year.

Frozen funds remain the main recovery path

A large part of the stolen assets did not move freely after the attack. Arbitrum’s Security Council froze more than 30,000 ETH soon after the exploit, creating the main pool still within reach of a recovery process.

The Defiant reported that the frozen portion is about $71 million. That sum is now tied to legal claims in the U.S., after families with unpaid judgments against North Korea sought control of the funds. The remaining unfrozen funds have largely moved through privacy tools.

Broader hack pattern

As previously reported by crypto.news, North Korea-linked Lazarus attacks drained $577 million from Drift Protocol and KelpDAO in April. The same report said those two attacks made up 76% of all crypto theft tracked in 2026 through April.

Moreover, Radiant Capital will wind down operations after failing to recover from a $50 million exploit linked to North Korea-aligned actors, as crypto.news reported. The Radiant case showed how slow recovery, lost funding and laundering through Tornado Cash can leave a protocol with limited options.

For Kelp DAO, the latest laundering update does not close every legal or recovery route. The frozen ETH remains important. However, the unfrozen portion now appears much harder to recover through normal address-by-address tracing. The case adds pressure on bridge operators, DeFi teams and investigators to act before stolen funds enter privacy routes.