From theft to re-entry into the market—how was $292 million "laundered"?

Author: @the_smart_ape; Translation: Peggy, BlockBeats

On April 18, Kelp DAO was attacked, and approximately $292 million in assets were stolen. So, in a fully open on-chain system, how exactly was this money gradually “washed clean,” turning into tradable assets step by step?

This article uses the incident as a starting point to break down a highly industrialized crypto money-laundering route: from preparing anonymous infrastructure before the attack, to cutting on-chain linkage by using Tornado Cash; from leveraging Aave and Compound to swap out “toxic assets” for clean liquidity, to exponentially amplifying the difficulty of tracing through THORChain, cross-chain bridges, and UTXO structures; and finally flowing into the USDT system on Tron, then being exchanged for cash in the real world via OTC networks.

Throughout the process there are no complex black-box operations; almost every step is "following the rules." And precisely because of that, what this route reveals is not a single-point vulnerability but the structural tension within DeFi systems built on openness, composability, and censorship resistance: when the protocol design itself permits these actions, "fund recovery" is no longer a technical issue but a question of where the system's boundaries lie.

Therefore, the Kelp DAO incident is not only a security breach; it is also like a stress test of how the crypto world operates. It shows how hackers can turn your money into theirs—and it also shows why, in principle, it is very difficult for this system to prevent such a process from happening.

As you know, on April 18, a North Korean hacker stole $292 million from Kelp DAO. Five days later, more than half of it was already gone—fragmented and scattered across thousands of wallets. Through protocols that cannot be paused, it was exchanged and ultimately flowed to a very specific destination.

The interesting question is this: how does $292 million in verifiably stolen crypto assets become cash in Pyongyang's pockets when no one is able to stop it?

The purpose of this article is to show how the full lifecycle of modern crypto money laundering works, why it is structurally impossible to stop, and what each laundered dollar ultimately bought.

First stage: Preparation (hours before the attack)

The attackers did not begin with a direct theft. Lazarus’ approach always starts with infrastructure preparation.

About 10 hours before the attack, eight brand-new wallets were pre-funded via Tornado Cash—Tornado Cash is a mixer that severs the association between the source and the destination of funds.

Each wallet received 0.1 ETH to pay the gas fees for all subsequent operations. Because the funds in these wallets came from a mixer, there are no exchange KYC records, no historical trading traces, and no way to link them to any known entity. A clean slate.

On the eve of the attack, the attackers made three cross-chain transfers from the Ethereum mainnet to Avalanche and Arbitrum. The intent was obvious: to pre-fund gas on both networks and to test the bridge path, so that everything would run smoothly when large amounts were moved.

Second stage: The theft

A standalone attack-initiating wallet (0x4966…575e) invoked the function named lzReceive on the LayerZero EndpointV2 contract. Because the validators had been successfully deceived, this call was treated as a legitimate cross-chain message. Kelp’s bridge contract, Kelp DAO: RSETH_OFTAdapter (Etherscan address: 0x85d…), then released 116,500 rsETH to 0x8B1.

This constituted 18% of all circulating rsETH. A single function call—gone in an instant.

Forty-six minutes later, at 18:21 UTC, Kelp's emergency multi-signature paused the protocol. At 18:26 UTC and 18:28 UTC, the attackers tried the same operation twice more, each attempt aiming at approximately 40,000 rsETH (about $100 million per attempt). Both transactions reverted because Kelp had pulled the plug in time. Had it not, the total stolen in this theft could have approached $500 million.

Third stage: Aave + Compound operations

rsETH is a receipt token. Once Kelp pauses the bridge or the stolen tokens are blacklisted, their value drops to zero. The attackers had only minutes to convert them into assets that cannot be frozen. Kelp paused the bridge 46 minutes after the theft, and by then it was already too late.

Dumping $292 million of illiquid restaking tokens directly onto the open market would have crushed the price by more than 30% within minutes. So the attacker did not sell; instead he used DeFi lending protocols as the laundering tool and exited quickly.

The receiving wallet, 0x8B1, dispersed the 116,500 stolen rsETH into seven other branch wallets. Each branch immediately went into Aave and Compound V3: depositing part of the rsETH as collateral, and borrowing ETH.

The cumulative positions of the seven branches are as follows:

· Collateral deposited: 89,567 rsETH

· Borrowed: approximately 82,650 WETH + 821 wstETH, totaling approximately $190 million in clean, liquid Ethereum assets

· Each branch's health factor was set to 1.01 to 1.03, as close to the liquidation threshold of 1.0 as the protocols allow, which maximizes the amount that can be borrowed against the collateral

Against collateral that was already tagged and nearly impossible to liquidate, the attacker extracted about $190 million worth of ETH. When the rsETH was ultimately marked down to near zero (because Kelp's bridge liabilities exceeded its assets and the tokens could not be redeemed), the depositors of the lending protocols bore the loss.
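The arithmetic behind the collateral-and-borrow step, as an added example (not code from the article or from Aave/Compound). The collateral price (1.02 ETH per rsETH) and the liquidation threshold (0.93) are assumptions chosen only so that the article's own figures land in its stated 1.01 to 1.03 health-factor band; the 821 wstETH is folded into the ETH debt at 1:1. It shows why a health factor just above 1.0 maximizes what can be borrowed, why no liquidator steps in once the collateral cannot be sold, and how the shortfall ends up with depositors.

```python
"""Health-factor arithmetic for a collateral-and-borrow position (added example)."""
from dataclasses import dataclass


@dataclass
class Position:
    collateral_tokens: float       # rsETH deposited
    collateral_price_eth: float    # ETH per rsETH (assumed)
    liquidation_threshold: float   # share of collateral value that counts (assumed)
    debt_eth: float                # ETH-denominated debt

    def collateral_value_eth(self) -> float:
        return self.collateral_tokens * self.collateral_price_eth

    def health_factor(self) -> float:
        # HF = collateral value * liquidation threshold / debt; below 1.0 is liquidatable
        if self.debt_eth == 0:
            return float("inf")
        return self.collateral_value_eth() * self.liquidation_threshold / self.debt_eth


def max_debt_for_hf(collateral_tokens, price_eth, liq_threshold, target_hf) -> float:
    """Largest debt that still leaves the position at target_hf."""
    return collateral_tokens * price_eth * liq_threshold / target_hf


def price_drop_to_liquidation(pos: Position) -> float:
    """Fractional fall in collateral price that pushes HF to exactly 1.0."""
    return 1.0 - 1.0 / pos.health_factor()


def liquidator_profit_eth(pos: Position, repay_eth, bonus, resale_price_eth) -> float:
    """Net result for a liquidator who repays repay_eth of debt, receives collateral
    worth repay_eth*(1+bonus) at the oracle price, and sells it at resale_price_eth.
    With a paused bridge or blacklisted token the resale price is 0, so nobody liquidates."""
    seized_tokens = repay_eth * (1.0 + bonus) / pos.collateral_price_eth
    return seized_tokens * resale_price_eth - repay_eth


def bad_debt_eth(pos: Position, recoverable_fraction) -> float:
    """Shortfall left with the protocol's depositors once the collateral can only
    be realised for recoverable_fraction of its booked value."""
    recoverable = pos.collateral_value_eth() * recoverable_fraction
    return max(0.0, pos.debt_eth - recoverable)


# The article's aggregate figures for the seven branches; price and threshold are assumed.
KELP_BRANCHES = Position(
    collateral_tokens=89_567,
    collateral_price_eth=1.02,
    liquidation_threshold=0.93,
    debt_eth=82_650 + 821,
)

if __name__ == "__main__":
    p = KELP_BRANCHES
    print(f"health factor                         : {p.health_factor():.4f}")
    print(f"price drop that makes it liquidatable : {price_drop_to_liquidation(p):.2%}")
    print(f"liquidator P&L, unsellable collateral : {liquidator_profit_eth(p, 1000, 0.05, 0.0):.0f} ETH")
    print(f"bad debt if collateral recovers 0     : {bad_debt_eth(p, 0.0):,.0f} ETH")
```

Under these assumptions the position sits at a health factor of roughly 1.018, so a collateral price move of under 2% would make it liquidatable on paper; but with the resale price at zero every liquidation loses the liquidator the full repayment, which is exactly why the debt stays on the protocol's books.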

As the market realized that Aave held more than $200 million in bad debt, users panicked and withdrew. In 48 hours, Aave lost $8 billion in TVL (total value locked). This largest DeFi lending protocol suffered its first truly meaningful run on the bank—and the spark was that an attacker used it entirely as designed by the protocol.

Fourth stage: Consolidation and splitting of funds

After completing the Aave/Compound borrowings, the seven branch wallets pushed the borrowed ETH to a third-layer consolidation wallet (0x5d3).

At this point, the entire operation cluster clearly shows a three-layer structure:

  1. Receiving: 0x8B1 (also pre-funded via Tornado Cash), receiving the original stolen 116,500 rsETH

  2. Operations: seven branch wallets pre-funded via Tornado Cash, carrying out the Aave/Compound operations

  3. Consolidation: 0x5d3 re-aggregating approximately 71,000 ETH in borrowed funds, routing them uniformly into the laundering process

The funds were then distributed across two chains:

· 75,700 ETH remained on the Ethereum mainnet

· 30,766 ETH on Arbitrum (approximately $71 million)

The Arbitrum security committee voted to freeze this portion of assets on Arbitrum, transferring $71 million to a governance-controlled wallet that can only be unlocked through subsequent governance.

Shortly after the freeze, the hacker moved the remaining mainnet ETH at once and accelerated the laundering, which suggests he had not expected Arbitrum to intervene.

Fifth stage: First wave of money laundering

Four days after the attack, 0x5d3 began emptying out. In just a few hours, Arkham traced 3 independent transfers.

The timing was deliberately chosen: the European trading hours on Tuesday. U.S. investigators were still resting, European compliance teams were processing the backlog from Monday, and Asian exchanges were nearing closing.

Then, the transfer pattern began to spread explosively. Each first-wave destination immediately dispersed again: 0x62c7 pushed to about 60 newly generated wallets, and 0xD4B8 pushed to about 60 more. Within hours, the original orderly 10-wallet cluster expanded into 100+ one-time addresses, with parallel pre-funding to keep the amount in each address small enough to evade detection.

Lazarus ran an HD (hierarchical deterministic) wallet script: from one mnemonic phrase it derives thousands of brand-new addresses within seconds. Combined with a worker pool (Python + web3, ethers.js, or their own internal tools), they signed and broadcast across the entire address tree in parallel. This code has been iterated since 2018.

By the end of this stage, the linearly traceable chain had disappeared. The operation cluster of 10 wallets had exploded into more than 100 fragmented wallets, and the funds entered privacy rails from dozens of independent entry points at the same time.

Sixth stage: THORChain—the escape machine

The real point of rupture happened at THORChain.

THORChain is a decentralized protocol that supports cross-chain native asset swaps. If you send ETH on Ethereum, it gives you BTC on the Bitcoin network.

On April 22 alone, THORChain's 24-hour swap volume reached $460 million, against a normal daily volume of about $15 million. This single hack drove roughly 30 times the protocol's normal usage in one day.

Within the same 24-hour window, the protocol generated total revenue of $494,000, which was split among bonders (node operators), liquidity providers, the development fund, ecosystem integration parties, and the marketing fund.

Meanwhile, the funds also flowed in parallel through a set of smaller but complementary privacy routes:

· Umbra: a stealth address protocol on Ethereum. Funds are sent to one-time addresses whose spending key only the recipient can derive from a shared secret, so on-chain observers cannot tell who the true destination is. Approximately $78,000 of initial activity was traced here before the trail went cold.

· Chainflip: another cross-chain DEX, with a pattern similar to THORChain.

· BitTorrent Chain: a low-cost, low-regulation sidechain connected to Tron.

· Tornado Cash: the same mixer used for the initial Gas pre-funding. The U.S. Department of the Treasury listed it as a sanctioned entity in 2022.

Every time the funds pass through one layer of protocol, the cost of tracing increases by about 10 times. After 5 layers, although investigators in theory could still trace every fragment, the economic cost would exceed the value that could be recovered.

Seventh stage: Bitcoin UTXO fragmentation

The swap from ETH to BTC via THORChain essentially turns the money into confetti.

Ethereum uses an account model: your balance is a number attached to an address, simple and direct. Bitcoin is different: it uses a UTXO (unspent transaction output) model. Every UTXO is a discrete chunk of coins with its own complete transaction history. Each time you spend Bitcoin, these chunks are split and recombined into new ones.

Imagine ripping a $100 bill into 87 pieces, then tearing each piece into another 87 pieces, and repeating this process 7 times. Technically, each fragment can be traced back to the original bill. In practice, no forensic team can track thousands of parallel chains in real time and, within a sufficient timeframe, reconstruct the full picture and take action.
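The "torn bill" picture, carried through as an added example of the haircut taint rule that forensic tools apply to UTXO graphs (not the article's or any vendor's code). The transactions are constructed and the txids are placeholders; 100,000,000 sats stands in for the THORChain outbound. Each output inherits the input-value-weighted taint of what it spends, so pure splits keep taint at 1.0 no matter how many pieces they create, while merging with clean coins dilutes the fraction; the tainted value is conserved except for what leaks into fees.

```python
"""Haircut taint propagation over a constructed UTXO graph (added example)."""

# txid -> {"inputs": [(txid, vout), ...], "outputs": [value_sats, ...]}
# A transaction with no inputs stands in for coins arriving from outside the graph.
CONSTRUCTED_TXS = {
    "swap_out": {"inputs": [], "outputs": [100_000_000]},                           # stolen BTC lands
    "clean":    {"inputs": [], "outputs": [18_720_000]},                            # unrelated clean coin
    "split1":   {"inputs": [("swap_out", 0)], "outputs": [24_990_000] * 4},         # fee 40,000
    "split2":   {"inputs": [("split1", 0)], "outputs": [6_240_000] * 4},            # fee 30,000
    "merge":    {"inputs": [("split2", 0), ("clean", 0)], "outputs": [24_950_000]}, # fee 10,000
}
ORDER = ["swap_out", "clean", "split1", "split2", "merge"]  # topological order


def haircut_taint(txs, order, seed):
    """seed: {(txid, vout): taint in [0, 1]} for outputs known to be stolen.
    Every output of a transaction gets the input-value-weighted average taint."""
    taint = dict(seed)
    for txid in order:
        tx = txs[txid]
        in_value = sum(txs[t]["outputs"][i] for t, i in tx["inputs"])
        tainted_value = sum(txs[t]["outputs"][i] * taint.get((t, i), 0.0)
                            for t, i in tx["inputs"])
        frac = tainted_value / in_value if in_value else 0.0
        for vout in range(len(tx["outputs"])):
            taint.setdefault((txid, vout), frac)   # explicit seeds are kept
    return taint


def unspent(txs):
    """All outputs not consumed by any transaction in the graph."""
    spent = {ref for tx in txs.values() for ref in tx["inputs"]}
    return [(t, i) for t, tx in txs.items()
            for i in range(len(tx["outputs"])) if (t, i) not in spent]


def tainted_outputs(txs, taint, threshold):
    """Unspent outputs whose taint is at least threshold, mapped to their value."""
    return {ref: txs[ref[0]]["outputs"][ref[1]]
            for ref in unspent(txs) if taint.get(ref, 0.0) >= threshold}


def tainted_sats_outstanding(txs, taint):
    """Stolen value still in circulation: sum(value * taint) over unspent outputs."""
    return sum(txs[t]["outputs"][i] * taint.get((t, i), 0.0) for t, i in unspent(txs))


if __name__ == "__main__":
    taint = haircut_taint(CONSTRUCTED_TXS, ORDER, {("swap_out", 0): 1.0})
    for ref in unspent(CONSTRUCTED_TXS):
        print(f"{ref[0]:>8}:{ref[1]}  value={CONSTRUCTED_TXS[ref[0]]['outputs'][ref[1]]:>11,}  taint={taint[ref]:.2f}")
    print("outputs at >= 50% taint:", len(tainted_outputs(CONSTRUCTED_TXS, taint, 0.5)))
    print("tainted sats outstanding:", f"{tainted_sats_outstanding(CONSTRUCTED_TXS, taint):,.0f}")
```

Note what the merge does: a single clean input three times the size of the stolen one drops the output's taint to 0.25, and a threshold-based alert at 50% no longer fires, even though 6,237,500 sats of stolen value still sit in that output. That is the dilution step the splitting prepares for, and it is why investigators track value-weighted taint rather than a yes/no flag.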

Therefore, THORChain did two things at the same time: it moved the funds across a boundary that no sanctions can cross, and it fragmented the funds into dust that cannot be traced.

Eighth stage: The Tron USDT track

After the Bitcoin and privacy layers, the funds converge again to the same endpoint: USDT on Tron.

Most people think the main battlefield for money laundering is BTC, but that’s wrong. The true main battlefield is USDT on Tron. Data shows that illegal crypto asset transaction volume carried by USDT-Tron ranks first every year, exceeding the total of all other chains.

In this Kelp fund flow, the specific path was: bridge from BTC to Tron, swap for USDT, then transfer it multiple times between Tron addresses. Each hop on Tron is extremely cheap—just a few cents—allowing another 10 layers of fragmentation to be stacked.

Ninth stage: Cashing out—crypto becomes cash

At the endpoint of every hacker attack, the funds are turned into fiat cash through a specific, verifiable network of human intermediaries.

A group of OTC brokers active in mainland China and Southeast Asia receives USDT-Tron deposits and settles in local-currency cash. These brokers are essentially unlicensed underground money service operators. They consolidate fund flows from multiple clients (both compliant and non-compliant), net them out internally, and settle in fiat currency through China’s domestic payment network (UnionPay). UnionPay operates completely outside the SWIFT system and the scope of Western sanctions enforcement.

From accounts controlled by these brokers, the funds flow into bank accounts controlled by North Korea—typically held under the names of shell companies registered in Hong Kong, Macau, or third-party jurisdictions. Then, from these accounts, the funds are sent back to Pyongyang through Hawala-style informal settlement, physical cash transfers, and purchasing-front companies, among other methods.

The UN Security Council, the FBI, and the U.S. Department of the Treasury have all independently recorded the ultimate destinations of this batch of funds. North Korea’s ballistic missile program, nuclear weapons development, and evasion of international sanctions all rely on the continuous support of such fund flows.

A 2024 UN report estimates that crypto hacking attacks account for about 50% of North Korea’s total foreign exchange income, making it the primary source of funding for North Korea’s weapon programs—more than the total of coal exports, arms sales, and labor exports.
