TLDR
- Kelp DAO hacker moved most unfrozen funds through mixers, leaving recovery teams few direct targets.
- Arkham tracked about $1.7 million still parked in the original wallet after laundering waves ended.
- Arbitrum’s $71 million ether freeze remains the main recoverable amount, but court claims continue now.
- LayerZero report linked the exploit to TraderTraitor, a DPRK group associated with Lazarus activity networks.
- Kelp restored rsETH functions through DeFi United, while asset tracing became less useful for recovery.
The Kelp DAO hacker has moved nearly all $220 million in unfrozen exploit funds through privacy tools, leaving recovery teams with little to chase. With only about $1.7 million still in the original wallet and $71 million frozen under dispute, the case shows how fast stolen crypto can vanish across chains and mixers.
Laundering Leaves Few Funds in Original Wallet
The Kelp DAO hacker has laundered nearly all $220 million in unfrozen funds from April’s bridge exploit. On-chain analysts now track about $1.7 million in the original exploiter wallet. The remaining funds moved through several privacy tools and cross-chain routes.
The exploit involved about $292 million in assets linked to Kelp DAO and LayerZero bridging. Arbitrum’s Security Council froze 30,766 ETH on April 20. That amount was worth about $71 million at the time, and it remains the main recoverable portion.
Kelp DAO Hacker Has Laundered Nearly All $220M in Unfrozen Funds, Closing the Recovery Window
According to The Defiant, on-chain tracking data shows that the hackers behind the Kelp DAO bridge exploit, identified as North Korean threat group TraderTraitor, have laundered… pic.twitter.com/UlCj44BTa4
— Wu Blockchain (@WuBlockchain) June 2, 2026
Arkham Intelligence tracked the early fund movement after the freeze. The attacker sent 75,701 ETH into newly created Ethereum wallets. Two wallets received 50,700 ETH, while another received 25,000 ETH.
Funds Passed Through Privacy Protocols
The laundering trail moved through THORChain, Umbra, Wasabi, and Tornado Cash. On-chain investigator ZachXBT flagged early cross-chain activity on April 21. The reported moves included three THORChain transactions and one Umbra transfer.
Analyst Specter later described a two-step pattern. Ether moved to Bitcoin through the Wasabi CoinJoin mixer. Funds then returned to Ethereum through Tornado Cash deposit and withdrawal rounds.
Security firms PeckShield and Cyvers estimated that about $176 million moved during the first laundering wave. THORChain activity also rose during that period. Its 24-hour swap volume reportedly reached $394 million, far above normal daily levels.
Cyvers also reported that the attacker’s first gas came from Tornado Cash. That transfer happened about ten hours before the bridge drain. The setup matched patterns linked to TraderTraitor, according to the reported findings.
Frozen Ether Faces Legal Dispute
LayerZero’s May 18 incident report attributed the attack to TraderTraitor. The report was prepared with Mandiant, CrowdStrike, and zeroShadow. TraderTraitor is also tracked as UNC4899 and linked to the broader Lazarus Group.
The frozen ether is now part of a legal dispute in New York. A U.S. District Court issued a restraining order on May 1. The order barred Arbitrum DAO from moving the same 30,766 ETH.
The order followed claims from families with unpaid terrorism judgments against North Korea. Their judgments total more than $877 million, according to the filing. They are seeking forfeiture of the frozen ether.
Kelp DAO handled user recovery through a separate process. The protocol reopened rsETH functions after the DeFi United restoration plan. The group involved Aave, Karak, EigenLayer, and Kelp DAO.
The plan restored about 116,000 rsETH to users. Aave absorbed most of the related bad debt through its safety module. The unfrozen $220 million is now largely beyond direct asset recovery.
