Cryptocurrency Thief Makes Off with Staggering Nine-Figure Sum, Authorities Left to Chase Frozen Remainder

The Kelp DAO Hacker has laundered nearly all of the approximately $220 million in unfrozen funds linked to April’s bridge exploit, according to on-chain tracking data cited by The Defiant. Analysts report that only about $1.7 million remains in the original exploiter wallets. The movement of funds through several privacy-focused services has narrowed the possibility of tracing individual transactions. While some assets remain frozen, the bulk of the unfrozen funds has now moved beyond direct recovery efforts.

The Kelp DAO Hacker began shifting funds shortly after Arbitrum’s Security Council froze part of the stolen assets on April 20. According to Arkham Intelligence data, the attacker transferred 75,701 ETH, valued at about $175 million, into newly created Ethereum addresses on April 21. The transfers were divided across three wallets. Around 50,700 ETH moved into two addresses, while another 25,000 ETH was sent to a third wallet. These transfers marked the beginning of a broader laundering operation.

On-chain investigator ZachXBT reported the first cross-chain transactions the same day. His findings showed three THORChain transfers totaling about $1.5 million. He also identified a separate transfer worth roughly $78,000 through Ethereum privacy protocol Umbra.

As the activity accelerated, THORChain experienced an unusual rise in trading volume. Daily swap volume reached approximately $394 million, more than ten times its normal level. Security firms PeckShield and Cyvers estimated that around $176 million passed through a network involving THORChain, Umbra, and BitTorrent during the initial phase.

The laundering pattern later became clearer through additional tracking. On-chain analyst Specter described a process that moved Ether into Bitcoin using Wasabi CoinJoin. The funds were then routed back into Ethereum through Tornado Cash deposit and withdrawal cycles.

Cyvers also noted that the attacker’s transaction fees were prepared in advance. The exploiter wallet received funding through Tornado Cash roughly ten hours before the bridge attack. Investigators identified this setup as a method previously associated with the North Korean-linked TraderTraitor group.

The Kelp DAO Hacker’s remaining recoverable assets are largely tied to the 30,766 ETH frozen by Arbitrum. Those holdings are valued at approximately $71 million and remain subject to legal proceedings. On May 1, the U.S. District Court for the Southern District of New York issued a restraining order covering the frozen assets. The order followed a forfeiture filing by families holding unpaid terrorism judgments against North Korea totaling more than $877 million.

Separately, user remediation efforts progressed through protocol-level measures. Kelp restored rsETH functionality after implementing a recovery plan with the DeFi United consortium. Participants included Aave, Karak, EigenLayer, and Kelp. The recovery program restored roughly 116,000 rsETH to affected users. Meanwhile, the approximately $190 million in bad debt created through the attacker’s use of stolen rsETH collateral was absorbed largely through Aave’s safety module.

LayerZero’s incident report, published on May 18 with support from Mandiant, CrowdStrike, and zeroShadow, attributed the exploit to TraderTraitor. The group, also known as UNC4899, is linked to the broader Lazarus Group. With nearly all unfrozen funds now laundered, the remaining recovery focus centers on frozen assets and enforcement actions rather than direct wallet tracing.