Cryptonews

Notorious Hackers Launder Stolen Kelp DAO Funds, Concealing $220 Million Trail in Cryptocurrency Anonymizers

Source
CryptoNewsTrend

Cybercriminals associated with North Korea’s TraderTraitor operation have successfully washed virtually all $220 million in accessible cryptocurrency stolen during the Kelp DAO security breach in April 2026. According to blockchain intelligence data from Arkham Intelligence, merely $1.7 million can still be tracked to the attackers’ original cryptocurrency wallets.

Kelp DAO Hacker Has Laundered Nearly All $220M in Unfrozen Funds, Closing the Recovery Window
According to The Defiant, on-chain tracking data shows that the hackers behind the Kelp DAO bridge exploit, identified as North Korean threat group TraderTraitor, have laundered… pic.twitter.com/UlCj44BTa4
— Wu Blockchain (@WuBlockchain) June 2, 2026

The security compromise took place on April 18, 2026, when malicious actors extracted 116,500 rsETH tokens by exploiting a weakness in Kelp DAO’s LayerZero bridge configuration. Combined losses totaled approximately $292–$293 million, contributing to April’s staggering $630 million in cryptocurrency theft incidents.

The money laundering process unfolded across two primary phases. Initially, perpetrators converted stolen assets to Bitcoin using the Wasabi CoinJoin tumbling service, subsequently converting them back to Ethereum before channeling through Tornado Cash. THORChain experienced abnormally elevated transaction volumes throughout this period. The pilfered cryptocurrency also passed through Umbra, a protocol designed for anonymous transactions.

This multi-layered approach combining Bitcoin obfuscation tools with Ethereum privacy mechanisms created substantial obstacles for forensic investigators attempting to follow the money trail. Blockchain forensics reveal the perpetrators quickly moved over 75,000 ETH into freshly generated wallets immediately following the security breach. Subsequently, these holdings were fragmented and distributed across numerous blockchain networks and anonymization services.

Cybersecurity researchers attributed the attack to TraderTraitor, alternatively identified as UNC4899. This North Korean state-sponsored threat actor has been implicated in numerous high-profile cryptocurrency heists over recent years.

LayerZero issued a statement on April 20 clarifying that the vulnerability originated from Kelp DAO’s specific implementation choices. The protocol had configured a single LayerZero DVN as its exclusive verification pathway, contradicting established security recommendations against such configurations.

The entire laundering operation concluded in approximately six weeks. Security analysts indicate the opportunity to recover the accessible funds has essentially expired.

Arbitrum’s Security Council implemented an emergency freeze on roughly $71 million in ETH on April 21. Both a federal court directive and a community governance vote authorized transferring these assets to an Aave-managed multi-signature wallet designated for rsETH victim compensation. Nevertheless, families holding judicial awards against North Korea for terrorism-related cases have filed competing claims against these frozen assets. A judicial hearing to determine rightful ownership was scheduled for Friday in New York. The resolution of these legal proceedings remains uncertain. The $71 million in frozen cryptocurrency now constitutes the sole viable avenue for direct fund recovery.

Cryptocurrency theft statistics showed dramatic improvement in May, plummeting to $68.3 million — representing nearly a 90% reduction from April’s figures, per CertiK data. Approximately $9.4 million was successfully recovered or voluntarily returned throughout May.

Notwithstanding this improvement, the Kelp DAO breach triggered widespread security reassessment throughout the DeFi ecosystem. Within three weeks following the exploit, both Solv Protocol and Tydro completed migrations to Chainlink CCIP. Kelp DAO similarly transitioned its rsETH bridging operations to Chainlink CCIP, abandoning LayerZero.

Kelp DAO successfully completed its user compensation program. The concluding distribution of 20,373.7 rsETH tokens was transmitted to the LayerZero smart contract as part of a five-week restitution initiative, as documented by Cointelegraph. The stolen cryptocurrency itself, nevertheless, has predominantly vanished into a sophisticated cross-chain laundering infrastructure that investigators characterize as extremely challenging to penetrate.
