The hacker behind the $293 million exploit of decentralized finance protocol KelpDAO has successfully laundered the majority of the stolen funds, with only a fraction remaining frozen and tied up in legal proceedings. Blockchain investigators have tracked the movement of approximately $220 million through the cryptocurrency mixer Tornado Cash and other privacy tools, effectively ending the recovery window for the bulk of the loot.
The attack, which occurred in April 2026, exploited a LayerZero bridge vulnerability to drain assets. The Arbitrum Security Council froze roughly $71 million worth of ETH shortly afterward, but the remaining $220 million stayed in the attackers' control. On-chain data from Arkham Intelligence and other sources shows the hackers—identified as the North Korean state-sponsored group TraderTraitor (UNC4899)—funneled the sum through a complex network including THORChain, Wasabi CoinJoin, Tornado Cash, and Umbra. As a result, only about $1.7 million remains traceable in the original wallets.
The frozen $71 million has been transferred to a multisig wallet on Aave, and its fate now depends on a court ruling. Families with terrorism judgments against North Korea have also filed claims, complicating the outcome. KelpDAO has concluded its user remediation process and migrated rsETH bridging operations to Chainlink CCIP. The incident underscores the persistent security challenges in cross-chain infrastructure and the growing sophistication of state-backed crypto theft and laundering.