TLDR:
- The Kelp DAO Hacker moved nearly $220 million through privacy tools, limiting direct recovery efforts.
- Only about $1.7 million remains in original wallets after extensive cross-chain laundering activity.
- Arbitrum’s frozen 30,766 ETH worth $71 million remains the largest recoverable asset pool.
- Investigators linked the exploit to TraderTraitor, a DPRK-backed group tied to Lazarus operations.
The Kelp DAO hacker has laundered nearly all of the approximately $220 million in unfrozen funds linked to April’s bridge exploit, according to on-chain tracking data cited by The Defiant.
Analysts report that only about $1.7 million remains in the original exploiter wallets. The movement of funds through several privacy-focused services has narrowed the possibility of tracing individual transactions.
While some assets remain frozen, the bulk of the unfrozen funds has now moved beyond direct recovery efforts.
Kelp DAO Hacker Moves Funds Through Privacy Networks
The Kelp DAO Hacker began shifting funds shortly after Arbitrum’s Security Council froze part of the stolen assets on April 20.
According to Arkham Intelligence data, the attacker transferred 75,701 ETH, valued at about $175 million, into newly created Ethereum addresses on April 21.
The transfers were divided across three wallets. Around 50,700 ETH moved into two addresses, while another 25,000 ETH was sent to a third wallet. These transfers marked the beginning of a broader laundering operation.
On-chain investigator ZachXBT reported the first cross-chain transactions the same day. His findings showed three THORChain transfers totaling about $1.5 million. He also identified a separate transfer worth roughly $78,000 through Ethereum privacy protocol Umbra.
As the activity accelerated, THORChain experienced an unusual rise in trading volume. Daily swap volume reached approximately $394 million, more than ten times its normal level.
Security firms PeckShield and Cyvers estimated that around $176 million passed through a network involving THORChain, Umbra, and BitTorrent during the initial phase.
The laundering pattern later became clearer through additional tracking. On-chain analyst Specter described a process that moved Ether into Bitcoin using Wasabi CoinJoin. The funds were then routed back into Ethereum through Tornado Cash deposit and withdrawal cycles.
Cyvers also noted that the attacker’s transaction fees were prepared in advance. The exploiter wallet received funding through Tornado Cash roughly ten hours before the bridge attack.
Investigators identified this setup as a method previously associated with the North Korean-linked TraderTraitor group.
Recovery Prospects Narrow as Frozen Assets Remain Contested
The Kelp DAO Hacker’s remaining recoverable assets are largely tied to the 30,766 ETH frozen by Arbitrum. Those holdings are valued at approximately $71 million and remain subject to legal proceedings.
On May 1, the U.S. District Court for the Southern District of New York issued a restraining order covering the frozen assets. The order followed a forfeiture filing by families holding unpaid terrorism judgments against North Korea totaling more than $877 million.
Separately, user remediation efforts progressed through protocol-level measures. Kelp restored rsETH functionality after implementing a recovery plan with the DeFi United consortium. Participants included Aave, Karak, EigenLayer, and Kelp.
The recovery program restored roughly 116,000 rsETH to affected users. Meanwhile, the approximately $190 million in bad debt created through the attacker’s use of stolen rsETH collateral was absorbed largely through Aave’s safety module.
LayerZero’s incident report, published on May 18 with support from Mandiant, CrowdStrike, and zeroShadow, attributed the exploit to TraderTraitor.
The group, also known as UNC4899, is linked to the broader Lazarus Group. With nearly all unfrozen funds now laundered, the remaining recovery focus centers on frozen assets and enforcement actions rather than direct wallet tracing.
The post Kelp DAO Hacker Launders $220M, Leaving Only Frozen Assets Within Reach appeared first on Blockonomi.
This article is written by: Nermeen Nabil Khear Abdelmalak