The attacker behind the massive Kelp DAO bridge exploit has successfully laundered roughly $220 million of the stolen funds in just 45 days, effectively destroying any realistic hopes of recovering the unfrozen portion of the haul.
On-chain intelligence firms now report that roughly $220 million of the approximately $292 million stolen in the April 18 incident has been moved through advanced cross-chain privacy tools. Only around $1.7 million remains visibly linked to the original exploiter wallets, effectively closing the window for meaningful asset tracing on that slice of the haul.
The operation stands out not just for its scale but for the speed and sophistication with which the funds were dispersed. Security researchers continue to attribute the attack with high confidence to TraderTraitor, a subgroup under North Korea’s Lazarus ecosystem, the same actors linked to several other high-value exploits this year.
Anatomy of the Laundering Trail
Following the initial exploit, which targeted a weakened 1-of-1 verifier setup on Kelp DAO’s LayerZero-powered bridge, the attacker wasted little time. After Arbitrum’s Security Council took the unusual step of freezing $71 million worth of ETH shortly after the hack, the remaining funds were funneled aggressively into privacy infrastructure.
Analysts tracked large transfers, including a notable $175 million move across three fresh Ethereum wallets, followed by heavy usage of:
- THORChain for swapping into Bitcoin
- Wasabi CoinJoin for Bitcoin-level privacy
- Tornado Cash for Ethereum mixing cycles
- Umbra and other obfuscation protocols
This multi-layered approach caused temporary spikes in volume on these platforms and highlights how state-linked actors are increasingly comfortable operating across chains to evade detection.
The $71 million still frozen on Arbitrum remains the only significant recoverable amount, though even that faces complications from ongoing legal claims, including forfeiture actions tied to prior judgments against North Korean entities.
Protocol Recovery vs On-Chain Reality
While the laundering arc appears largely complete for the unfrozen funds, Kelp DAO and its partners moved quickly on the protocol side. Through a coordinated effort dubbed “DeFi United,” involving Aave, EigenLayer, Karak, and others, the team restored the majority of user rsETH positions. The protocol also migrated its bridging to Chainlink’s CCIP for stronger security.
LayerZero, for its part, released a detailed incident report in May, in collaboration with Mandiant and others, confirming the configuration downgrade that enabled the attack and announcing that it would no longer support single-verifier setups.
Yet these measures, while protecting users from further immediate losses, do little to claw back the laundered capital now scattered in the shadows of the blockchain.
What This Means for DeFi
The Kelp DAO case adds to a troubling pattern in 2026: sophisticated actors exploiting bridge weaknesses and rapidly converting gains into untraceable forms. With North Korean groups reportedly responsible for a large share of this year’s exploit volume, the industry faces renewed pressure to balance innovation with robust security architecture.
For builders, the message is clear: bridge configurations, oracle dependencies, and emergency response mechanisms need constant scrutiny. For users and investors, it serves as a reminder that while DeFi offers unprecedented opportunities, certain risks, especially around cross-chain infrastructure, remain stubbornly high.
As forensic teams and law enforcement shift focus toward broader sanctions-style interventions rather than wallet-by-wallet recovery, the Kelp incident may ultimately be remembered not just as a massive hack, but as a case study in how quickly nine-figure thefts can disappear in today’s privacy-enhanced crypto environment.