TLDR
- North Korea's TraderTraitor hackers laundered virtually all $220M in non-frozen assets taken from Kelp DAO during April 2026’s massive breach
- Blockchain forensics show only $1.7M still identifiable in attacker-controlled addresses
- The attackers used THORChain, Wasabi CoinJoin, Tornado Cash, and Umbra to launder the funds
- An additional $71M secured by Arbitrum’s Security Council continues to face complex legal challenges
- Kelp DAO has compensated affected users and transitioned operations to Chainlink CCIP infrastructure
Hackers associated with North Korea’s TraderTraitor group have laundered virtually all $220 million in accessible cryptocurrency stolen during the April 2026 Kelp DAO security breach. According to blockchain intelligence from Arkham Intelligence, only $1.7 million remains trackable in the initial attacker wallets.
The breach took place on April 18, 2026, when threat actors extracted 116,500 rsETH tokens by exploiting weaknesses in Kelp DAO’s LayerZero bridge configuration. Combined losses totaled approximately $292–$293 million, contributing to April’s catastrophic $630 million in cryptocurrency theft.
The laundering unfolded in two primary phases. Initially, the attackers converted stolen assets to Bitcoin using the Wasabi CoinJoin mixing service, then moved them back to Ethereum before passing them through Tornado Cash. THORChain registered abnormally high transaction volumes throughout the operation.
Stolen cryptocurrency also flowed through Umbra, a privacy-focused payment infrastructure. The combination of Bitcoin obfuscation techniques and Ethereum anonymity tools made the funds exceptionally hard for security researchers to trace.
Tracking the Movement of Stolen Assets
Blockchain forensic evidence shows the attackers transferred over 75,000 ETH into freshly generated wallets immediately after the exploit. These funds were then split up and distributed across numerous blockchain networks and privacy-enhancing services.
Cybersecurity analysts attributed the attack to TraderTraitor, also tracked as UNC4899. This North Korean state-sponsored threat group has been linked to numerous high-profile cryptocurrency heists in recent years.
LayerZero announced on April 20 that the vulnerability originated from Kelp DAO’s internal configuration choices. The protocol had configured just one LayerZero DVN (Decentralized Verifier Network) as its only verification path, disregarding previous security advisories against such configurations.
The complete laundering operation concluded within approximately six weeks. Security experts say the window for recovering the accessible funds has essentially closed.
Legal Battle Over $71M in Frozen Assets
Arbitrum’s Security Council froze roughly $71 million in ETH on April 21. Both a United States court order and a community governance vote authorized transferring these assets to an Aave-managed multi-signature wallet designated for rsETH recovery efforts.
However, families holding terrorism-related legal judgments against North Korea have also filed claims against these frozen assets. A court hearing on ownership rights was scheduled for Friday in New York.
The resolution of these legal proceedings remains uncertain. The $71 million freeze currently constitutes the sole remaining avenue for direct fund recovery.
Cryptocurrency theft losses fell sharply in May to $68.3 million, an approximately 90% reduction from April, according to CertiK analytics. Roughly $9.4 million was recovered or voluntarily returned during May.
Despite the decrease, the Kelp DAO incident caused widespread concern throughout the DeFi ecosystem. Within three weeks of the exploit, both Solv Protocol and Tydro moved to Chainlink CCIP. Kelp DAO likewise migrated its rsETH bridging systems to Chainlink CCIP, abandoning LayerZero.
Kelp DAO has concluded its user compensation program. The final distribution of 20,373.7 rsETH tokens was sent to the LayerZero smart contract as part of a five-week restoration effort, Cointelegraph reported.
The stolen funds themselves, however, have largely disappeared into a cross-chain laundering infrastructure that investigators characterize as extremely difficult to penetrate.



