{"id":30432,"date":"2026-06-02T08:09:47","date_gmt":"2026-06-02T08:09:47","guid":{"rendered":"https:\/\/bitunikey.com\/news\/kelp-dao-hacker-launders-220m-as-recovery-window-closes\/"},"modified":"2026-06-02T08:09:56","modified_gmt":"2026-06-02T08:09:56","slug":"kelp-dao-hacker-launders-220m-as-recovery-window-closes","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/kelp-dao-hacker-launders-220m-as-recovery-window-closes\/","title":{"rendered":"Kelp DAO hacker launders $220M as recovery window closes"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p><strong>The hacker behind the Kelp DAO bridge exploit has moved nearly all unfrozen funds through privacy channels, leaving only a small balance in the original wallets.<\/strong><\/p>\n<div id=\"cn-block-summary-block_aa0a1618db9375344a0d94a792ad3b6d\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Kelp DAO exploiter has laundered nearly all $220 million, leaving about $1.7M in original wallets.<\/li>\n<li>The funds moved through THORChain, Wasabi, Tornado Cash and Umbra, reducing direct tracing options now.<\/li>\n<li>Arbitrum\u2019s $71M freeze remains the largest recoverable slice, with court claims now pending against it.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>The Kelp DAO hacker has laundered about $220 million in unfrozen funds, according to on-chain data cited by The Defiant. The funds moved through THORChain, Wasabi, Tornado Cash and Umbra, making direct tracking harder for investigators.<\/p>\n<p>The report <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/t.co\/sJP6sqFvIk\" target=\"_blank\" rel=\"nofollow\">described<\/a> the amount moved as \u201cnearly all\u201d of the unfrozen funds. It also said \u201croughly $1.7 million\u201d remains in the original attacker wallets. That leaves a narrow path for direct recovery of the funds that were not frozen earlier.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Kelp DAO Hacker Has Laundered Nearly All $220M in Unfrozen Funds, Closing the Recovery Window<\/p>\n<p>According to The Defiant, on-chain tracking data shows that the hackers behind the Kelp DAO bridge exploit, identified as North Korean threat group TraderTraitor, have laundered\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/UlCj44BTa4\">pic.twitter.com\/UlCj44BTa4<\/a><\/p>\n<p>\u2014 Wu Blockchain (@WuBlockchain) <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/WuBlockchain\/status\/2061662229850886564?ref_src=twsrc%5Etfw\">June 2, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>    <!-- .cn-block-related-link --><\/p>\n<h2 class=\"wp-block-heading\"><strong>Exploit traced to North Korea-linked actors<\/strong><\/h2>\n<p>The April attack drained about $292 million from Kelp DAO\u2019s bridge. Chainalysis said the attackers released about 116,500 rsETH against a fake burn event after targeting off-chain bridge infrastructure, not Kelp DAO\u2019s core smart contracts.<\/p>\n<p>LayerZero\u2019s incident report linked the attack to TraderTraitor, a North Korea-linked group also tracked as UNC4899 and part of the wider Lazarus ecosystem. The same wider threat network has been tied to other large crypto attacks this year.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Frozen funds remain the main recovery path<\/strong><\/h2>\n<p>A large part of the stolen assets did not move freely after the attack. Arbitrum\u2019s Security Council froze more than 30,000 ETH soon after the exploit, creating the main pool still within reach of a recovery process.<\/p>\n<p>The Defiant reported that the frozen portion is about $71 million. That sum is now tied to legal claims in the U.S., after families with unpaid judgments against North Korea sought control of the funds. The remaining unfrozen funds have largely moved through privacy tools.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Broader hack pattern<\/strong><\/h2>\n<p>As previously reported by crypto.news, North Korea-linked Lazarus attacks drained $577 million from Drift Protocol and KelpDAO in April. The same report said those two attacks made up 76% of all crypto theft tracked in 2026 through April.<\/p>\n<p>Moreover, Radiant Capital will wind down operations after failing to recover from a $50 million exploit linked to North Korea-aligned actors, as crypto.news reported. The Radiant case showed how slow recovery, lost funding and laundering through Tornado Cash can leave a protocol with limited options.<\/p>\n<p>For Kelp DAO, the latest laundering update does not close every legal or recovery route. The frozen ETH remains important. However, the unfrozen portion now appears much harder to recover through normal address-by-address tracing. The case adds pressure on bridge operators, DeFi teams and investigators to act before stolen funds enter privacy routes.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The hacker behind the Kelp DAO bridge exploit has moved nearly all unfrozen funds through privacy channels, leaving only a small balance in the original wallets. Summary Kelp DAO exploiter&hellip;<\/p>\n","protected":false},"author":1,"featured_media":30433,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-30432","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/30432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=30432"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/30432\/revisions"}],"predecessor-version":[{"id":30434,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/30432\/revisions\/30434"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/30433"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=30432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=30432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=30432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}