CoinStats

KelpDAO Recovery Window Narrows As Hacker Launders $220M

8h ago

KelpDAO’s hacker has moved nearly all unfrozen funds through privacy channels, leaving only about $1.7M in original wallets.

The recovery window for KelpDAO’s $292 million bridge exploit has narrowed sharply after the attacker moved nearly all of the unfrozen funds through privacy-focused laundering routes.

The latest on-chain tracking of the KelpDAO attacker places the laundered amount near $220 million, with funds routed through THORChain, Wasabi, Tornado Cash and Umbra. Only about $1.7 million is still sitting in the original attacker wallets, leaving investigators with far less clean, traceable value to freeze or recover directly.

That marks a major shift from the first days after the attack, when emergency freezes and public wallet tracking still offered some recovery paths. CryptoAdventure previously covered how Arbitrum froze about $70 million in ETH linked to the KelpDAO exploit, cutting off one large chunk of the attacker’s proceeds. The latest laundering activity suggests most of the assets that remained outside those freezes have now moved beyond simple transaction-by-transaction recovery.

North Korea Attribution Raises The Stakes

The KelpDAO exploit remains one of the largest DeFi attacks of 2026. Attackers drained about 116,500 rsETH from KelpDAO’s LayerZero-powered bridge in April, with the damage spreading into lending markets after stolen assets were used across DeFi collateral systems.

Chainalysis tied the exploit to North Korean actors, specifically Lazarus Group and its TraderTraitor cluster, and described the attack as an off-chain infrastructure compromise rather than a standard smart-contract bug. That distinction matters because the attacker did not simply exploit a visible contract flaw. The breach relied on manipulating the verification path behind cross-chain messages, which then made the on-chain release of assets appear valid.

CryptoAdventure’s earlier KelpDAO exploit coverage captured the first phase of the drain, while a later Justin Sun recovery appeal showed how quickly the incident became a broader DeFi solvency and negotiation problem.

Laundering Phase Limits Recovery Options

The laundering routes now matter more than the original exploit path. THORChain has already become a recurring channel in North Korea-linked crypto laundering, with CryptoAdventure previously examining THORChain’s role in DPRK-linked fund movement. Wasabi, Tornado Cash and Umbra add more layers of privacy and obfuscation, making clean attribution and direct recovery harder once funds leave the original wallet cluster.

That does not mean investigators lose every lead. Blockchain analytics firms, exchanges and law enforcement can still track patterns, identify exit points and flag related wallets. But the easy recovery phase is mostly gone once funds are fragmented, swapped and routed through privacy systems.

For KelpDAO, the latest update turns the incident from an active recovery race into a longer enforcement and containment problem. Arbitrum’s frozen ETH remains important, but the unfrozen balance has largely moved. The exploit already forced DeFi to rethink bridge security, verifier assumptions and collateral contagion. Now it adds another lesson: if large stolen funds are not frozen quickly, the laundering window can close before recovery negotiations ever get real leverage.

The post KelpDAO Recovery Window Narrows As Hacker Launders $220M appeared first on Crypto Adventure.
