Kelp DAO hacker laundered $220M; $1.7M traceable
Arkham data and onchain analysts show the Kelp DAO hacker laundered about $220 million of a $293 million April theft in six weeks, leaving roughly $1.7 million traceable.
Blockchain data provider Arkham and onchain analysts report that the wallet linked to the attacker who drained 116,500 restaked Ether (rsETH) from Kelp DAO on April 18 now holds about $1.7 million. The analysts estimate roughly $220 million of the $293 million theft was laundered over the following six weeks.
Onchain analysis indicates the launderer moved funds in two main stages. The attacker bridged value to Bitcoin and routed assets through the Wasabi coin-mixing service, then returned value to Ethereum and processed withdrawals through the Tornado Cash mixing protocol.
Arbitrum’s Security Council froze an additional $71 million of assets tied to the incident on April 21. A governance vote and a U.S. court order authorized transferring frozen funds to an Aave-controlled multisignature wallet to support recovery of rsETH. Court filings show the next hearing on competing ownership claims for the frozen assets is scheduled for Friday in New York.
Kelp DAO reported restoring its rsETH token as part of a five-week recovery after the final tranche of 20,373.7 rsETH was sent to the LayerZero smart contract that handles locking, minting, burning and releasing rsETH during cross-chain transfers. Following the exploit, Kelp DAO moved its rsETH token from the LayerZero-powered bridge to Chainlink’s Cross-Chain Interoperability Protocol (CCIP). Other protocols, including Solv Protocol and Tydro, also migrated to Chainlink CCIP in the weeks after the attack.
LayerZero attributed the breach to a single point of failure in Kelp DAO’s implementation, saying the protocol relied on a single LayerZero Distributed Verification Network node as the only verified path despite prior warnings against that configuration. Kelp DAO has identified weaknesses in its cross-chain setup as the cause of the exploit.
Exploit losses fell in May to $68.3 million, a nearly 90% decline from April, according to security firm CertiK. That May total included about $2.6 million attributed to phishing attacks and roughly $9.4 million of funds that were recovered or returned. April’s exploits, including the rsETH drain, pushed total stolen funds for the month to roughly $630 million.
According to onchain observers and Arkham tracking, the attacker used multiple bridges and coin mixers to route nearly all of the stolen funds that were not initially frozen through layers of obfuscation, leaving only a small portion directly linked to the attacker’s wallet and complicating recovery efforts.