The hacker behind April’s $292 million Kelp DAO exploit has laundered nearly all of the remaining unfrozen funds, sharply reducing the chances of recovering stolen assets.
On-chain data tracked by Arkham Intelligence shows only about $1.7 million remains in the original exploiter wallet, while most of the roughly $220 million moved through a network of privacy tools and cross-chain transfers.
The latest fund movements leave the $71 million frozen by Arbitrum as the only significant portion still within reach of recovery efforts. Arbitrum secured the assets shortly after the attack by freezing about 30,766 ETH linked to the exploiter. However, investigators now face a much tougher challenge as the attacker has largely erased the trail of the remaining funds through complex laundering routes.
The April exploit targeted Kelp DAO’s LayerZero bridge and ranks among the largest crypto thefts of the year. Investigators later linked the attack to TraderTraitor, a North Korean hacking group associated with Lazarus. As a result, the case has become another example of how state-backed cybercriminals continue to outpace traditional recovery efforts across the digital asset industry.
Arbitrum freeze preserves remaining recoverable funds
Arbitrum remains the only platform that has successfully secured a significant share of the stolen assets. The network froze about 30,766 ETH, worth more than $71 million, shortly after the Kelp DAO exploit. Arbitrum said its Security Council took the action after reviewing information provided by law enforcement and conducting technical analysis of the funds.
However, the frozen Ethereum now faces a separate legal battle. Families holding unpaid terrorism judgments against North Korea have filed claims seeking control of the assets. As a result, the U.S. District Court for the Southern District of New York issued a restraining order that prevents Arbitrum DAO from moving the funds while the case proceeds.
The dispute has added another layer of uncertainty to recovery efforts, even as most of the remaining stolen funds have already disappeared through laundering channels.
Hacker used multiple privacy tools
The hacker began moving the stolen cryptocurrency on April 21, a day after Arbitrum froze more than $71 million linked to the exploit. According to Arkham Intelligence, the attacker transferred 75,701 ETH, worth about $175 million at the time, into three newly created wallets. The moves marked the start of a large-scale laundering effort that would eventually place most of the remaining funds beyond investigators’ reach.
Investigators traced the stolen funds as they moved through a series of privacy-focused crypto services. On-chain researcher ZachXBT first identified transfers through THORChain and Umbra. Further analysis showed the funds later passed through Wasabi CoinJoin, Tornado Cash, and several cross-chain routes designed to make tracking more difficult.
Security firm PeckShield estimates that roughly $176 million moved through those channels. As the money spread across multiple platforms and networks, the trail became increasingly difficult to follow. That left investigators with limited visibility into a large share of the stolen assets and further reduced the chances of recovery.
DPRK hackers remain a growing threat
The Kelp DAO exploit is part of a broader pattern of increasingly sophisticated attacks linked to North Korean cyber groups. In its incident report, LayerZero attributed the breach to TraderTraitor, an operation associated with the Lazarus Group. The same organization has also been linked to the separate $285 million attack on Drift Protocol, underscoring the growing scale of state-backed crypto crime.
The case adds to a year that has already seen North Korean actors dominate cryptocurrency thefts. Blockchain investigators at TRM Labs estimate the groups account for more than 76% of crypto-related losses in 2025. Chainalysis separately estimates that North Korea-linked hackers have stolen more than $2 billion worth of digital assets this year alone.
Although hopes of recovering most of the stolen funds have faded, Kelp DAO has completed much of its user recovery program. Through the DeFi United initiative, the project and its partners returned about 116,000 rsETH to affected users and restored normal platform operations. Aave also absorbed a large share of the bad debt left behind by the attack, helping limit the impact on the broader ecosystem.
The incident comes as overall crypto losses declined sharply in May. According to CertiK, hackers and exploits accounted for $68.3 million in losses during the month, down from $650 million in April. Even so, the Kelp DAO breach remains one of the largest crypto thefts of the year.
