Key Takeaways
- TraderTraitor, a North Korean hacking collective, successfully laundered approximately $220M in unfrozen cryptocurrency stolen during the April 2026 Kelp DAO breach
- Blockchain analysis reveals merely $1.7M remains identifiable in the hackers’ initial wallet addresses
- The laundering operation utilized THORChain, Wasabi CoinJoin, Tornado Cash, and Umbra protocols
- An additional $71M frozen by Arbitrum’s Security Council is subject to ongoing litigation
- Following the incident, Kelp DAO compensated users and transitioned to Chainlink CCIP infrastructure
Cybercriminals associated with North Korea’s TraderTraitor operation have laundered the vast majority of the $220 million in unfrozen cryptocurrency stolen from Kelp DAO during an April 2026 security breach. According to blockchain intelligence firm Arkham Intelligence, only $1.7 million can still be traced to the attackers’ original wallet addresses.
The security compromise took place on April 18, 2026, when malicious actors extracted 116,500 rsETH tokens by exploiting a weakness in Kelp DAO’s LayerZero bridge configuration. Combined losses totaled approximately $292–$293 million, contributing to April’s overall crypto theft figure of $630 million.
The money laundering process unfolded across two primary phases. Initially, the perpetrators converted stolen funds to Bitcoin via the Wasabi CoinJoin anonymization service, subsequently moving them back to Ethereum before channeling them through Tornado Cash. THORChain experienced abnormally elevated transaction volumes throughout the laundering operation.
Attackers additionally leveraged Umbra, a privacy-oriented payment infrastructure. The strategic blend of Bitcoin tumbling services and Ethereum anonymization platforms created substantial obstacles for forensic analysts attempting to trace the stolen assets.
Tracking the Movement of Stolen Assets
Blockchain forensics indicate the perpetrators transferred over 75,000 ETH into freshly generated wallet addresses immediately following the security breach. Subsequently, these funds were fragmented and distributed across numerous blockchain networks and privacy-enhancing services.
Cybersecurity researchers attributed the attack to TraderTraitor, alternatively identified as UNC4899. This North Korean state-sponsored threat actor has been implicated in multiple significant cryptocurrency thefts over recent years.
LayerZero issued a statement on April 20 clarifying that the vulnerability originated from Kelp DAO’s specific implementation. The protocol had configured a single LayerZero DVN as its exclusive verification pathway, contradicting established security recommendations.
The complete laundering operation concluded within approximately six weeks. Security analysts now assert that the opportunity for recovering the unfrozen assets has essentially expired.
Legal Battle Over $71M in Frozen Assets
Arbitrum’s Security Council successfully froze roughly $71 million in ETH on April 21. Both a United States judicial order and a governance vote authorized transferring these assets to an Aave-managed multi-signature wallet designated for rsETH restitution efforts.
Nevertheless, families holding terrorism-related judgments against North Korea have submitted competing claims on these frozen assets. A judicial hearing regarding asset ownership was scheduled for Friday in a New York courthouse.
The resolution of this legal dispute remains uncertain. The frozen $71 million currently represents the sole viable avenue for direct fund recovery.
Cryptocurrency theft losses fell sharply in May to $68.3 million, nearly a 90% reduction from April, based on CertiK data. Approximately $9.4 million was recovered or voluntarily returned throughout May.
Notwithstanding this decrease, the Kelp DAO incident sparked widespread apprehension throughout the DeFi ecosystem. Within three weeks following the exploit, both Solv Protocol and Tydro migrated their infrastructure to Chainlink CCIP. Kelp DAO similarly transitioned its rsETH bridging architecture to Chainlink CCIP, abandoning LayerZero.
Kelp DAO concluded its user compensation initiative. The final distribution of 20,373.7 rsETH tokens was sent to the LayerZero smart contract as the last part of a five-week restitution program, according to Cointelegraph’s coverage.
The stolen cryptocurrency itself, however, has largely vanished into a sophisticated cross-chain laundering infrastructure that investigators characterize as exceptionally challenging to penetrate.


