North Korean Hackers Launder $220M from Kelp DAO Bridge Exploit

Hackers linked to North Korea's TraderTraitor group have laundered nearly all of the $220 million in unfrozen funds stolen during the Kelp DAO bridge exploit in April 2026, effectively ending direct recovery efforts. The attackers moved the assets through a complex network including THORChain, Wasabi CoinJoin, Tornado Cash, and Umbra, leaving only approximately $1.7 million traceable in the original wallets, according to on-chain analysts. The laundering operation followed the exploitation of a LayerZero bridge vulnerability, in which roughly $292 million was stolen; Arbitrum's Security Council froze $71 million worth of ETH, while the other $220 million stayed accessible to the attackers. The sophisticated fund movement demonstrates the increasing capabilities of state-backed threat actors in navigating multiple blockchain networks and privacy protocols. The incident highlights ongoing bridge security vulnerabilities as the crypto industry faces a wave of major cross-chain infrastructure attacks.

TraderTraitor Group Laundered $220M Through Multi-Chain Privacy Networks

The Kelp DAO exploit occurred in April 2026 and resulted in roughly $292 million being stolen through a LayerZero bridge vulnerability. Following the attack, Arbitrum's Security Council froze approximately $71 million worth of ETH, but the other $220 million stayed accessible to the attackers.

According to reports from Arkham Intelligence and other blockchain investigators, the hackers moved the funds through a complex laundering network that included THORChain, Wasabi CoinJoin, Tornado Cash, and Umbra. Investigators now estimate that only $1.7 million remains in the original wallets.

On-chain data shows the attackers transferred more than 75,000 ETH into newly created wallets. From there, the funds moved through multiple privacy-focused platforms and cross-chain services. Analysts said the operation combined Bitcoin mixing services with Ethereum privacy tools, making transaction tracking significantly more difficult.

The use of THORChain attracted particular attention, as the protocol reportedly processed unusually high volumes as the stolen assets moved across chains. Security researchers linked the attack to TraderTraitor, a North Korean cyber group also known as UNC4899. The group has previously been associated with several major crypto thefts.

Arbitrum's Frozen $71M Is Tied Up in Legal Proceedings

The frozen funds remain a potential source of recovery. The Arbitrum freeze locked roughly $71 million in ETH shortly after the attack. However, those assets are now tied up in ongoing legal proceedings.

Families holding terrorism judgments against North Korea have filed claims related to the frozen funds. As a result, the final outcome remains uncertain.

Kelp DAO Completed User Remediation and Migrated to Chainlink CCIP

Kelp DAO completed its user remediation process following the exploit. The protocol migrated rsETH bridging operations to Chainlink CCIP and worked with industry partners to restore affected users.

The incident carries important lessons for both developers and investors. Over the past several months, the crypto industry has experienced a wave of major attacks targeting bridges, infrastructure providers, and DeFi protocols. Incidents involving Radiant, Wormhole, and Kelp DAO have exposed critical security weaknesses.

For developers, the attack reinforces the need for stronger bridge security, multi-layer validation systems, and improved monitoring tools. For investors, the exploit highlights the growing risks associated with cross-chain infrastructure.

The growing involvement of state-sponsored groups also raises concerns about future recovery efforts. Once stolen assets move through multiple chains and privacy services, recovering funds becomes significantly harder.

FAQ

What happened in the Kelp DAO exploit in April 2026?

The Kelp DAO exploit occurred in April 2026 through a LayerZero bridge vulnerability, resulting in roughly $292 million being stolen. Arbitrum's Security Council froze approximately $71 million worth of ETH, while the other $220 million stayed accessible to the attackers, identified as North Korea's TraderTraitor group (also known as UNC4899).

How did the hackers launder the stolen Kelp DAO funds?

The hackers moved the funds through a complex laundering network including THORChain, Wasabi CoinJoin, Tornado Cash, and Umbra. On-chain data shows the attackers transferred more than 75,000 ETH into newly created wallets and combined Bitcoin mixing services with Ethereum privacy tools. Only approximately $1.7 million remains traceable in the original wallets.

What is the status of the $71 million frozen by Arbitrum?

The $71 million in ETH frozen by Arbitrum's Security Council shortly after the attack remains tied up in ongoing legal proceedings. Families holding terrorism judgments against North Korea have filed claims related to the frozen funds, and the final outcome remains uncertain.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.