Kelp DAO Hacker Has Laundered Nearly All $220M in Unfrozen Funds, Closing the Recovery Window
The Kelp DAO bridge hacker has laundered nearly all of the roughly $220 million in unfrozen funds left from April’s $292 million LayerZero exploit, with on-chain analysts at Arkham Intelligence tracking only about $1.7 million still parked in the original exploiter wallet.
The drain through privacy rails ends the practical chance of asset-by-asset recovery on the unfrozen portion of the haul, leaving only the $71 million in ether frozen by Arbitrum’s Security Council on April 20 as the materially recoverable slice. The protocol-level resolution — Kelp’s migration of rsETH bridging to Chainlink CCIP and its DeFi United plan that restored roughly 116,000 rsETH to users — happened in parallel; what is closing now is the asset-tracing arc.
LayerZero’s May 18 incident report, co-prepared with Mandiant, CrowdStrike and zeroShadow, attributed the attack to DPRK actor TraderTraitor — also tracked as UNC4899 and part of the broader Lazarus Group — the same crew tied to the parallel $285 million Drift heist the same week.
How the Funds Moved
The laundering cascade began on April 21, the day after Arbitrum’s freeze, when the exploiter wallet pushed 75,701 ETH worth about $175 million across three transactions into freshly created Ethereum addresses — 50,700 ETH into two new wallets and 25,000 ETH into a third, per Arkham’s tracking.
From there the funds entered a multi-layer privacy stack. On-chain investigator ZachXBT flagged the first cross-chain laundering moves the same day — three THORChain transactions totaling about $1.5 million and a $78,000 transfer through Umbra, the Ethereum privacy protocol. The flow grew quickly enough to push THORChain’s 24-hour swap volume to $394 million, more than ten times its normal daily activity.
The full pattern, as reconstructed by on-chain analyst Specter, was a two-layer cycle: ether bridged to Bitcoin via the Wasabi CoinJoin mixer, then routed back to Ethereum through Tornado Cash deposit-and-withdraw rounds. Security firms PeckShield and Cyvers estimated about $176 million of the stolen pile moved through the THORChain-Umbra-BitTorrent corridor in the first wave.
The exploiter’s initial gas was itself pre-funded via Tornado Cash roughly ten hours before the bridge drain — Cyvers flagged the deposit at the time as a signature TraderTraitor setup.
What Kelp DAO Can Still Reach
The $71 million Arbitrum freeze remains the only sizable chunk of the original $292 million within reach of any recovery process, and it is contested. The U.S. District Court for the Southern District of New York issued a restraining order on May 1 barring Arbitrum DAO from moving the same 30,766 ETH, after families holding three unpaid terrorism judgments against North Korea — totaling more than $877 million — filed for forfeiture against the frozen pile.
User-level remediation has already been handled separately. Kelp reopened full rsETH functionality in late May after the DeFi United consortium — covering Aave, Karak, EigenLayer, and Kelp itself — closed out the rsETH restoration program. The roughly $190 million in bad debt the attacker piled onto Aave by depositing stolen rsETH as collateral was absorbed largely through the Aave safety module.
What that leaves is the prospect of working the laundering trail itself. Chainalysis has tied DPRK-linked actors to $2.02 billion of crypto thefts in 2025 alone, taking the cumulative haul to $6.75 billion; recovery for the Kelp $220 million now depends on the same enforcement posture the Treasury runs against IRGC-Qods Force Tron wallets and that Tether has applied through coordinated USDT freezes — not on tracing wallets back to a custodian.
The Kelp arc began as a bridge configuration failure documented in LayerZero’s post-mortem, which pushed the LayerZero default to a 3-of-3 DVN setup. It now ends with the funds gone.
