Key Takeaways:
- Hacker laundered about $220M of stolen rsETH via Wasabi and Tornado Cash
- Only $1.7 million remains traceable in the exploiter's wallet
- $71M frozen by Arbitrum Security Council remains tied up in court
Back
Kelp DAO hacker launders $220M as recovery hopes fade after exploit
The Kelp DAO exploiter laundered about $220 million of stolen funds in six weeks, leaving just $1.7 million traceable in the hacker-tagged wallet, according to Arkham Intelligence data.
"The funds were bridged to Bitcoin using Wasabi mixer, then returned to Ethereum and cycled through Tornado Cash," Specter, an on-chain analyst, said.
The malicious actor drained 116,500 Kelp DAO restaked Ether, or rsETH, on April 18, pushing total crypto hack losses for that month to $630 million, according to security platform CertiK. An additional $71 million — 30,765.67 ETH — was frozen by Arbitrum's Security Council three days later and is now the subject of a federal restraining notice in New York, with a hearing scheduled for Friday.
The successful laundering of nearly all unfrozen funds significantly reduces the likelihood of victim recovery and has prompted at least three DeFi protocols — Solv Protocol, Tydro and Kelp DAO itself — to migrate from LayerZero to Chainlink's Cross-Chain Interoperability Protocol, citing weaknesses in cross-chain bridge security.
The laundering operation used a two-layer approach: bridging the stolen rsETH to Bitcoin via the Wasabi crypto mixer, then returning to Ethereum before withdrawing and depositing through Tornado Cash, according to Specter's on-chain analysis. The activity may effectively end any chance of recovering the remaining unfrozen funds.
The broader DeFi sector saw exploit losses fall to $68.3 million in May, a near 90% decline from April's $630 million, according to CertiK. About $2.6 million was attributed to phishing attacks, while $9.4 million was successfully recovered or returned. Still, the Kelp DAO incident triggered wider concerns about cross-chain security.
Kelp DAO completed its five-week recovery effort on May 26, sending the final tranche of 20,373.7 rsETH tokens to the LayerZero smart contract responsible for cross-chain transfers. The protocol has since migrated its rsETH token to Chainlink CCIP, moving away from the LayerZero-powered bridge it blamed for the exploit. LayerZero countered that the incident resulted from a single point of failure in Kelp DAO's implementation, which relied on a single LayerZero DVN as the only verified path despite prior warnings.
The $71 million frozen by Arbitrum's Security Council remains unresolved. A federal court modified a restraining notice on May 8 to permit an on-chain Arbitrum governance vote and transfer of the immobilized ETH to an Aave LLC-controlled address, but the substantive merits of the restraining notice remain under consideration. The outcome could set a precedent for how recovered crypto assets are treated when they intersect with U.S. federal litigation.
This article is for informational purposes only and does not constitute investment advice.
[1] Kelp DAO Recovery Hopes Fade as Hacker Launders About $220 Million[2] Recovery hopes fade as Kelp DAO hacker launders nearly all $220M in stolen funds[3] Recovery hopes fade as Kelp DAO hacker launders nearly all $220M in stolen funds - Bitget[4] Aave Restores rsETH Backing in Full, but $71M Court Battle Drags On - The Crypto Times
