Kelp DAO Hacker Launders Most of $220M as Recovery Window Shrinks
The Kelp DAO hacker has nearly finished laundering roughly $220 million in stolen funds, leaving only about $1.7 million in the original wallet and narrowing the recovery window to the roughly $71 million Arbitrum previously froze[1][2]. The episode matters now because it underscores how quickly forensic tracing can lose practical value once funds move through cross-chain routes and privacy tools[1][2][4].
Overview
- The April Kelp DAO exploit drained about $292 million in total, and investigators say most of the unfrozen proceeds have now been moved beyond easy recovery[1][2].
- About $71 million in ETH remains frozen by the Arbitrum Security Council, making it the only large pool still plausibly recoverable[1][2][4].
- On-chain tracking shows the attacker used THORChain, Wasabi CoinJoin, Tornado Cash and Umbra, which sharply reduced traceability[1][2][4].
- Reports link the incident to TraderTraitor/UNC4899, the North Korea-associated cluster also referenced in prior blockchain investigations[1][4].
- The case highlights a narrow point: emergency freezes can work inside a governed ecosystem, but they do not reach funds once they are bridged, mixed or dispersed[3][5].
Subscribe to our Social Media for Exclusive Crypto News and Insights 24/7!
Kelp DAO hacker’s laundering run leaves little to recover
Huo Xing Finance, as relayed by KuCoin and other crypto outlets, said that by June 2 nearly all of the approximately $220 million in unfrozen stolen assets had been laundered[1]. The same reporting said only about $1.7 million remained in the attacker’s original address, while the frozen $71 million sat outside the laundering path[1][2].
That distinction matters. The remaining frozen funds are the only material assets still visible to recovery efforts, and even those are now entangled in legal claims in the U.S. according to the reports[1][4]. In practice, that leaves investigators with a much smaller target and far less time.
How the Kelp DAO hacker moved the funds
The reported sequence was simple in outline and difficult in execution: large amounts of ETH were split across fresh wallets, bridged across chains, and passed through mixers and privacy services[1][2]. Sources said the attacker moved about 75,701 ETH, worth roughly $175 million at the time, shortly after the exploit, then routed funds through tools including THORChain and Wasabi before continuing into Tornado Cash and Umbra[1][2].
| Stage | Verified data | Direct implication |
|---|---|---|
| Initial exploit | About $292M stolen in April | Large pool of assets entered the recovery pipeline[1][2] |
| Frozen portion | About $71M frozen on Arbitrum | Only a minority remained within immediate reach[1][2][4] |
| Laundered portion | About $220M moved through privacy tools | Most unfrozen funds became difficult to trace[1][2][4] |
| Residual wallet balance | About $1.7M left in original address | Recovery odds on the main wallet are now minimal[1][2] |
Forensic work hit the limits of enforcement
The forensic-to-action gap is now visible in the record. Investigators were able to identify the movement of funds, but the reported trail shows that tracing alone did not translate into asset seizure once the attacker had shifted money across networks and mixers[1][3][5].
Arbitrum’s freeze demonstrates the other side of that equation. Emergency intervention can still work when assets remain inside a controlled environment, but the same reports note that this authority stops at the boundary of the ecosystem and cannot reverse transfers that have already crossed into other chains or privacy layers[3][5]. That is the practical limit now facing the Kelp DAO recovery effort.
| Recovery channel | Status | Limitation |
|---|---|---|
| Arbitrum freeze | About $71M secured | Bound to assets still within the governed chain[1][3][4] |
| Original exploiter wallet | About $1.7M remaining | Too small to change the overall recovery profile[1][2] |
| Traced laundered funds | About $220M moved | Privacy tools and cross-chain hops degraded traceability[1][2][4] |
Why the Kelp DAO hacker case matters for crypto crime
Market participants view the case as another reminder that DeFi security is no longer only a smart-contract issue; it is also a cross-chain and compliance problem[3][5]. Once stolen assets move quickly through mixers and bridges, recovery depends less on forensic visibility and more on whether an exchange, bridge or jurisdiction can still intercept the flow[1][4][5].
The downside scenario is straightforward: if the frozen $71 million is tied up in litigation or challenged in court, the final recovery for victims could remain limited even after the attack has been fully traced[1][4]. The uncertainty is whether any additional assets can still be identified before they are converted, broken apart further or moved into jurisdictions that are harder to reach[1][5].
For Kelp DAO, the immediate lesson is not just the size of the loss. It is that in crypto crime, tracing a theft and recovering it are increasingly separate tasks, and in this case the gap between the two appears to have widened dramatically[1][3][5].
- https://www.kucoin.com/news/flash/kelp-dao-hackers-complete-money-laundering-of-220m-most-funds-untraceable
- https://www.cryptotimes.io/2026/06/02/kelp-dao-hacker-finishes-laundering-220m-only-1-7m-left-in-main-wallet/
- https://www.pulsechain.nexus/kelp-dao-exploit-220m-laundered-highlighting-limits-of-centralised-intervention/
- https://whale-alert.io/stories/abbc0126334279/Kelp-DAO-bridge-exploiter-launders-nearly-all-of-the-220-million-in-stolen-funds-as-recovery-window-closes
- https://globegain.com/news/recovery-hopes-fade-as-kelp-dao-hacker-launders-nearly-all-220m-in-stolen-funds
