The entity responsible for the $293 million security breach against the decentralized protocol Kelp DAO laundered $220 million of the stolen funds over a six-week period. The operation aimed to obscure the trail of the crypto assets on the blockchain and reduced the identifiable balance in the attacker’s primary address to just $1.7 million.
Blockchain intelligence platform Arkham documented the continuous outflow from the tagged wallet, confirming the near-total drain of funds that network authorities had not intervened to stop. The public tracking records for the entity show the progressive dispersion of the assets towards platforms designed to break the link between sender and receiver.
The original security incident occurred on April 18, when the malicious actor managed to extract 116,500 rsETH tokens, the native liquid restaking asset of the Kelp DAO ecosystem. This liquidity theft represented the largest security breach of the period, pushing the total losses attributed to attacks in the cryptocurrency sector to $630 million during the month of April alone. The extraction exposed critical vulnerabilities in the cross-chain communication architecture that the protocol used to manage the deposits and withdrawals of its institutional and retail users.
To launder the funds, the attacker used a two-layer method based on cross-chain bridges and privacy protocols. In the first phase, the assets were transferred to the Bitcoin network and mixed using the Wasabi Wallet mixer.
A month after the KelpDAO incident, DPRK has successfully laundered the stolen funds, with just over $1M remaining.
The funds were laundered in two layers: first by bridging to Bitcoin and mixing through Wasabi mixer, and then by returning to Ethereum, withdrawing, and… https://t.co/rgv8swrM5b
— Specter (@SpecterAnalyst) June 1, 2026
Subsequently, the liquidity returned to the Ethereum blockchain to be deposited and withdrawn through the Tornado Cash smart contract, according to the transaction flow analysis published by on-chain research firm Specter. The combination of these two obfuscation systems minimizes the technical probability of recovering the missing capital.
In response to the capital movement, the Security Council of the Arbitrum layer-2 network intervened on April 21 and managed to freeze $71 million in transit. Following the retention of these funds, a decentralized governance process was executed, backed by a court order issued in the United States. Arbitrum’s administrative resolution authorized the transfer of the immobilized assets to a multi-signature wallet managed by the Aave organization. This technical intervention at the network level sought to release the frozen assets to facilitate restitution efforts for the liquidity providers affected by the exploited smart contract.
Kelp DAO completed the restoration of its rsETH token following a five-week operational process. The final phase of this technical recovery involved sending 20,373.7 rsETH tokens to the smart contract operated by the LayerZero infrastructure. This technical component is responsible for locking, minting, burning, and releasing the tokens during transfers between different blockchains. The restoration of operability allowed users to interact with the ecosystem again, albeit under new security conditions.
The magnitude of the Kelp DAO attack had a ripple effect on the security design of other decentralized finance (DeFi) platforms. In the three weeks following the exploit, entities such as Solv Protocol and the liquidity protocol Tydro modified their data transmission architecture and integrated new oracles, migrating to the Cross-Chain Interoperability Protocol (CCIP) developed by Chainlink. The Kelp DAO team itself abandoned its previous cross-chain bridge configuration to adopt Chainlink’s validation infrastructure for the management of its rsETH token.
Regarding the technical responsibility for the event, development firm LayerZero issued a statement on April 20 clarifying the attack vectors. The company indicated that the exploit originated from a single point of failure in the specific implementation designed by Kelp DAO. The affected protocol relied on a single Decentralized Verifier Network (DVN) as the exclusive route for validating cross-chain transactions, ignoring previous technical guidelines that advised against using that configuration without secondary verification networks.
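The single-DVN weakness described above can be caught with a configuration audit. The following is an added example, not code from LayerZero or Kelp DAO: the field names and the sentinel values (0 for "inherit the default", 255 for "explicitly none") are assumptions modelled on a ULN-style verifier configuration, and the addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

INHERIT, NIL = 0, 255  # assumed sentinels: 0 = inherit default, 255 = explicitly none

@dataclass
class UlnConfig:  # field names are assumptions modelled on a ULN-style config
    required_dvn_count: int = INHERIT
    optional_dvn_count: int = INHERIT
    optional_dvn_threshold: int = 0
    required_dvns: list = field(default_factory=list)
    optional_dvns: list = field(default_factory=list)

def resolve(cfg, default):
    """Apply inheritance; return (required set, optional set, threshold)."""
    req = {INHERIT: default.required_dvns, NIL: []}.get(cfg.required_dvn_count, cfg.required_dvns)
    if cfg.optional_dvn_count == INHERIT:
        opt, thr = default.optional_dvns, default.optional_dvn_threshold
    elif cfg.optional_dvn_count == NIL:
        opt, thr = [], 0
    else:
        opt, thr = cfg.optional_dvns, cfg.optional_dvn_threshold
    return {a.lower() for a in req}, {a.lower() for a in opt}, thr

def audit(cfg, default):
    """Return (quorum, findings); quorum = distinct DVNs that must all sign off."""
    req, opt, thr = resolve(cfg, default)
    findings = []
    if thr > len(opt):
        findings.append("optional threshold exceeds optional DVN list")
    overlap = req & opt
    if overlap:
        findings.append("DVN listed as both required and optional")
    # A required DVN that also fills an optional slot adds no independent check.
    quorum = len(req) + max(0, thr - len(overlap))
    if quorum == 0:
        findings.append("no verifier required")
    elif quorum == 1:
        findings.append("single point of failure: one DVN validates every message")
    return quorum, findings

# Constructed sample configurations; the addresses are placeholders.
SAMPLE_DEFAULT = UlnConfig(2, NIL, 0, ["0xDVN_A", "0xDVN_B"])
SINGLE_DVN = UlnConfig(1, NIL, 0, ["0xDVN_A"])
HARDENED = UlnConfig(2, 2, 1, ["0xDVN_A", "0xDVN_B"], ["0xDVN_C", "0xDVN_D"])
SHADOWED = UlnConfig(1, 1, 1, ["0xDVN_A"], ["0xdvn_a"])  # same DVN counted twice

if __name__ == "__main__":
    for name in ("SINGLE_DVN", "HARDENED", "SHADOWED"):
        print(name, audit(globals()[name], SAMPLE_DEFAULT))
```

The `SHADOWED` case shows why counting list entries is not enough: a configuration can list two verifier slots and still depend on one operator.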
The broader security landscape in the ecosystem experienced a shift in the month following the incident. According to consolidated data from the auditing platform CertiK, losses from vulnerabilities in cryptocurrency protocols dropped to $68.3 million during May.
This volume represented a 90 percent decrease compared to the April records. Within the capital compromised in May, $2.6 million corresponded to phishing vectors, while security teams managed to recover or process the return of $9.4 million tied to various minor incidents. The legal process that will define the final ownership and distribution of the $71 million frozen on the Arbitrum network will continue with a hearing scheduled for this Friday in a New York court.

