
Kelp DAO Hacker Launders $220M in Six Weeks, Closing Recovery Window

Published: Jun 2, 2026 by SpendNode Editorial

Key Analysis

The Kelp DAO exploiter has laundered nearly all of the unfrozen $220M from April's $293M rsETH drain, leaving only the $71M frozen by Arbitrum recoverable.


The attacker behind April's Kelp DAO exploit has laundered nearly all of the funds that were not frozen, according to on-chain tracking reported by WuBlockchain and Cointelegraph on June 2, 2026. Blockchain intelligence firm Arkham now traces only about $1.7 million still parked in the original exploiter wallet, down from a haul of roughly $293 million stolen on April 18. In practical terms, the unfrozen portion is gone.

The drain ranks as the largest DeFi theft of 2026 so far. Of the total stolen, roughly $220 million sat outside any freeze and was movable. The hacker cleared almost all of it in about six weeks, a pace that left recovery teams chasing transactions through privacy infrastructure built specifically to break the chain of custody.

The path the money took

The laundering ran in two layers. Ether was converted into bitcoin and pushed through a CoinJoin mixer (Wasabi), which combines many users' coins in a single transaction so that no particular output can be tied to a particular input. The funds were then routed back to Ethereum through Tornado Cash, the mixing protocol OFAC sanctioned in 2022 and delisted in 2025, which severs the on-chain link between a deposit address and the address that later withdraws. Security analysts who tracked the early waves, including PeckShield and Cyvers, estimated that a large share of the pile also passed through THORChain, a cross-chain swap network that has repeatedly shown up in post-hack laundering because it requires neither accounts nor identity checks, so there is no intermediary to serve with a freeze request.

Each hop strips a little more traceability. Before a mixer, an investigator can follow specific tainted value from address to address; after one, the best available tool is statistical clustering of withdrawals, which supports attribution but not a court order over identifiable assets. By the time funds emerge from a mixer and cross a chain boundary, asset-by-asset recovery is no longer realistic. That is the difference between this case and an exploit where funds sit in a single identifiable wallet waiting on a negotiation or a freeze.

Attribution points to state actors

LayerZero's May 18 incident report attributed the attack to the DPRK-linked actor tracked as TraderTraitor, also catalogued as UNC4899 and grouped under the broader Lazarus umbrella. North Korean operators are the most prolific thieves in crypto, and their playbook is consistent: hit a high-value target, fragment the proceeds, and run them through mixers and cross-chain bridges faster than investigators and exchanges can react. The six-week clearance here fits that pattern almost exactly.

State attribution matters for one practical reason. When a sanctioned entity is the suspected beneficiary, every centralized exchange and custodian that touches the funds faces compliance exposure, which is part of why the laundering leaned so heavily on permissionless rails rather than KYC venues.

The frozen tranche is all that's recoverable

Not everything moved. Arbitrum's Security Council froze roughly $71 million in ether in late April, acting through the chain's governance powers before the attacker could push that slice through the mixers. That frozen tranche is now the only materially recoverable part of the haul. Recovery would still depend on governance decisions and legal process rather than a simple clawback, but the assets at least remain in place and identifiable.

The contrast is stark. The portion that got out, about $220 million, is effectively unrecoverable through on-chain means. The portion that was frozen within days, about $71 million, is the only realistic candidate for return. Speed of the freeze, not the size of the bounty offer, decided the outcome.
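The two points above, that tracing ends at the first mixer hop and that the freeze window closes day by day, can be made concrete with a small taint tracer. The following Python is an added illustration written for this article, not code from Arkham, PeckShield or any tracing vendor. The addresses, amounts and the set of "untraceable" destinations are constructed sample data in arbitrary units; real tracers load mixer and bridge labels from a curated intelligence feed and usually offer several taint models (full taint, haircut, FIFO) rather than the single conservative one used here.

```python
"""Taint tracing over a constructed transfer ledger (added illustration).

Follows stolen value hop by hop, treats arrival at a mixer or a no-KYC
cross-chain swap as the point where per-asset tracing ends, and reports how
much was still sitting at freezable addresses at the end of a given day.
All addresses, amounts and labels below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed labels: destinations where the deposit/withdrawal link breaks.
# A production tracer would load these from an address-intelligence feed.
UNTRACEABLE = {"wasabi_coinjoin", "tornado_cash", "thorchain_router"}

# Constructed ledger: (day, tx_id, sender, receiver, amount), chronological.
LEDGER = [
    (0, "t1", "exploiter", "hop_a", 200.0),
    (0, "t2", "exploiter", "hop_b", 150.0),
    (2, "t3", "hop_a", "wasabi_coinjoin", 200.0),    # CoinJoin entry
    (5, "t4", "hop_b", "thorchain_router", 150.0),   # cross-chain swap
    (5, "t5", "exploiter", "hop_c", 100.0),
    (9, "t6", "hop_c", "tornado_cash", 100.0),       # mixer deposit
]


@dataclass
class TraceResult:
    held: dict = field(default_factory=dict)         # address -> tainted value still traceable
    lost_by_hop: dict = field(default_factory=dict)  # untraceable destination -> value that entered it

    @property
    def traceable_total(self) -> float:
        return sum(self.held.values())

    @property
    def lost_total(self) -> float:
        return sum(self.lost_by_hop.values())


def trace(origin, amount, ledger, untraceable, up_to_day=None) -> TraceResult:
    """Full-taint ("poison") propagation, applied to transfers up to and
    including up_to_day (all of them when None).

    Every unit leaving a tainted address counts as stolen, capped by the taint
    that address currently holds. This is a deliberately conservative model
    (assumption: no haircut or FIFO apportioning of mixed-in clean funds).
    """
    tainted = defaultdict(float, {origin: amount})
    lost = defaultdict(float)
    # Sort by day only; Python's sort is stable, so same-day order is kept.
    for day, _tx, src, dst, value in sorted(ledger, key=lambda t: t[0]):
        if up_to_day is not None and day > up_to_day:
            break
        moved = min(value, tainted[src])
        if moved <= 0:
            continue  # sender holds no taint: nothing to follow
        tainted[src] -= moved
        if dst in untraceable:
            lost[dst] += moved  # link severed: recovery now needs the mixer, not the chain
        else:
            tainted[dst] += moved
    return TraceResult(
        held={a: v for a, v in tainted.items() if v > 0},
        lost_by_hop=dict(lost),
    )


def freeze_window(origin, amount, ledger, untraceable):
    """Traceable (and therefore freezable) value left at the end of each day
    on which a transfer occurred; shows the recovery window closing."""
    days = sorted({t[0] for t in ledger})
    return [
        (d, trace(origin, amount, ledger, untraceable, up_to_day=d).traceable_total)
        for d in days
    ]


if __name__ == "__main__":
    for day, left in freeze_window("exploiter", 500.0, LEDGER, UNTRACEABLE):
        print(f"day {day:>2}: {left:6.1f} still at freezable addresses")
    final = trace("exploiter", 500.0, LEDGER, UNTRACEABLE)
    print("tracing severed at:", final.lost_by_hop)
    print("still identifiable:", final.held)
```

Run as a script, the freeze-window table drops from the full 500 units on day 0 to 50 by day 9, while `lost_by_hop` attributes the missing 450 to the three hops where the trail went dark. The design choice worth noting is that funds are recorded as lost at the moment they enter a mixer or account-free swap, not when they leave it: that is the last point at which a freeze request can name a specific address and amount, which is exactly the window the Arbitrum Security Council used and the attacker here otherwise denied.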

The lesson for anyone holding pooled funds

This episode is a clean illustration of smart-contract and counterparty risk. Kelp DAO users did not lose funds because they made a bad trade; they lost their positions because a protocol holding pooled assets was drained and the proceeds were laundered before they could be clawed back. That risk applies to any service that takes custody of user funds, from lending protocols to exchanges to card programs that hold balances on your behalf.

It is the core argument for keeping assets in a wallet you control whenever the use case allows. Self-custody does not make you immune to phishing or signing mistakes, but it removes the single-point-of-failure problem where one contract exploit can wipe out a shared pool. For pooled products, the practical defense is governance that can act in hours, not days, which is exactly what spared the Arbitrum-frozen tranche here.

The broader backdrop has not helped sentiment. Bitcoin traded around $70,665 on June 2, 2026, down 3.9% on the day, with the Fear and Greed index at 32, in fear territory. Hacks of this scale do not move the whole market, but they keep the security question front of mind during a risk-off stretch.

Overview

The Kelp DAO attacker has laundered close to all of the roughly $220 million in unfrozen funds from April's $293 million exploit, leaving about $1.7 million traceable per Arkham. Funds moved through a Bitcoin CoinJoin mixer and Tornado Cash, with cross-chain swaps via THORChain, and LayerZero attributed the attack to the DPRK-linked TraderTraitor group. Only the roughly $71 million frozen by Arbitrum's Security Council in late April has a real chance of recovery. The case shows that a fast freeze, not a slow negotiation, is what saves funds once state-grade launderers are involved.

Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.
