Editor's Note: On April 18, Kelp DAO was attacked, with approximately $292 million in assets stolen. How, then, did this money gradually get "cleaned" into liquid assets within a fully transparent on-chain system?
This article uses this incident as a lens to dissect a highly industrialized cryptocurrency money laundering pathway: from anonymous infrastructure preparation prior to the attack, to using Tornado Cash to sever on-chain connections; from leveraging Aave and Compound to collateralize "toxic assets" and extract clean liquidity, to exponentially increasing traceability difficulty through THORChain, cross-chain bridges, and UTXO structures, ultimately funneling into the USDT ecosystem on Tron and converting it into real-world cash via over-the-counter networks.
Throughout this process, there are no complex black-box operations; nearly every step follows established rules. It is precisely for this reason that the path revealed does not point to a single vulnerability, but rather to the structural tension within the DeFi system under its principles of openness, composability, and censorship-resistance—when the protocol design itself permits these actions, "recovering funds" ceases to be a technical issue and becomes a question of system boundaries.
The Kelp DAO incident was therefore not just a security breach, but more like a stress test of the underlying logic of the crypto world: it demonstrated how hackers can turn your money into theirs, and why it is so fundamentally difficult for this system to prevent such a process from occurring.
As you know, on April 18, a North Korean hacker stole $292 million from Kelp DAO. Five days later, more than half of it had vanished, fragmented across thousands of wallets, exchanged through non-pausable protocols, and ultimately routed to a very specific destination.

The interesting part is how $292 million in verifiably stolen crypto assets were turned into cash in Pyongyang’s pockets, with no one able to stop it.
The purpose of this article is to reveal how the modern crypto money laundering process operates, why it is structurally impossible to stop, and what is actually purchased with every dollar that is laundered.
Stage 1: Preparation (several hours before the attack)
The attackers did not begin with direct theft. The Lazarus group always starts with infrastructure preparation.
Approximately 10 hours before the attack, eight newly created wallets were pre-funded via Tornado Cash—a mixer that obscures the connection between fund sources and destinations.
Each wallet received 0.1 ETH to cover gas fees for all subsequent operations. Since the funds in these wallets originated from a mixer, they have no exchange KYC records or transaction history, and cannot be linked to any known entity. A clean slate.

Before the attack, the attacker initiated three cross-chain transfers from the Ethereum mainnet to Avalanche and Arbitrum—clearly aiming to pre-fund gas on these two L2s and to test the bridge operations, ensuring that the later large transfers would execute smoothly.

Stage 2: Theft
An independent attack-initiating wallet (0x4966…575e) called the lzReceive function on the LayerZero EndpointV2 contract. Because the validator had been successfully deceived, this call was treated as a legitimate cross-chain message. Kelp’s cross-chain contract, Kelp DAO: RSETH_OFTAdapter (Etherscan address: 0x85d…), subsequently released 116,500 rsETH to 0x8B1.

18% of all circulating rsETH. One function call, gone.
46 minutes later, at 18:21 UTC, Kelp’s emergency multisig paused the protocol. At 18:26 and 18:28 UTC, the attacker attempted two more times using the exact same method, each time trying to steal approximately 40,000 rsETH (about $100 million per transaction). Both attempts were reverted due to Kelp’s timely shutdown. Without this intervention, the total theft could have approached $500 million.

Stage 3: Aave + Compound operations
rsETH is a receipt token whose value drops to zero once Kelp suspends the bridge or blacklists the stolen tokens. The attacker had only minutes to convert it into assets that couldn't be frozen. Kelp suspended operations 46 minutes after the theft—too late.
Selling $292 million in illiquid restaking tokens directly on the open market would crash the price by over 30% within minutes, so he chose not to sell, but instead used DeFi lending protocols as a laundering tool to offload them quickly.
The receiving wallet 0x8B1 distributed the 116,500 stolen rsETH among seven other branch wallets. Each branch wallet then proceeded to Aave and Compound V3, depositing a portion of the rsETH as collateral and borrowing ETH.

The cumulative positions for the 7 branches are as follows:
· Deposited collateral: 89,567 rsETH
· Borrowed: approximately 82,650 WETH + 821 wstETH, totaling around $190 million in clean, liquid Ethereum assets
· The health factor for each branch is set between 1.01 and 1.03—as close to the liquidation threshold (1.0) as the protocol permits, i.e. maximum leverage without being liquidated

The attacker exchanged $292 million worth of tagged, nearly illiquid rsETH for $190 million in ETH. When the rsETH was ultimately marked as nearly worthless—due to Kelp’s cross-chain bridge being insolvent and unable to redeem—depositors in the lending protocol bore the losses.
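The lending step above is easiest to understand with numbers. The following is an added example, not code from the article, from Kelp or from Aave: it models the seven branches' cumulative position using Aave's published definition of the health factor (sum of collateral value times liquidation threshold, divided by debt, liquidatable below 1.0). The 89,567 rsETH collateral figure comes from the article; the rsETH price of 1.05 ETH and the 0.90 liquidation threshold are constructed assumptions, not the live parameters, and the borrowed amount they produce is therefore only roughly in line with the article's figure.

```python
"""Health factor and bad-debt model for a toxic-collateral lending position.

Added example, not code from the article, Kelp or Aave. It uses Aave's
published definition health factor = sum(collateral value * liquidation
threshold) / debt, with liquidation possible once it drops below 1.0.
The rsETH price and liquidation threshold here are constructed assumptions.
"""
from dataclasses import dataclass

LIQUIDATION_HF = 1.0   # a position becomes liquidatable once HF < 1.0


@dataclass(frozen=True)
class Position:
    collateral_units: float        # rsETH supplied
    collateral_price_eth: float    # ETH per rsETH (constructed assumption)
    liquidation_threshold: float   # share of collateral value that may back debt (constructed)
    debt_eth: float                # borrowed, ETH-denominated

    def health_factor(self) -> float:
        if self.debt_eth == 0:
            return float("inf")
        return (self.collateral_units * self.collateral_price_eth
                * self.liquidation_threshold) / self.debt_eth


def max_borrow_for_hf(collateral_units, price_eth, lt, target_hf):
    """Largest debt that still leaves the position at exactly target_hf."""
    return collateral_units * price_eth * lt / target_hf


def bad_debt_after_markdown(position, new_price_eth):
    """Debt not covered by collateral once the collateral is marked at
    new_price_eth (liquidation bonus and fees ignored)."""
    recoverable = position.collateral_units * new_price_eth
    return max(0.0, position.debt_eth - recoverable)


def kelp_branch_scenario(target_hf=1.02, price_eth=1.05, lt=0.90):
    """Seven-branch cumulative collateral from the article, borrowed against
    as far as the target health factor allows."""
    collateral = 89_567.0   # rsETH deposited across the seven branches (article figure)
    debt = max_borrow_for_hf(collateral, price_eth, lt, target_hf)
    pos = Position(collateral, price_eth, lt, debt)
    after_drop = Position(collateral, price_eth * 0.98, lt, debt)
    return {
        "debt_eth": debt,
        "health_factor": pos.health_factor(),
        "hf_after_2pct_price_drop": after_drop.health_factor(),
        "bad_debt_if_collateral_worthless_eth": bad_debt_after_markdown(pos, 0.0),
    }


if __name__ == "__main__":
    for k, v in kelp_branch_scenario().items():
        print(f"{k}: {v:,.4f}")
```

Two things fall out of the model. A health factor of 1.02 means a 2% move in the collateral price already makes the position liquidatable, which is normally the protocol's protection. Liquidation only helps, however, if liquidators can actually sell the seized collateral; once redemption of rsETH was frozen and the token had no market, nothing could be recovered and the full borrowed amount turned into bad debt for the pool's depositors.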
As the market became aware that Aave held over $2 billion in bad debt, users panicked and withdrew their funds. Aave lost $8 billion in TVL (total value locked) within 48 hours. The largest DeFi lending protocol experienced its first true bank run—triggered by an attacker who used the protocol exactly as it was designed.

Stage 4: Fund Consolidation and Splitting
After completing the Aave/Compound loans, the seven branches pushed the borrowed ETH to a third-layer aggregation wallet (0x5d3).

The entire operation cluster currently exhibits a clear three-tier structure:
1. Receive: 0x8B1 (also funded via Tornado Cash), receiving the original stolen 116,500 rsETH
2. Action: Seven branch wallets funded via Tornado Cash executed Aave/Compound operations
3. Consolidation: 0x5d3 aggregated approximately 71,000 ETH of borrowed funds and fed them into a single laundering pipeline.
The funds are then distributed across two chains:
· 75,700 ETH remain on the Ethereum mainnet
· 30,766 ETH on Arbitrum (approximately $71 million)
The Arbitrum Security Council voted to freeze this portion of assets on Arbitrum, transferring $71 million to a governance-controlled wallet that can only be unlocked through subsequent governance procedures.

Shortly after the freeze, the hacker transferred the remaining ETH on the mainnet and accelerated the money laundering process. These actions suggest he did not anticipate Arbitrum’s response.

Stage 5: First Wave of Money Laundering
Four days after the attack, 0x5d3 began to empty. Arkham tracked three separate transfers within hours.
The timing was deliberately chosen: European trading hours on Tuesday. U.S. investigators were off duty, European compliance teams were catching up on Monday’s backlog, and Asian exchanges were nearing close.
Subsequently, the transfer pattern began to spread explosively. Each of the first-wave destinations immediately further dispersed: 0x62c7 pushed funds to approximately 60 newly created wallets, and 0xD4B8 pushed to another ~60. Within hours, the originally clean cluster of 10 wallets expanded to over 100 one-time addresses, all funded in parallel, each holding amounts small enough to evade detection.

Lazarus runs HD wallet scripts—using a single mnemonic, thousands of entirely new addresses can be mathematically derived within seconds, paired with a worker pool (Python + web3, ethers.js, or their own internal tools) to sign and broadcast the entire address tree in parallel. They have been iterating on this code since 2018.
By the end of this stage, the linearly traceable chain has disappeared. The cluster of 10 wallets has fragmented into over 100 dispersed wallets, with funds simultaneously entering the privacy pathway through dozens of independent entry points.
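The fan-out pattern described above is also what makes this stage detectable: a wallet that was itself funded from a flagged cluster suddenly paying dozens of never-before-seen addresses within a few hours. The following is an added example, not code from the article or from any tracing vendor: a detector that propagates a taint label forward from a seed address through a transfer stream, then flags tainted senders whose count of freshly created recipients inside a sliding window exceeds a threshold. All addresses, timestamps and amounts are constructed, not the incident's real ones.

```python
"""Burst fan-out detection over an ETH transfer stream.

Added example, not part of the article or of any tracing vendor's tooling.
Addresses and timestamps below are constructed, not the incident's real ones.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int          # unix seconds
    src: str
    dst: str
    value_eth: float


def forward_cluster(transfers, seeds):
    """Every address reachable from the seed set by following outgoing
    transfers in time order (simple forward taint, no thresholds)."""
    tainted = set(seeds)
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.src in tainted:
            tainted.add(t.dst)
    return tainted


def detect_fanout(transfers, seeds, min_fresh=20, window_s=6 * 3600):
    """Flag tainted senders that fund at least min_fresh never-before-seen
    addresses within any window_s-long window. Returns {sender: peak count}."""
    tainted = forward_cluster(transfers, seeds)
    seen = set()
    fresh_funding = defaultdict(list)   # sender -> timestamps of fresh-address fundings
    for t in sorted(transfers, key=lambda t: t.ts):
        dst_is_fresh = t.dst not in seen  # first appearance anywhere in the stream
        seen.update((t.src, t.dst))
        if t.src in tainted and dst_is_fresh:
            fresh_funding[t.src].append(t.ts)
    alerts = {}
    for src, stamps in fresh_funding.items():
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            while ts - window[0] > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= min_fresh:
            alerts[src] = peak
    return alerts


def sample_transfers():
    """Constructed stream: a consolidation wallet pays three first-wave wallets,
    two of which sweep into 60 fresh addresses each within about two hours,
    while an unrelated busy wallet also pays many fresh addresses."""
    t0 = 1_700_000_000
    txs = [Transfer(t0, "0xseed_consolidation", f"0xwave1_{i}", 20_000.0) for i in range(3)]
    for w in ("0xwave1_0", "0xwave1_1"):
        txs += [Transfer(t0 + 600 + i * 120, w, f"{w}_leaf_{i}", 300.0) for i in range(60)]
    txs += [Transfer(t0 + 600 + i * 120, "0xwave1_2", f"0xwave1_2_leaf_{i}", 300.0)
            for i in range(5)]
    # unrelated high-volume wallet: many fresh recipients, never funded by the cluster
    txs += [Transfer(t0 + i * 60, "0xunrelated_hot_wallet", f"0xcustomer_{i}", 1.5)
            for i in range(100)]
    return txs


def run_demo():
    return detect_fanout(sample_transfers(), seeds={"0xseed_consolidation"})


if __name__ == "__main__":
    print(run_demo())
```

The taint propagation is what keeps the false-positive rate tolerable: an exchange hot wallet pays thousands of fresh addresses every day, so the burst alone is not a signal. Only the combination of provenance from a known-stolen cluster plus a burst of fresh recipients is flagged, which is exactly the shape of the 0x62c7 and 0xD4B8 fan-outs described above.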
Stage 6: THORChain — The Escape Machine
The real breakout occurred on THORChain.
THORChain is a decentralized protocol that enables cross-chain native asset swaps. You send ETH on Ethereum, and it returns BTC to you on the Bitcoin network.
On April 22 alone, THORChain's 24-hour trading volume reached $460 million. The protocol's normal daily trading volume is approximately $15 million. This single attack accounted for 30 times the protocol's typical daily volume.

Within the same 24-hour window, the protocol generated $494,000 in revenue, distributed among bonders (node operators), liquidity providers, the development fund, alliance integrators, and the marketing fund.
Meanwhile, funds also flow in parallel through a smaller but complementary set of privacy pathways:
· Umbra: An anonymity protocol on Ethereum that allows funds to be sent to one-time addresses, accessible only by the recipient, who can compute the address using a shared key. On-chain observers cannot determine the true destination. Initial activity of approximately $78,000 was traced here, after which the tool lost track.
· Chainflip: Another cross-chain DEX with a model similar to THORChain.
· BitTorrent Chain: A low-cost, low-regulation sidechain connected to Tron.
· Tornado Cash: The same mixer as the initial gas pre-funding. The U.S. Department of the Treasury added it to its sanctions list in 2022.
Each layer of protocol increases the tracking cost by approximately tenfold. After five layers, forensic firms can still theoretically trace every fragment, but the economic cost exceeds the recoverable value.
Stage 7: Bitcoin UTXO Fragmentation
Using THORChain to convert ETH to BTC is essentially turning money into confetti.
Ethereum uses an account-based model, where your balance is a simple number associated with your address. Bitcoin, however, uses a UTXO (Unspent Transaction Output) model—each UTXO is a discrete chunk of coin with a complete transaction history. Every time you spend Bitcoin, these chunks are split and recombined to form new ones.

Imagine tearing a $100 bill into 87 pieces, then tearing each of those pieces into another 87 pieces, and repeating this process seven times. Technically, each fragment can be traced back to the original bill. In practice, no forensic team could track thousands of parallel chains in real time and piece together the full picture quickly enough to take action.
Thus, THORChain accomplishes two things at once: moving funds across borders that no sanctions can cross, and fragmenting the funds into untraceable dust.
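What "confetti" means for a forensic analyst can be made concrete with a tiny UTXO graph. The following is an added example, not code from the article: it propagates a taint label across a constructed chain of Bitcoin-style transactions (a stolen output mixed with clean coins, then split in two repeatedly) under the two rules tracing firms actually use, proportional "haircut" taint and "poison" (any tainted input taints every output). Transaction ids, values and the depth of the split tree are constructed, not taken from the incident.

```python
"""UTXO taint propagation under haircut and poison rules.

Added example, not from the article. Transaction ids and amounts are constructed.
Each transaction spends earlier outputs (outpoints) and creates new ones; taint
is carried from inputs to outputs according to the chosen rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # outpoints (txid, vout) spent; empty for an external source
    outputs: tuple   # output values in satoshis


def propagate_taint(txs, initial_taint, mode="haircut"):
    """Replay txs in order and return {outpoint: (value, taint_fraction)} for
    every output left unspent. initial_taint maps source outpoints to fractions.
    haircut: output fraction = tainted input value / total input value.
    poison:  output fraction = 1.0 if any input carries taint, else 0.0."""
    utxos = {}
    for tx in txs:
        in_value = 0
        in_tainted_value = 0.0
        for op in tx.inputs:
            value, frac = utxos.pop(op)   # KeyError if spending an unknown or spent output
            in_value += value
            in_tainted_value += value * frac
        if in_value == 0:
            frac = 0.0                    # external source, taint only via initial_taint
        elif mode == "haircut":
            frac = in_tainted_value / in_value
        elif mode == "poison":
            frac = 1.0 if in_tainted_value > 0 else 0.0
        else:
            raise ValueError(f"unknown mode {mode!r}")
        for i, value in enumerate(tx.outputs):
            op = (tx.txid, i)
            utxos[op] = (value, initial_taint.get(op, frac))
    return utxos


def build_fragmentation_chain(depth=2):
    """Constructed graph: 1 BTC of stolen coins and 3 BTC of clean coins are spent
    together into four equal outputs, each of which is then split in half `depth` times."""
    txs = [
        Tx("stolen_in", (), (100_000_000,)),
        Tx("clean_in", (), (300_000_000,)),
        Tx("mix", (("stolen_in", 0), ("clean_in", 0)), (100_000_000,) * 4),
    ]
    frontier = [(("mix", i), 100_000_000) for i in range(4)]
    for level in range(depth):
        nxt = []
        for j, (op, value) in enumerate(frontier):
            txid = f"split{level}_{j}"
            half = value // 2
            txs.append(Tx(txid, (op,), (half, half)))
            nxt += [((txid, 0), half), ((txid, 1), half)]
        frontier = nxt
    return txs


def summarize(utxos):
    """Count tainted outputs, the taint-weighted value, and the gross value an
    analyst would have to follow or freeze."""
    tainted = [(v, f) for v, f in utxos.values() if f > 0]
    return {
        "tainted_utxos": len(tainted),
        "tainted_value_sats": round(sum(v * f for v, f in tainted)),
        "flagged_value_sats": sum(v for v, _ in tainted),
        "max_fraction": max((f for _, f in tainted), default=0.0),
    }


if __name__ == "__main__":
    seed = {("stolen_in", 0): 1.0}
    for mode in ("haircut", "poison"):
        print(mode, summarize(propagate_taint(build_fragmentation_chain(2), seed, mode)))
```

Under the haircut rule the stolen 1 BTC is conserved but is now spread over sixteen outputs holding 25% taint each; under the poison rule the analyst must treat all 4 BTC as suspect, four times the amount actually stolen. Each extra split level doubles the outputs to follow without changing either total, which is the "tear each piece into more pieces" effect described above, and a real laundering tree uses far higher fan-out than two.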
Stage 8: Tron USDT Track
After passing through Bitcoin and the privacy layer, the funds converge again at the same destination: USDT on Tron.
Most people assume the main battlefield for money laundering is BTC, which is incorrect. The real main battlefield is USDT on Tron. Data shows that USDT-Tron annually handles the highest volume of illicit crypto asset transactions, surpassing the combined total of all other chains.
In this Kelp fund flow, the specific path is: bridging BTC into Tron, exchanging it for USDT, and then transferring it multiple times between Tron addresses. Each hop on Tron costs only a few cents, allowing an additional 10 layers of fragmentation to be added.
Stage 9: Withdrawal — Converting Crypto to Cash
At the end of every hack, funds are converted into fiat cash through a specific, well-documented network of human intermediaries.
A group of OTC brokers active in mainland China and Southeast Asia accept USDT-Tron deposits and settle in local currency cash. These brokers function as unlicensed underground banks, aggregating fund flows from multiple clients (both compliant and non-compliant), netting them internally, and settling in fiat currency through China’s domestic payment network (UnionPay)—which operates entirely outside the SWIFT system and Western sanctions enforcement.

Funds flow from accounts controlled by these brokers into bank accounts held in the name of shell companies registered in Hong Kong, Macau, or other third-party jurisdictions. From these accounts, the funds are then routed back to Pyongyang through hawala-style informal settlement systems, physical cash transfers, and the procurement of front companies.
The United Nations Security Council, the FBI, and the U.S. Department of the Treasury have all independently documented the final destination of these funds. North Korea’s ballistic missile program, nuclear weapons development, and evasion of international sanctions all rely on the continued flow of such funds.
A 2024 United Nations report estimated that crypto hacks account for approximately 50% of North Korea’s total foreign exchange earnings, making them the primary funding source for North Korea’s weapons programs—exceeding the combined total of coal exports, arms sales, and labor exports.