Kelp DAO Hacker Launders Nearly $220 Million as Recovery Prospects Diminish

Efforts to recover funds stolen in the massive Kelp DAO exploit have suffered a major setback after the attacker laundered nearly all of the unfrozen assets. Blockchain tracking data shows that only about $1.7 million remains directly traceable, while approximately $220 million has been moved through multiple channels designed to obscure its origin.

The exploit occurred on April 18, when the attacker drained 116,500 restaked Ether (rsETH) tokens, resulting in losses of roughly $293 million. The incident was one of the largest crypto security breaches of 2026 and significantly contributed to April’s surge in hacking-related losses across the digital asset sector.

Arkham reported that the stolen funds were moved through several stages. The attacker allegedly bridged assets into Bitcoin using the Wasabi mixing service before returning them to Ethereum. The funds were then routed through Tornado Cash, a protocol commonly used to obscure transaction trails.

Certik believe this laundering process has substantially reduced the likelihood of recovering the remaining unfrozen assets.

Frozen Funds Remain Under Legal Review

While most of the stolen funds have been moved, approximately $71 million was frozen by Arbitrum’s Security Council shortly after the exploit. A governance proposal and a U.S. court order approved the transfer of those frozen assets to an Aave-controlled wallet as part of the rsETH recovery effort.

A court hearing regarding ownership claims linked to the frozen funds is scheduled for later this week in New York.

DeFi Security Concerns Continue Despite Lower Hack Losses

Although cryptocurrency exploit losses fell sharply to $68.3 million in May, nearly 90% lower than April levels, the Kelp DAO incident continues to raise concerns across the decentralized finance sector.

Following the exploit, several projects reviewed their security infrastructure. Solv Protocol, Tydro and Kelp DAO all shifted to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) in search of stronger cross-chain security.

Kelp DAO attributed the exploit to weaknesses in its previous cross chain setup. However, LayerZero stated that the incident stemmed from Kelp DAO’s implementation choices, arguing that the protocol relied on a single verification path despite prior warnings about potential security risks.