Kelp DAO Hacker Launders $220M via Tornado Cash and Wasabi in Six Weeks

June 1, 2026

The Kelp DAO hacker has laundered roughly $220 million in just six weeks. As of June 1, only $1.7 million remains traceable in the exploiter's wallet. The window for any voluntary return has effectively closed.

Two-Layer Laundering Method

The exploiter used a sequential two-step approach. First, stolen funds were converted and routed through Wasabi, a Bitcoin mixer built on the CoinJoin protocol. CoinJoin combines transactions from multiple participants into a single joint transaction, making it extremely difficult to identify the real sender and recipient. Wasabi automates this process without requiring trust in any central operator.

After passing through Wasabi, the funds returned to the Ethereum network and went through Tornado Cash. This deposit-based mixer breaks the link between sending and receiving addresses through a smart contract: funds go in as an anonymous deposit and come out to a fresh address with no traceable connection. OFAC added Tornado Cash to its sanctions list in 2022, but the protocol remains technically accessible.

Both layers were tracked by onchain analyst Specter and blockchain data provider Arkham Intelligence. The full laundering cycle took six weeks, averaging roughly $5.2 million per day through two anonymization layers. The original exploit happened on April 18, 2026, when 116,500 rsETH were drained from Kelp DAO. April became the worst month for DeFi exploits on record, with industry-wide losses reaching $630 million.

What Remains of the $293 Million

The exploiter's trackable wallet now holds only $1.7 million. The remaining $220 million has been scattered across addresses with no clear onchain trail after two mixing layers. The probability of reconstructing the fund route is near zero. That effectively ends any realistic hope for out-of-court recovery.

Note: The $71 million frozen by Arbitrum's Security Council on April 21 is the only portion of the stolen funds with any real chance of reaching affected rsETH holders.

The Arbitrum Security Council acted quickly, and the freeze happened four days after the exploit. A US court later issued an order allowing those assets to be transferred to an Aave-controlled multisig wallet pending resolution of the case. This is standard legal asset preservation ahead of a court decision.

Of the original $293 million, $71 million remains within legal reach. The other $222 million is effectively gone from investigators' view.

Why the Restaking Sector Faces Scrutiny

Kelp DAO is one of the leading restaking protocols built on Ethereum. Restaking lets ETH holders simultaneously secure multiple protocols and earn higher yields, but adds technical complexity at every layer. The sector attracted more than $20 billion by early 2026.

The attack exploited cross-chain infrastructure. The vulnerability was in a LayerZero contract responsible for moving rsETH between networks. No public audits had flagged this specific vector as a critical risk before the exploit. Cross-chain layers receive less thorough review than core protocol contracts. That gap in scrutiny proves expensive.

May data provides partial relief. According to CertiK, DeFi losses in May dropped to $68.3 million from $630 million in April, down nearly 90%. But that is a statistical bounce after an anomalous month, not a sign that April's stolen funds came back. The Kelp DAO money is not counted in those May figures.

Friday's Hearing and the Fate of $71 Million

A New York court hearing on ownership of the frozen $71 million is scheduled for Friday. If the court confirms the transfer of funds to the Aave-managed multisig, distribution proceedings for affected rsETH holders will begin. Kelp DAO's team will announce compensation details after the ruling.

Separately, the protocol has already completed its five-week rsETH recovery program. The final tranche (20,373.7 rsETH) was sent to the LayerZero contract responsible for locking, minting and releasing the token during cross-chain transfers. Kelp DAO has restored technical functionality.

If the court rules in the team's favor, affected holders can expect to recover roughly 24% of what was stolen. Not much. But more than what victims in most DeFi exploits see, which is often nothing at all.

What This Means for DeFi Participants

This case confirms several points that security auditors have raised for years. Cross-chain bridges and inter-protocol integration layers remain the most exploitable part of DeFi architecture. Most major exploits in 2025-2026 came through this layer, not through core protocol logic. Centralized emergency mechanisms, like Arbitrum's Security Council, genuinely save a portion of funds when activated quickly. And legal recovery takes months, not weeks.

Those holding assets in restaking protocols should check whether their protocol has a network-level emergency freeze mechanism. In Kelp DAO's case, four days was enough to save $71 million. But $220 million was already gone before the Security Council could act.

The broader picture: Tornado Cash and Wasabi continue to operate despite regulatory pressure. Combined with cross-chain bridging, laundering large sums remains a viable path for any major DeFi exploiter. As long as Bitcoin mixers and Ethereum anonymization protocols remain technically accessible, criminal demand for them will not go away.
