Hackers linked to North Korea's Lazarus Group are actively laundering $290 million in crypto stolen from DeFi protocol KelpDAO, moving funds across the Ethereum and Bitcoin networks.
On-chain data from analysts including ZachXBT and firms like Arkham and PeckShield confirmed the fund movements, which began during European hours on Tuesday.
The laundering involves two large transfers of $117 million and $58 million on Ethereum, with at least $1.5 million bridged to Bitcoin via THORChain and smaller amounts routed through privacy protocol Umbra, according to blockchain investigators.
The exploit, one of the largest in 2026, highlights persistent security risks in DeFi and has prompted a partial freeze of funds, putting pressure on the attackers to move the remaining $175 million before it can be secured.
Go Deeper
The incident began on April 18 when attackers exploited the liquid restaking protocol KelpDAO, draining 116,500 rsETH tokens valued at approximately $290 million. The attack vector involved compromising servers in the LayerZero messaging protocol, which KelpDAO used for cross-chain communication. By feeding forged messages, the hackers authorized the illicit transfer. A public dispute has since emerged, with LayerZero blaming KelpDAO's specific "single-DVN" security setup, a characterization KelpDAO has contested.
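The dispute over the "single-DVN" configuration comes down to how many independent verifiers must attest to a cross-chain message before the destination acts on it. The following is an added illustration, not code from LayerZero, KelpDAO or any investigator; the verifier names, the HMAC tags standing in for real signatures, and the message fields are all constructed assumptions. It shows the general point: under a single-verifier policy, one compromised verifier key is enough to get a forged message accepted, while an M-of-N quorum over independent verifiers rejects the same message.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed, hypothetical verifier keys. A real verifier network uses
# per-verifier signing keys; HMAC stands in for signatures here so the
# example runs with the standard library only.
VERIFIER_KEYS = {
    "dvn-a": b"key-a-constructed",
    "dvn-b": b"key-b-constructed",
    "dvn-c": b"key-c-constructed",
}


@dataclass(frozen=True)
class CrossChainMessage:
    src_chain: str
    dst_chain: str
    nonce: int
    payload: str  # constructed action string, e.g. "unlock 10 rsETH to 0xUSER"

    def digest(self) -> bytes:
        # Canonical encoding so every verifier hashes identical bytes.
        body = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(body).digest()


def attest(key: bytes, msg: CrossChainMessage) -> bytes:
    """A verifier's attestation over the message digest (HMAC as a stand-in)."""
    return hmac.new(key, msg.digest(), hashlib.sha256).digest()


def attestation_valid(verifier: str, tag: bytes, msg: CrossChainMessage) -> bool:
    key = VERIFIER_KEYS.get(verifier)
    if key is None:
        return False
    return hmac.compare_digest(attest(key, msg), tag)


def accept_single_dvn(msg, attestations, trusted: str) -> bool:
    """Single-verifier policy: one valid attestation authorizes the message."""
    return attestation_valid(trusted, attestations.get(trusted, b""), msg)


def accept_quorum(msg, attestations, required: int) -> bool:
    """M-of-N policy: at least `required` distinct verifiers must attest."""
    valid = {v for v, tag in attestations.items() if attestation_valid(v, tag, msg)}
    return len(valid) >= required


def demo() -> dict:
    # Legitimate message, attested by all three verifiers.
    good = CrossChainMessage("arbitrum", "ethereum", 1, "unlock 10 rsETH to 0xUSER")
    good_atts = {v: attest(k, good) for v, k in VERIFIER_KEYS.items()}

    # Forged message: only dvn-a's key is assumed compromised, so only its
    # attestation verifies; the other two tags are junk.
    forged = CrossChainMessage("arbitrum", "ethereum", 2, "unlock 116500 rsETH to 0xATTACKER")
    forged_atts = {
        "dvn-a": attest(VERIFIER_KEYS["dvn-a"], forged),
        "dvn-b": b"\x00" * 32,
        "dvn-c": b"\x00" * 32,
    }
    return {
        "good_single": accept_single_dvn(good, good_atts, "dvn-a"),
        "good_quorum": accept_quorum(good, good_atts, 2),
        "forged_single": accept_single_dvn(forged, forged_atts, "dvn-a"),
        "forged_quorum": accept_quorum(forged, forged_atts, 2),
    }


if __name__ == "__main__":
    for policy, accepted in demo().items():
        print(f"{policy}: {'ACCEPTED' if accepted else 'rejected'}")
```

The quorum check only helps if the verifiers are genuinely independent (separate operators, keys and infrastructure); three verifiers run from the same compromised servers collapse back to the single-verifier case.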
Following the theft, the attackers began a sophisticated laundering operation. The techniques—using cross-chain bridges like THORChain and privacy tools like Umbra—are consistent with methods previously attributed to the Lazarus Group. The operation involves splitting the funds and moving them through multiple channels to obscure their origin.
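The splitting described here is what makes on-chain tracing hard: once a hop address mixes stolen funds with unrelated ones, a tracer that simply follows every outflow over-attributes. The following is an added example, not the work of any investigator named in the article; the addresses, amounts and the "bridge" and "privacy protocol" tags are all constructed. It compares a naive follow-the-outflows tracer with a proportional ("haircut") taint model over a small invented ledger, which is the kind of attribution step an analyst performs before labelling a destination as receiving stolen funds.

```python
from collections import defaultdict, deque

# Constructed ETH transfer ledger in chronological order: (sender, recipient,
# amount). Addresses, amounts and tags are invented for illustration; real
# analysis uses chain data plus the analyst's own address labels.
TRANSFERS = [
    ("0xEXPLOIT", "0xHOP1", 60000.0),
    ("0xEXPLOIT", "0xHOP2", 30000.0),
    ("0xHOP1", "0xHOP3", 59990.0),
    ("0xHOP1", "0xHOP4", 10.0),
    ("0xHOP3", "0xBRIDGE", 500.0),
    ("0xHOP2", "0xPRIVACY", 200.0),
    ("0xUNRELATED", "0xHOP4", 5.0),  # clean funds mixing into a hop address
    ("0xHOP4", "0xBRIDGE", 15.0),
]

# Hypothetical endpoint tags (stand-ins for a bridge and a privacy protocol).
ENDPOINTS = {"0xBRIDGE": "cross-chain bridge", "0xPRIVACY": "privacy protocol"}


def naive_reach(transfers, source):
    """Follow every outflow from `source` and credit the full amount of any
    transfer into a tagged endpoint. Over-attributes once hops mix clean
    funds with stolen ones."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    seen, queue = {source}, deque([source])
    reached = defaultdict(float)
    while queue:
        addr = queue.popleft()
        for dst, amt in out[addr]:
            if dst in ENDPOINTS:
                reached[dst] += amt
            elif dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return dict(reached)


def haircut_reach(transfers, source, stolen_amount):
    """Proportional ('haircut') taint: each outflow carries the sender's
    current tainted fraction of its balance. Senders with no known balance
    are treated as clean, so unrelated inflows dilute the taint."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    balance[source] = stolen_amount
    tainted[source] = stolen_amount
    reached = defaultdict(float)
    for src, dst, amt in transfers:
        frac = tainted[src] / balance[src] if balance[src] > 0 else 0.0
        moved_taint = amt * frac
        balance[src] = max(0.0, balance[src] - amt)
        tainted[src] = max(0.0, tainted[src] - moved_taint)
        balance[dst] += amt
        tainted[dst] += moved_taint
        if dst in ENDPOINTS:
            reached[dst] += moved_taint
    return dict(reached)


if __name__ == "__main__":
    print("naive  :", naive_reach(TRANSFERS, "0xEXPLOIT"))
    print("haircut:", haircut_reach(TRANSFERS, "0xEXPLOIT", 90000.0))
```

On this ledger the naive tracer credits 515 ETH to the bridge while the haircut model credits 510, because 5 ETH arriving at 0xHOP4 from an untainted address carried no taint. Both are heuristics; the choice of taint model (haircut, FIFO, poison) changes the numbers, which is why attribution figures from different analysts can differ on the same chain data.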
In a significant intervention, the Arbitrum Security Council, acting on information from law enforcement, froze 30,766 ETH (worth over $71 million) linked to the exploit before it could be bridged off its network. This action, while praised by some for recovering a substantial portion of the funds, also sparked debate about the level of centralization and emergency powers within layer-2 ecosystems.
What's Next
The partial freeze appears to have forced the attackers' hand, accelerating their efforts to launder the remaining $175 million. On-chain data shows funds being actively routed from Ethereum to Bitcoin, suggesting a race to move assets beyond the reach of centralized freezes.
Investigators are closely tracking the flow of funds to wallets associated with the Lazarus Group subgroup known as TraderTraitor. The scale of the hack and the sophisticated laundering techniques are likely to trigger a strong response from regulators, who may increase scrutiny on cross-chain bridges and privacy mixers as key channels for illicit fund flows. The incident serves as a critical test for both law enforcement's on-chain tracing capabilities and the DeFi community's ability to respond to and mitigate large-scale security breaches.
This article is for informational purposes only and does not constitute investment advice.