
Monitoring by on-chain analyst Specter shows that on April 22 the North Korean hacking group TraderTraitor began laundering the funds stolen from KelpDAO, only three hours after the Arbitrum Security Committee froze approximately 30,766 ETH. The attackers routed the funds through the THORChain bridge to the Bitcoin network, pushing daily transactions to more than 10 times the 30-day daily average.
(Source: Arkham)
The attackers split the remaining funds across three wallets: the first held about 25k ETH (about $57.6 million), the second held about 25.7k ETH (about $59.2 million), and the third began laundering immediately after receiving the funds and currently has only about 3,800 ETH left (about $8 million).
During the laundering process, the stolen funds were mixed with the illicit proceeds of the BTC Turk (2025) and Bybit (2025) hacks, a typical operational pattern for TraderTraitor. Combining funds from multiple incidents makes on-chain tracking more difficult. Specter noted that although it traced 356 related addresses, some intermediary wallets were not included in that count; the total number of addresses used throughout the process exceeds 400.
According to Messari’s analysis, the root cause of this attack lies in the LayerZero EndpointV2 1:1 DVN configuration, which allows attackers to forge cross-chain messages. After compromising two LayerZero DVN nodes, the attackers simulated the rsETH burn and triggered 116,500 unauthorized releases of rsETH.
The downstream impact spread rapidly across the entire DeFi ecosystem: estimated Aave bad debt ranges from $123.7 million to $230.1 million; TVL fell from about $45.8 billion to $35.7 billion; overall DeFi TVL declined by more than $13.0 billion within 48 hours; the AAVE token dropped by about 25%; and the WETH market reached 100% utilization, triggering a $6.2 billion outflow of funds.
The main response measures include: the Arbitrum Security Committee freezing approximately 30,766 ETH; Kelp pausing all rsETH contracts on the mainnet and the L2 layer; and LayerZero prohibiting the future use of the 1:1 DVN configuration. Kelp is currently considering a 16% proportional loss compensation measure for rsETH holders, but Messari pointed out that this could affect users' confidence in the affected protocols and the pace of recovery.
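An added example, not code from LayerZero, Kelp or the sources cited here: a small audit that computes how many distinct DVNs must be compromised before a pathway would accept a forged message, reading the 1:1 DVN configuration described above as one required DVN with no independent optional verifier. The fields are modelled on LayerZero V2's UlnConfig struct; the pathway names, DVN labels and the `min_quorum` policy of 2 are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class UlnConfig:
    # Fields modelled on LayerZero V2's UlnConfig struct; all values below are constructed.
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def min_compromises(cfg):
    """Fewest distinct DVNs an attacker must control to get a forged message verified."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns}
    threshold = min(cfg.optional_threshold, len(optional))
    # An optional DVN that is also required adds no independent verifier.
    extra = max(0, threshold - len(optional & required))
    return len(required) + extra

def audit(cfg, min_quorum=2):
    """Return findings for one pathway; min_quorum is an assumed local policy."""
    findings = []
    addrs = [a.lower() for a in cfg.required_dvns + cfg.optional_dvns]
    if len(set(addrs)) != len(addrs):
        findings.append("duplicate or overlapping DVN address")
    if cfg.optional_threshold > len({a.lower() for a in cfg.optional_dvns}):
        findings.append("optional threshold exceeds optional DVN count")
    quorum = min_compromises(cfg)
    if quorum < min_quorum:
        findings.append(f"quorum {quorum} below policy {min_quorum}")
    return findings

# Constructed pathways: names and DVN labels are placeholders, not real deployments.
PATHWAYS = {
    "chainA->chainB": UlnConfig(["dvn-1"]),                         # plain 1:1 setup
    "chainA->chainC": UlnConfig(["dvn-1"], ["DVN-1", "dvn-2"], 1),  # overlap hides a 1:1
    "chainB->chainC": UlnConfig(["dvn-1", "dvn-2"], ["dvn-3", "dvn-4"], 1),
}

def report():
    """Map each pathway name to its list of findings (empty list means it passed)."""
    return {name: audit(cfg) for name, cfg in PATHWAYS.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "OK" if not findings else findings)
```

The second pathway lists two optional DVNs, yet one of them is the required DVN again, so a single compromised verifier still satisfies the whole quorum.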
THORChain is a permissionless cross-chain liquidity protocol that allows asset swaps between different blockchains without requiring KYC verification. TraderTraitor used the same THORChain channel in the earlier Bybit hack, indicating that this has become the North Korean hacking group's fixed operating pattern after large-scale thefts.
Mixing funds is a standard money-laundering technique: combining stolen funds from multiple incidents makes it harder for investigators to identify the original source and the destination or ownership of specific funds. As the stolen KelpDAO funds moved through THORChain, they had already been mixed with illicit funds from the 2025 BTC Turk and Bybit hacks, forming a funding trail that is even harder to unravel.
If the compensation plan is ultimately confirmed, rsETH holders will bear approximately 16% of the loss in proportion to their position size, meaning that for every 100 rsETH, the nominal value of assets will be discounted by about 16%. The compensation mechanism can help partially mitigate losses for affected users, but it may also affect how quickly the market restores confidence in rsETH and the Kelp protocol overall.