Kelp DAO Hacker Launders $220 Million in Stolen Funds, Weakening Recovery Prospects



Most of the Kelp DAO hacker’s unfrozen proceeds have now been laundered, sharply reducing the odds of recovering the stolen funds outside the assets frozen by the Arbitrum Security Council.
Cointelegraph reported on June 1 that the attacker laundered about $220 million in unfrozen funds over the past six weeks. Blockchain data firm Arkham said wallets still traceable to the attacker now hold about $1.7 million.
The attack took place on April 18. The hacker stole 116,500 rsETH, Kelp DAO’s restaked Ether token, and total losses were estimated at $293 million. The breach lifted crypto hacking losses in April to $630 million.
On-chain analyst Spector said the attacker laundered the funds in two stages. The hacker first used crypto mixer Wasabi to bridge the assets into Bitcoin, then moved them back to Ethereum and repeatedly cycled deposits and withdrawals through Tornado Cash.
Some of the funds remain frozen. The Arbitrum Security Council froze $71 million on April 21. A governance proposal and a US court order later approved a plan to transfer the assets to a multisignature wallet managed by Aave. The next hearing on ownership of the frozen funds is scheduled for Friday in New York.
Kelp DAO previously said it had completed restoration of the rsETH token after five weeks of recovery work. The final tranche, 20,373.7 rsETH, was sent to a LayerZero smart contract responsible for locking, minting, burning and unlocking rsETH during cross-chain transfers.
Crypto hacking losses fell sharply in May from the previous month. Security firm CertiK said losses from crypto attacks totaled $68.3 million in May, down about 90% from April. Phishing attacks accounted for about $2.6 million, while $9.4 million was recovered or returned.
Even so, the Kelp DAO hack renewed concerns over DeFi security. After the attack, Bitcoin DeFi platform Solv Protocol and liquidity protocol Tydro migrated to Chainlink’s Cross-Chain Interoperability Protocol, or CCIP. Kelp DAO also moved rsETH from its LayerZero-based bridge to Chainlink CCIP.
LayerZero rejected claims that the attack was caused by a flaw in its own protocol. It said the breach stemmed from a single point of failure in Kelp DAO’s implementation. The company added that Kelp DAO had relied on only a single LayerZero DVN as its verification path despite prior warnings.

Minseung Kang
minriver@bloomingbit.io
Blockchain journalist | Writer of Trade Now & Altcoin Now, must-read content for investors.
