Kelp DAO Hacker Launders $220M, Recovery Prospects Dwindle
The hacker behind April’s $293 million Kelp DAO exploit has successfully laundered $220 million of the stolen funds, according to data from blockchain analytics firm Arkham. Only $71 million remains frozen, thanks to action by Arbitrum’s Security Council, leaving little hope for recovering the majority of the stolen assets.
The attack, which siphoned off 116,500 Kelp DAO restaked ETH (rsETH), represented about 18% of the token's circulating supply. The hacker used a two-step laundering process: bridging stolen funds to Bitcoin via Wasabi crypto mixer, then returning to Ethereum and obfuscating further withdrawals through Tornado Cash. Arkham data shows just $1.7 million traceable in the hacker-tagged wallet as of June 1.
The frozen $71 million is now a focal point of a legal battle. A governance proposal and subsequent U.S. court order approved the transfer of the frozen funds to a multi-signature wallet controlled by Aave for recovery purposes. A court hearing in New York later this week could decide the ownership of these funds.
A Blow to DeFi Security
The exploit has cast a long shadow over decentralized finance (DeFi), raising alarms about the security of cross-chain infrastructures. Kelp DAO attributed the breach to vulnerabilities in its LayerZero-powered bridge. The protocol has since migrated its rsETH token to Chainlink’s Cross-Chain Interoperability Protocol (CCIP), citing increased security. LayerZero, however, countered that the hack stemmed from Kelp DAO’s reliance on a single data validation node, despite warnings against such configurations.
In the wake of the incident, other DeFi platforms, including Solv Protocol and Tydro, followed suit, abandoning their previous setups in favor of Chainlink’s CCIP. These moves underscore the industry’s ongoing struggle to balance innovation with robust security measures.
Market Impact
Despite the hack, Kelp DAO’s token, rsETH, has shown resilience, trading at $2,243.56 as of June 1, with a market capitalization of $1.37 billion. This suggests that the broader market still sees the protocol’s liquid restaking model as valuable, even as questions linger about the safety of cross-chain protocols. Notably, Kelp DAO does not currently offer a governance token, limiting direct market speculation on the project’s recovery efforts.
The April hack contributed to one of the highest monthly crypto exploit losses in recent memory, totaling $630 million across the sector. However, May saw a sharp decline in exploits, with losses dropping 90% to $68.3 million, according to CertiK. Yet the Kelp DAO attack remains a stark reminder of the systemic risks that still plague DeFi.
What’s Next?
While Kelp DAO has restored its rsETH token functionality, the odds of recovering the laundered $220 million are slim. The upcoming court hearing on the frozen $71 million will be critical for determining whether any restitution can be made to affected users.
Meanwhile, the hack is likely to fuel further scrutiny of cross-chain protocols and prompt more projects to reexamine their infrastructure. With $293 million in damages and lingering legal battles, Kelp DAO’s exploit serves as a cautionary tale for the DeFi ecosystem.