
From Hack to Market: How Was $292 Million Laundered?

Using the KelpDAO Incident as an Example, Breaking Down How a Hacker Turns Your Money into Theirs
Original Article Title: where did the kelp $292m go? anatomy of a $292m laundering.
Original Article Author: @the_smart_ape
Translation: Peggy, BlockBeats


Editor's Note: On April 18th, Kelp DAO was attacked and around $292 million worth of assets were stolen. In a completely transparent on-chain system, how was this money gradually "laundered" and turned into fungible assets?


This article takes that event as its starting point and dissects a highly industrialized crypto laundering path: from preparing anonymous infrastructure before the attack and severing on-chain links with Tornado Cash; to posting the "toxic" stolen tokens as collateral on Aave and Compound and borrowing clean liquidity against them; to multiplying the cost of tracing through THORChain, cross-chain bridges, and Bitcoin's UTXO structure; and finally to the Tron-based USDT rails, where the funds are exchanged off-chain for real-world cash.


Throughout this process there are no complex black-box operations; almost every step is done "by the book." Precisely because of this, what the path reveals is not a single point of failure but the structural tension inside the DeFi ecosystem between openness, composability, and the absence of any gatekeeper who vets counterparties. "Fund recovery" stops being a technical problem and becomes a question of where the system's boundaries lie.


Therefore, the Kelp DAO incident is not just a security breach; it is a stress test of how the crypto world operates. It demonstrates how a hacker turns your money into their money, and why a system built on these principles finds that process so hard to stop.


As you may know, on April 18th a North Korean hacker stole $292 million from Kelp DAO. Five days later, more than half of it had already disappeared: fragmented across thousands of wallets, swapped through protocols no one can halt, and finally funneled to a very specific destination.



The intriguing part is how $292 million of fully traceable stolen crypto assets turned into cash in a Pyongyang pocket without anyone being able to stop it.


The purpose of this article is to show how the modern crypto money laundering pipeline operates end to end, why it is structurally unstoppable, and what each laundered dollar ultimately buys.


Phase One: Setup (Hours Before the Attack)


The attacker did not start with direct theft. The Lazarus group's strategy always begins with infrastructure preparation.


Approximately 10 hours before the attack, 8 brand-new wallets were pre-funded through Tornado Cash—Tornado Cash is a mixer that severs the link between the source and destination of funds.


Each wallet received 0.1 ETH to cover all subsequent Gas fees. Since these wallets' funds came from the mixer, there are no exchange KYC records, no transaction history, no connection to any known entity. A clean slate.



On the eve of the attack, the attacker also made 3 cross-chain transfers from Ethereum mainnet to Avalanche and Arbitrum, evidently to pre-position gas on those two chains and to test the bridging path so that the large transfers later would go through smoothly.



Phase Two: Theft


A separate attack-initiator wallet (0x4966…575e) called the lzReceive function on the LayerZero EndpointV2 contract. Because the verifiers of cross-chain messages had been defrauded into attesting to it, the call was treated as a legitimate, verified cross-chain message. Kelp's bridge contract, Kelp DAO: RSETH_OFTAdapter (Etherscan address 0x85d…), then released 116,500 rsETH to 0x8B1.


18% of all circulating rsETH. Vanished in a single function call.


46 minutes later, at 18:21 UTC, Kelp's emergency multisig paused the protocol. At 18:26 and 18:28 UTC the attacker tried the exact same operation twice more, each time attempting to pull out about 40,000 rsETH (roughly $100 million each). Both attempts reverted against the now-paused protocol. Without the pause, the total stolen in this incident could have approached $500 million.



Phase Three: Aave + Compound Operations


rsETH is a receipt token: it is only worth what Kelp will honor, and once Kelp pauses the bridge or blacklists the stolen tokens, the attacker's rsETH is worth nothing to them. The attacker therefore had only minutes to convert it into assets that cannot be frozen. Kelp paused 46 minutes after the theft, far too late.


Selling $292 million of an illiquid restaking token directly on the open market would have pushed the price down by more than 30% within minutes. So instead of selling, the attacker used DeFi lending protocols as the laundering tool: post the token as collateral and borrow clean assets against it.


The receiving wallet 0x8B1 then dispersed the 116,500 stolen rsETH across 7 branch wallets. Each branch deposited part of its rsETH into Aave and Compound V3 as collateral and borrowed ETH against it.



The cumulative positions of the 7 branches were as follows:


· Collateral Deposited: 89,567 rsETH


· Borrowed: Approximately 82,650 WETH + 821 wstETH, totaling around $190 million of clean, liquid Ethereum assets


· Health factor between 1.01 and 1.03 for each branch, i.e. just above the liquidation threshold of 1.0: the largest borrow the protocol permits against that collateral



In effect the attacker exchanged nearly illiquid rsETH nominally worth $292 million for $190 million of ETH. Because that rsETH was ultimately marked down to near zero (Kelp was under-collateralized and the tokens could not be redeemed), the loss fell on the lending protocols' depositors.
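To make the mechanics of this step concrete, here is an added worked example; it is not Kelp, Aave or Compound code. It computes the maximum borrow against a given collateral value, the resulting health factor, and the bad debt left behind when that collateral is marked to zero, and it shows why no liquidator steps in once the collateral cannot be sold. The rsETH and ETH quantities are the article's; the reserve parameters (LTV 0.93, liquidation threshold 0.95, liquidation bonus 5%) and the 1 rsETH = 1 ETH price are assumptions chosen to land in the 1.01 to 1.03 health-factor range reported above, not Aave's actual rsETH settings.

```python
"""Collateral-and-borrow arithmetic for the Kelp rsETH positions.

Added illustration, not Kelp/Aave/Compound code. Reserve parameters and the
rsETH/ETH price below are ASSUMPTIONS; the rsETH and ETH quantities come
from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReserveParams:
    ltv: float            # max loan-to-value for opening a borrow (ASSUMED)
    liq_threshold: float  # collateral factor at which liquidation opens (ASSUMED)
    liq_bonus: float      # discount a liquidator gets on seized collateral (ASSUMED)


# Hypothetical rsETH reserve settings chosen for illustration only.
ASSUMED_RSETH = ReserveParams(ltv=0.93, liq_threshold=0.95, liq_bonus=0.05)


def max_borrow(collateral_value: float, p: ReserveParams) -> float:
    """Largest debt the protocol allows against collateral worth collateral_value."""
    return collateral_value * p.ltv


def health_factor(collateral_value: float, debt_value: float, p: ReserveParams) -> float:
    """Aave-style health factor; the position becomes liquidatable once it drops below 1.0."""
    if debt_value <= 0:
        return float("inf")
    return collateral_value * p.liq_threshold / debt_value


def bad_debt(collateral_value_now: float, debt_value: float) -> float:
    """Debt that liquidating the collateral at its current value cannot cover."""
    return max(0.0, debt_value - collateral_value_now)


def liquidation_is_rational(market_price: float, oracle_price: float, p: ReserveParams) -> bool:
    """A liquidator repays 1 unit of debt and receives (1 + bonus) units of collateral
    value at the ORACLE price. It only pays off if that collateral can actually be sold
    on the MARKET for more than the 1 unit repaid. A worthless receipt token never can."""
    return (market_price / oracle_price) * (1.0 + p.liq_bonus) > 1.0


def max_extraction(collateral_units: float, price_eth: float,
                   p: ReserveParams, n_branches: int = 7) -> dict:
    """Spread the collateral over n branches and borrow the maximum in each, as in the article."""
    per_branch = collateral_units / n_branches
    col_value = per_branch * price_eth
    debt = max_borrow(col_value, p)
    return {
        "collateral_eth": col_value * n_branches,
        "borrowed_eth": debt * n_branches,
        # Identical for every branch: at the cap HF = liq_threshold / ltv, whatever the size.
        "health_factor": health_factor(col_value, debt, p),
        # If the collateral is marked to zero, lenders keep the whole debt as a loss.
        "bad_debt_if_collateral_worthless": bad_debt(0.0, debt * n_branches),
    }


if __name__ == "__main__":
    result = max_extraction(89_567, price_eth=1.0, p=ASSUMED_RSETH)
    for key, val in result.items():
        print(f"{key:>34}: {val:,.4f}")
    # Oracle still says 1 ETH, market says the token is unredeemable: nobody liquidates.
    print("liquidation rational at market price 0:",
          liquidation_is_rational(0.0, 1.0, ASSUMED_RSETH))
```

The point the numbers make: borrowing to the cap pins every branch at the same health factor (liquidation threshold divided by LTV), so the attacker extracts the protocol's maximum with no extra risk, and when the collateral later cannot be sold at any discount, the liquidation mechanism that is supposed to protect depositors simply never fires.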


As the market realized that Aave was carrying on the order of $200 million in bad debt from these rsETH-backed loans, users withdrew in panic, and Aave lost $8 billion in total value locked (TVL) within 48 hours. The leading DeFi lending protocol faced its first true bank run, triggered by an attacker using the protocol exactly as designed.



Phase Four: Fund Aggregation and Splitting


After completing the Aave/Compound borrowing, the 7 branches forwarded the borrowed ETH to a third-layer consolidation wallet (0x5d3).



At this point, the entire operation cluster exhibited a clear three-tier structure:


1. Receiving: 0x8B1 (also funded through Tornado Cash), receiving the initial 116,500 stolen rsETH

2. Operation: 7 branch wallets funded by Tornado Cash, conducting Aave/Compound transactions

3. Integration: 0x5d3 consolidating approximately 71,000 ETH in borrowed funds, funneling them into the money laundering process


The funds were then distributed across two chains:


· 75,700 ETH remained on the Ethereum mainnet

· 30,766 ETH on Arbitrum (approximately $71 million)


The Arbitrum Security Council voted to freeze these assets on Arbitrum, transferring the $71 million to a governance-controlled wallet that can only be unlocked through subsequent governance.



Shortly after the freeze, the hacker moved the remaining mainnet ETH and accelerated the laundering. Evidently the hacker had not anticipated Arbitrum's move.



Phase Five: First Wave of Laundering


Four days after the attack, 0x5d3 began moving funds out. Arkham identified 3 distinct outbound transfers within hours.


The timing was deliberate: European trading hours on a Tuesday. U.S. investigators were not yet at their desks, European compliance teams were working through Monday's backlog, and Asian exchanges were nearing the end of their day.


Then the transfer pattern proliferated exponentially. Each initial destination immediately cascaded: 0x62c7 funneled funds into about 60 newly created wallets, 0xD4B8 into another 60. Within hours, what had been a tidy cluster of 10 wallets became more than 100 ephemeral addresses, all funded at the same time, each holding an amount small enough to slip under monitoring thresholds.



Lazarus runs an HD (hierarchical deterministic) wallet script: from a single mnemonic it can derive thousands of never-used addresses in seconds, and a worker pool (Python + web3, ethers.js, or in-house tooling) signs and broadcasts transactions for the whole address tree in parallel. This codebase has been iterated on since 2018.


By the end of this phase, the linearly traceable chain had vanished. The operational cluster of 10 wallets exploded into over 100 fragmented wallets, funds simultaneously entering the privacy track from dozens of discrete entry points.
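The fan-out described above is also what an analyst looks for from the other side. Here is an added example, not code from the article, from Arkham, or from any attacker toolkit, that runs two checks over a constructed transfer log: a fan-out alert that flags any sender funding dozens of never-seen-before addresses within a few blocks, and a forward trace that enumerates every address reachable from a hub wallet while respecting block order. Every address (0x5d3 and 0x62c7/0xD4B8 are reused as labels only), block number and amount in the sample is made up; only the shape of the cluster follows the article.

```python
"""Fan-out detection and forward tracing over an account-model transfer log.

Added example, not code from the article, Arkham or Lazarus. Every address,
block number and amount below is constructed; only the shape (one consolidation
wallet feeding a few first hops, each of which sprays into dozens of fresh
addresses within a few blocks) follows the article's description.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    block: int
    src: str
    dst: str
    amount: float  # ETH


def sample_transfers() -> list:
    """Constructed log: hypothetical hub 0x5d3 -> 3 hops -> 120 fresh leaves, plus noise."""
    txs = []
    hops = ["0x62c7", "0xD4B8", "0x9f01"]          # hypothetical first-hop addresses
    for i, hop in enumerate(hops):
        txs.append(Transfer(100 + i, "0x5d3", hop, 20_000.0))
    for hop in hops[:2]:                            # two hops spray into 60 new wallets each
        for j in range(60):
            txs.append(Transfer(105, hop, f"{hop}-leaf{j:02d}", 300.0))
    for j in range(5):                              # benign noise: an exchange paying users
        txs.append(Transfer(105, "0xExchangeHot", f"0xUser{j}", 1.5))
    return txs


def first_funded(transfers) -> dict:
    """Block in which each address first received anything (its 'birth')."""
    born = {}
    for t in sorted(transfers, key=lambda t: t.block):
        born.setdefault(t.dst, t.block)
    return born


def fan_out_alerts(transfers, min_fresh_children=20, window_blocks=3) -> list:
    """Flag senders that fund >= min_fresh_children never-seen-before addresses
    within window_blocks. Returns [(sender, fresh_count, window_start_block)]."""
    born = first_funded(transfers)
    outs_by_src = defaultdict(list)
    for t in transfers:
        if born[t.dst] == t.block:        # recipient did not exist before this transfer
            outs_by_src[t.src].append(t)
    alerts = []
    for src, outs in outs_by_src.items():
        outs.sort(key=lambda t: t.block)
        best_count, best_start, lo = 0, None, 0
        for hi in range(len(outs)):       # sliding window over block numbers
            while outs[hi].block - outs[lo].block > window_blocks:
                lo += 1
            n = len({t.dst for t in outs[lo:hi + 1]})
            if n > best_count:
                best_count, best_start = n, outs[lo].block
        if best_count >= min_fresh_children:
            alerts.append((src, best_count, best_start))
    return alerts


def forward_trace(transfers, root, max_depth=10) -> dict:
    """BFS from root along outgoing transfers, honouring time: an address can only
    pass funds on in a block >= the one in which it received them.
    Returns {address: hop distance from root}. Real tracing also needs the
    intra-block transaction index and amounts; this follows reachability only."""
    outs_by_src = defaultdict(list)
    for t in transfers:
        outs_by_src[t.src].append(t)
    reached = {root: 0}
    queue = deque([(root, 0, 0)])         # (address, depth, block in which funds arrived)
    while queue:
        addr, depth, since = queue.popleft()
        if depth >= max_depth:
            continue
        for t in outs_by_src[addr]:
            if t.block >= since and t.dst not in reached:
                reached[t.dst] = depth + 1
                queue.append((t.dst, depth + 1, t.block))
    return reached


if __name__ == "__main__":
    txs = sample_transfers()
    print("fan-out alerts:", fan_out_alerts(txs))
    downstream = forward_trace(txs, "0x5d3")
    print(f"{len(downstream) - 1} addresses downstream of 0x5d3")
```

The exchange hot wallet in the sample also funds brand-new addresses in the same block, which is why the alert keys on the count of fresh children rather than on freshness alone; tuning that threshold against a chain's normal payout patterns is the real work, and the trace shows why the frontier (here 123 addresses after two hops) must be tracked as a set rather than a chain.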


Phase Six: THORChain—The Escape Mechanism


The true breakpoint occurred at THORChain.


THORChain is a decentralized protocol that supports cross-chain native asset swaps. You send ETH on Ethereum, and it gives you back BTC on the Bitcoin network.


On April 22nd alone, THORChain's 24-hour trading volume reached $4.6 billion, against a normal daily volume of around $15 million. In a single day this hack pushed the protocol to roughly 300 times its normal usage.



Within the same 24-hour window, the protocol earned a total of $494,000 in fees, distributed among bonders (node operators), liquidity providers, the development fund, affiliate integrators, and the marketing fund.


Simultaneously, funds also flowed through a set of smaller but complementary privacy paths:


· Umbra: A stealth-address protocol on Ethereum. The sender derives a fresh one-time address from the recipient's published keys and pays into it; only the recipient, scanning with their viewing key, can recognise the payment and derive the key that spends it. On-chain observers cannot tell who the real recipient is. Roughly $78,000 of initial activity was traced here before the trail was lost.

· Chainflip: Another cross-chain DEX, similar in pattern to THORChain.

· BitTorrent Chain: A low-cost, low-supervision sidechain connected to Tron.

· Tornado Cash: the same mixer used to pre-fund the gas wallets in Phase One. The U.S. Treasury sanctioned it in 2022 (the sanctions were lifted in March 2025); the contracts are immutable and run regardless.


Each additional protocol layer raises the cost of tracing by roughly an order of magnitude. After five layers, forensic firms can in theory still follow every fragment, but the cost of doing so exceeds what could be recovered.


Phase Seven: Bitcoin UTXO Fragmentation


Completing an ETH to BTC swap via THORChain is essentially turning money into confetti.


Ethereum uses an account model: your balance is a number attached to an address, simple to follow. Bitcoin uses the UTXO (Unspent Transaction Output) model: coins exist as discrete unspent outputs, each with its own transaction history. Every time bitcoin is spent, existing outputs are consumed and new ones created, splitting and recombining value.



Imagine tearing a $100 bill into 87 pieces, then tearing each piece into 87 more, and repeating that seven times. Technically, each fragment can still be traced back to the original bill. In practice, no forensic team can follow thousands of parallel chains in real time, reassemble the whole picture, and act quickly enough.


THORChain therefore does two things at once: it moves funds across a border that no sanctions regime can police, and it shreds them into dust that is impractical to trace.
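The "confetti" argument can be made precise with the two accounting rules investigators actually use for UTXO taint. The following is an added example, not code from the article or from any forensics vendor; the transactions are constructed (a tainted 100 BTC swap output, a clean 50 BTC coin, a 10-way split, a merge, another split). Under haircut accounting taint is diluted by value when tainted and clean inputs are merged; under poison accounting any tainted input taints every output fully. Either way, splitting never removes taint, and the number of outputs that must be watched grows with every level.

```python
"""Taint propagation through a constructed Bitcoin-style UTXO graph.

Added example; not code from the article or any forensics vendor. The
transactions are made up. It shows the two standard accounting rules
('haircut' dilution vs 'poison' all-or-nothing), why splitting never removes
taint, and how quickly the number of outputs to follow grows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((txid, vout), ...) spent by this tx; empty for a seed/coinbase
    outputs: tuple  # output amounts in BTC, indexed by vout


def sample_chain():
    """Constructed history: 100 BTC arriving from a swap (tainted), 50 clean BTC,
    a 10-way split of the tainted coin, a merge with the clean coin, a further split."""
    return [
        Tx("swap_out", (), (100.0,)),                                   # tainted seed
        Tx("clean_src", (), (50.0,)),                                   # clean seed
        Tx("split1", (("swap_out", 0),), tuple([10.0] * 10)),
        Tx("merge", (("split1", 0), ("clean_src", 0)), (30.0, 29.999)),  # 0.001 BTC fee
        Tx("split2", (("merge", 0),), (10.0, 10.0, 9.999)),
    ]


def propagate_taint(txs, seeds, policy="haircut"):
    """Return {(txid, vout): taint fraction in [0, 1]} for every output.
    seeds:   {(txid, vout): fraction} for seed outputs (anything unlisted is clean).
    haircut: each output inherits the value-weighted taint of the inputs.
    poison:  any tainted input taints every output fully.
    txs must be in chain order (parents before children)."""
    value, taint = {}, {}
    for tx in txs:
        for vout, amt in enumerate(tx.outputs):
            value[(tx.txid, vout)] = amt
        if not tx.inputs:
            for vout in range(len(tx.outputs)):
                taint[(tx.txid, vout)] = seeds.get((tx.txid, vout), 0.0)
            continue
        total_in = sum(value[ref] for ref in tx.inputs)
        tainted_in = sum(value[ref] * taint[ref] for ref in tx.inputs)
        if policy == "haircut":
            frac = tainted_in / total_in if total_in else 0.0
        elif policy == "poison":
            frac = 1.0 if tainted_in > 0 else 0.0
        else:
            raise ValueError(f"unknown policy {policy!r}")
        for vout in range(len(tx.outputs)):   # fee is simply lost value; taint fraction is unchanged
            taint[(tx.txid, vout)] = frac
    return taint


def outputs_to_follow(taint, threshold=0.0):
    """Number of outputs an investigator must keep watching."""
    return sum(1 for frac in taint.values() if frac > threshold)


def fragments_after(splits_per_level, levels):
    """Size of the frontier after repeated k-way splits: k ** levels."""
    return splits_per_level ** levels


if __name__ == "__main__":
    chain = sample_chain()
    seeds = {("swap_out", 0): 1.0}
    for policy in ("haircut", "poison"):
        t = propagate_taint(chain, seeds, policy)
        print(policy, "merge output taint:", round(t[("merge", 0)], 4),
              "| outputs to follow:", outputs_to_follow(t))
    print("87-way split, 7 levels ->", fragments_after(87, 7), "fragments")
```

Note the trade-off the two policies expose: haircut lets a launderer dilute each fragment below whatever threshold an exchange screens at by merging with clean coins, while poison avoids that but flags every coin that ever touched a tainted one, including innocent ones. Neither shrinks the frontier, which after the article's 87-way split repeated seven times is on the order of 10^13 outputs.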


Phase Eight: Tron USDT Orbit


After Bitcoin and the privacy layer, funds reconverge at one endpoint: USDT on Tron.


Most people assume the main laundering battlefield is BTC. It is not; the real battleground is USDT on Tron. By volume, illicit crypto transactions settled in USDT on Tron rank first every year, exceeding all other chains combined.


In the Kelp flow the path was: BTC bridged to Tron, swapped into USDT, then bounced repeatedly between Tron addresses. Each hop on Tron costs only a few cents, so adding another ten layers of fragmentation is practically free.


Phase Nine: Cashout—Cryptocurrency to Fiat


At the endpoint of each hack, funds flow through a specific, traceable human intermediary network to become fiat cash.


A group of over-the-counter (OTC) brokers active in mainland China and Southeast Asia receive USDT-Tron deposits and settle in local fiat cash. These brokers are essentially unlicensed underground banks. They aggregate funds flows from multiple clients (compliant and non-compliant), conduct internal offsetting, and settle in fiat through China's domestic payment network (UnionPay)—completely outside the SWIFT system and Western sanction enforcement reach.



From these broker-controlled accounts, funds flow into banks controlled by North Korea, usually held in the name of shell companies registered in Hong Kong, Macau, or a third-party jurisdiction. From these accounts, funds are routed back to Pyongyang through informal hawala-style clearing, physical cash transportation, and front company purchases.


The United Nations Security Council, FBI, and the U.S. Treasury Department have independently documented the final destination of these funds. North Korea's ballistic missile program, nuclear weapons development, and evasion of international sanctions rely on the continuous support of these fund flows.


A 2024 United Nations report estimated that cryptocurrency hacks account for about 50% of North Korea's total foreign exchange earnings, making it the primary funding source for North Korea's weapons program—surpassing the sum of coal exports, arms sales, and labor exports.

