How Was $292 Million Laundered from Theft Back into the Market?

Blowup Alert, 04-26 17:52

Introduction: On April 18, Kelp DAO suffered a breach resulting in the theft of approximately $292 million in assets. But within a fully transparent on-chain system, how exactly was this money systematically "laundered" into spendable value?

This article uses this incident as a lens to dissect a highly industrialized crypto laundering pipeline: from anonymous infrastructure preparedness before the attack, to leveraging Tornado Cash to sever on-chain linkages; from utilizing Aave and Compound to collateralize "tainted assets" and extract clean liquidity, to exploiting THORChain and cross-chain bridges combined with UTXO structures to exponentially amplify tracking difficulty—ultimately funneling funds into Tron’s USDT ecosystem and converting them into fiat cash via over-the-counter (OTC) networks.

In this process, there were no complex black-box operations—almost every step followed protocol rules. Precisely because of this, the path revealed is not a single-point vulnerability, but rather a structural tension inherent in DeFi’s open architecture, composability, and censorship resistance. When protocol design itself permits such operations, "recovering funds" ceases to be a technical challenge and becomes a systemic boundary issue.

The Kelp DAO incident is thus not merely a security breach—it functions as a stress test of crypto’s operational logic: it demonstrates how hackers can turn your money into theirs, and why, in principle, this process is nearly impossible to stop within the current system.

As you know, on April 18, a North Korean hacker stole $292 million from Kelp DAO. Five days later, more than half had already vanished: fragmented across thousands of wallets, converted through non-pausable protocols, and ultimately funneled into a very specific destination.

The intriguing part lies in how $292 million of traceable stolen crypto assets could be transformed into cash in Pyongyang’s pocket—with no one able to stop it.

The purpose of this article is to reveal how modern crypto laundering operates end to end, why it is structurally unpreventable, and where each dollar ends up once it has been washed clean.

Phase One: Preparation (Hours Before the Attack)

The attacker did not begin with direct theft. The Lazarus Group’s modus operandi always starts with infrastructure setup.

About 10 hours before the attack, eight brand-new wallets were pre-funded via Tornado Cash—a mixer that severs links between source and destination addresses.

Each wallet received 0.1 ETH, used to cover all subsequent Gas fees. Since these wallets’ funds originated from a mixer, they carry no exchange KYC records or transaction history, making them untraceable to any known entity—clean slates.

Shortly before the attack, the perpetrator initiated three cross-chain transfers from Ethereum mainnet to Avalanche and Arbitrum, clearly intended to pre-fund Gas on both destination chains and to test bridge operations so that large transfers would execute smoothly during the attack.

Phase Two: Theft

A dedicated attack-initiation wallet (0x4966…575e) invoked the `lzReceive` function on the LayerZero EndpointV2 contract. Because the validators had been successfully deceived, the call was treated as a legitimate cross-chain message, and Kelp's cross-chain adapter contract, Kelp DAO: RSETH_OFTAdapter (Etherscan address: 0x85d…), immediately released 116,500 rsETH to 0x8B1.

18% of all circulating rsETH. One function call. Gone.

46 minutes later, at 18:21 UTC, Kelp's emergency multisig paused the protocol. At 18:26 and 18:28 UTC, the attacker attempted the identical operation twice more, each time trying to steal ~40,000 rsETH (approx. $100 million per transaction). Both attempts reverted because of Kelp's timely shutdown. Without that intervention, the total theft could have approached $500 million.

Phase Three: Aave + Compound Operations

rsETH is a receipt token: its value collapses to zero once Kelp suspends cross-chain functionality or blacklists the stolen tokens. The attacker had only minutes to convert it into freeze-resistant assets. Kelp paused 46 minutes after the theft, too late.

Selling $292 million in illiquid restaking tokens directly on public markets would crash prices by over 30% within minutes. So instead, the attacker repurposed DeFi lending protocols as laundering tools and offloaded the assets rapidly.

The receiving wallet 0x8B1 distributed the 116,500 stolen rsETH across seven downstream wallets. Each then entered Aave and Compound V3, depositing part of the rsETH as collateral and borrowing ETH.

Total positions across the seven branches:

· Collateral deposited: 89,567 rsETH

· Borrowed: ~82,650 WETH + 821 wstETH, totaling ~$190 million in clean, liquid Ethereum assets

· Health factor set to 1.01–1.03 on each branch, as close to the liquidation threshold of 1.0 as the protocol allows, meaning every branch borrowed the maximum the collateral permitted

Using $292 million in marked, nearly worthless rsETH, the attacker obtained $190 million in ETH. When this rsETH is eventually priced at near-zero (because Kelp's cross-chain insolvency makes it impossible to redeem), the losses fall on the protocol's depositors.

As market awareness grew that Aave held over $200 million in bad debt, panic-driven withdrawals ensued. Aave lost $8 billion in TVL (Total Value Locked) within 48 hours. The largest DeFi lending protocol experienced its first true bank run—triggered entirely by an attacker operating strictly within protocol specifications.
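The mechanics behind the numbers above (a health factor pinned just above 1.0 on every branch, and bad debt that lands on depositors once the collateral reprices) can be shown in a few lines of arithmetic. The block below is an added example, not Aave's or Compound's code, and every figure in it is constructed: the collateral amounts, the $2,500 price, the 0.80 liquidation threshold and the wallet names are assumptions, not the protocols' real risk parameters. It computes an Aave-style health factor, the shortfall a protocol would absorb if a collateral asset went to a given price, and a simple monitor that flags several near-liquidation positions on the same collateral opened within a short window, which is the signature of one actor splitting a maxed-out borrow across fresh wallets.

```python
"""Health-factor arithmetic and a cluster check for lending positions.
Added example; every number here is constructed, not a protocol's actual risk parameters."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    wallet: str
    collateral_asset: str
    collateral_amount: float      # tokens deposited as collateral
    collateral_price_usd: float   # oracle price per token (constructed)
    liquidation_threshold: float  # fraction, e.g. 0.80 means 80% (constructed)
    debt_usd: float               # borrowed value at current prices
    opened_at: int                # unix time the position was opened


def health_factor(p: Position) -> float:
    """Aave-style health factor: liquidation-weighted collateral value divided by debt.
    At 1.0 the position becomes liquidatable, so 1.01-1.03 means the borrow was maxed out."""
    if p.debt_usd <= 0:
        return float("inf")
    return p.collateral_amount * p.collateral_price_usd * p.liquidation_threshold / p.debt_usd


def bad_debt_usd(positions, asset: str, new_price_usd: float) -> float:
    """Debt that liquidation can no longer cover if `asset` reprices to new_price_usd,
    e.g. a receipt token whose redemption has been frozen. The shortfall lands on depositors."""
    total = 0.0
    for p in positions:
        if p.collateral_asset == asset:
            total += max(0.0, p.debt_usd - p.collateral_amount * new_price_usd)
    return total


def maxed_clusters(positions, hf_ceiling=1.05, window_s=3600, min_size=3):
    """Groups of >= min_size near-liquidation positions on the same collateral that were
    opened within window_s of each other. Returns {asset: sorted wallet list}."""
    by_asset = defaultdict(list)
    for p in positions:
        if health_factor(p) < hf_ceiling:
            by_asset[p.collateral_asset].append(p)
    flagged = {}
    for asset, ps in by_asset.items():
        ps.sort(key=lambda q: q.opened_at)
        members, i = set(), 0
        for j in range(len(ps)):
            while ps[j].opened_at - ps[i].opened_at > window_s:
                i += 1
            if j - i + 1 >= min_size:          # sliding window is large enough
                members.update(q.wallet for q in ps[i:j + 1])
        if members:
            flagged[asset] = sorted(members)
    return flagged


# Constructed sample: seven "branch" wallets opened minutes apart, each borrowing the maximum,
# plus two unrelated positions as controls.
T0 = 1_700_000_000
BRANCHES = [Position(f"branch-{i}", "rsETH", 10_000, 2_500, 0.80, 19_600_000, T0 + i * 300)
            for i in range(7)]
CONTROLS = [
    Position("retail-1", "rsETH", 10_000, 2_500, 0.80, 5_000_000, T0 - 86_400),  # HF 4.0, healthy
    Position("whale-1", "WETH", 4_000, 2_500, 0.83, 8_200_000, T0),             # maxed, but alone
]
POSITIONS = BRANCHES + CONTROLS

if __name__ == "__main__":
    for p in BRANCHES[:2]:
        print(p.wallet, round(health_factor(p), 3))
    print("clusters:", maxed_clusters(POSITIONS))
    print("bad debt if rsETH -> $0:", bad_debt_usd(POSITIONS, "rsETH", 0.0))
```

With these constructed inputs every branch sits at a health factor of about 1.02, the seven of them are reported as one cluster on rsETH while the lone maxed-out WETH position is not, and a repricing of rsETH to zero leaves the full borrowed amount (plus the healthy retail position's debt) uncovered. A real monitor would read positions from the protocol's subgraph or events and use the protocol's published liquidation thresholds rather than the assumed ones here.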

Phase Four: Fund Consolidation & Fragmentation

After completing Aave/Compound borrowing, the seven branches pushed their borrowed ETH to a third-layer consolidation wallet (0x5d3).

The entire operation cluster now displayed a clear three-tier structure:

1. Receiving: 0x8B1 (also pre-funded via Tornado Cash), which received the original 116,500 stolen rsETH

2. Operational: Seven branch wallets, each pre-funded via Tornado Cash, executing Aave/Compound operations

3. Consolidation: 0x5d3 aggregates ~71,000 ETH in borrowed funds, centralizing them into the laundering pipeline

Funds were subsequently distributed across two chains:

· 75,700 ETH remained on Ethereum mainnet

· 30,766 ETH on Arbitrum (~$71 million)

The Arbitrum Security Council voted to freeze the Arbitrum portion, transferring the $71 million to a governance-controlled wallet that stays locked until a future governance vote releases it.

Shortly after the freeze, the hacker immediately moved the remaining ETH on mainnet and accelerated the laundering process. This reaction suggests the attacker had not anticipated Arbitrum's response.

Phase Five: First Wave of Laundering

Four days after the attack, wallet 0x5d3 began clearing out. Arkham tracked three distinct transfers within hours.

Timing was deliberately chosen: European trading hours on Tuesday. U.S. investigators were still off-duty, European compliance teams were handling Monday’s backlog, and Asian exchanges were nearing close.

Then, the transfer pattern exploded. Each initial destination immediately propagated further: 0x62c7 pushed funds to ~60 newly generated wallets, 0xD4B8 to another ~60. Within hours, the originally clean 10-wallet cluster expanded into over 100 one-time-use addresses, all simultaneously funded, each holding amounts too small to trigger detection.

Lazarus ran HD wallet scripts—using a single mnemonic, thousands of new addresses can be mathematically derived in seconds—combined with a worker pool (Python + web3, ethers.js, or proprietary internal tools) to parallel-sign and broadcast the entire address tree. This codebase has been iterated since 2018.

By the end of this phase, linear traceability had vanished. The 10-wallet cluster exploded into over 100 fragmented wallets, with funds simultaneously entering privacy channels from dozens of independent entry points.
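Two of the patterns described so far are mechanical enough to check automatically: the Phase One "clean slate" wallets whose very first inbound transfer comes from a mixer contract, and the Phase Five burst in which one wallet funds dozens of never-before-seen addresses within hours. The block below is an added example of transfer-graph heuristics for both, not code from Arkham or any other tracing vendor. All addresses and transfers in it are constructed labels (`0xMIXER`, `0xVICTIM`, `0xEXCHANGE` and the `0xA…`/`0xC…` wallets are placeholders, not real on-chain addresses), and the window and threshold values are assumptions a real deployment would tune.

```python
"""Transfer-graph heuristics: mixer-funded fresh wallets and fan-out bursts.
Added example with constructed data; the addresses are labels, not real on-chain addresses."""
from collections import defaultdict, deque

MIXER = "0xMIXER"        # placeholder for a known mixer contract
VICTIM = "0xVICTIM"      # placeholder for the drained adapter contract
EXCHANGE = "0xEXCHANGE"  # placeholder for a benign exchange hot wallet (control case)

# Constructed transfer log: (timestamp, sender, receiver, value).
TRANSFERS = [
    (0,     MIXER, "0xA1", 0.1),          # three wallets pre-funded with gas from the mixer
    (10,    MIXER, "0xA2", 0.1),
    (20,    MIXER, "0xA3", 0.1),
    (0,     EXCHANGE, "0xE1", 5.0),       # an exchange paying out to three users over a day
    (7200,  EXCHANGE, "0xE2", 5.0),
    (86400, EXCHANGE, "0xE3", 5.0),
    (36000, VICTIM, "0xA1", 1000.0),      # the theft lands in a mixer-funded wallet
    (36100, "0xA1", "0xA2", 500.0),       # split to two already-prepared wallets
    (36100, "0xA1", "0xA3", 500.0),
    (36200, "0xA3", "0xD00", 500.0),
]
# 0xA2 sprays its half across twelve brand-new addresses, one per minute.
TRANSFERS += [(36200 + i * 60, "0xA2", f"0xC{i:02d}", 40.0) for i in range(12)]


def first_funder(transfers):
    """Sender and timestamp of each address's first inbound transfer."""
    first = {}
    for ts, src, dst, _ in sorted(transfers):
        first.setdefault(dst, (src, ts))
    return first


def mixer_funded(transfers, mixers):
    """Addresses whose very first funding came straight from a mixer: the 'clean slate' wallets."""
    return {addr for addr, (src, _) in first_funder(transfers).items() if src in mixers}


def fanout_bursts(transfers, window_s=3600, min_children=10):
    """Senders that create >= min_children previously unseen addresses within any window_s span.
    Returns {sender: largest number of fresh children funded inside one window}."""
    children = defaultdict(list)
    for addr, (src, ts) in first_funder(transfers).items():
        children[src].append(ts)
    bursts = {}
    for src, times in children.items():
        times.sort()
        i, best = 0, 0
        for j, t in enumerate(times):          # sliding window over first-funding times
            while t - times[i] > window_s:
                i += 1
            best = max(best, j - i + 1)
        if best >= min_children:
            bursts[src] = best
    return bursts


def expand_cluster(transfers, seeds):
    """Follow outgoing transfers from the seed wallets to collect every address the funds reached."""
    out = defaultdict(set)
    for _, src, dst, _ in transfers:
        out[src].add(dst)
    seen, queue = set(seeds), deque(seeds)
    while queue:
        a = queue.popleft()
        for b in out[a]:
            if b not in seen:
                seen.add(b)
                queue.append(b)
    return seen


if __name__ == "__main__":
    seeds = mixer_funded(TRANSFERS, {MIXER})
    print("mixer-funded:", sorted(seeds))
    print("fan-out bursts:", fanout_bursts(TRANSFERS))
    print("cluster size:", len(expand_cluster(TRANSFERS, seeds)))
```

On the constructed log the three mixer-funded wallets are picked out before the theft happens, `0xA2` is reported as a fan-out burst of twelve fresh children while the exchange's three payouts spread over a day are not, and walking forward from the seeds recovers the whole sixteen-address cluster. In production the forward walk needs a stop list of known contracts and exchange deposit addresses, otherwise a single payout to an exchange would pull the exchange's entire graph into the cluster.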

Phase Six: THORChain — The Escape Machine

The critical break occurred at THORChain.

THORChain is a decentralized protocol enabling native cross-chain asset swaps: send ETH on Ethereum, receive BTC on the Bitcoin network.

On April 22 alone, THORChain's 24-hour volume reached $460 million, roughly 30 times its normal daily average of about $15 million. In other words, this single attack drove 30× the protocol's typical usage.

Within the same 24-hour window, the protocol generated $494,000 in revenue, distributed among bonder nodes, liquidity providers, development fund, alliance integrators, and marketing fund.

Meanwhile, funds also flowed in parallel through a set of smaller but complementary privacy pathways:

· Umbra: An on-chain stealth address protocol on Ethereum. Allows sending funds to ephemeral addresses, recoverable only by the recipient using a shared secret key. On-chain monitors cannot determine the real destination. Initial activity (~$78,000) was traced, but tools lost track shortly thereafter.

· Chainflip: Another cross-chain DEX, operating under a similar model to THORChain.

· BitTorrent Chain: A low-cost, lightly regulated sidechain connected to Tron.

· Tornado Cash: The same mixer used for initial Gas pre-funding. Listed under sanctions by the U.S. Treasury in 2022.

Each layer increases tracing cost by roughly 10×. After five layers, while forensic firms can theoretically trace every fragment, the economic cost exceeds the recoverable value.

Phase Seven: Bitcoin UTXO Fragmentation

Completing ETH-to-BTC swaps via THORChain effectively turns money into confetti.

Ethereum uses an account model: your balance is a number attached to an address, simple and direct. Bitcoin differs. It uses the UTXO (Unspent Transaction Output) model, in which each UTXO is a discrete chunk of coin with its own complete transaction history, and every spend consumes some of these chunks and reassembles them into new outputs.

Imagine tearing a $100 bill into 87 pieces, then tearing each piece into 87 more, repeating this seven times. Technically, every fragment traces back to the original bill. Practically, no human forensic team can track thousands of parallel chains in real time and reconstruct the full picture fast enough to act.

Thus, THORChain simultaneously achieved two things: crossing borders beyond any sanction’s reach, and fragmenting funds into untraceable dust.
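The "torn bill" analogy above describes exactly what a forensic analyst has to reconstruct: how much of each surviving output can be attributed to the stolen coins after repeated splitting and mixing with clean inputs. The block below is an added example of the standard "haircut" taint rule (each output inherits the value-weighted taint of its transaction's inputs); it is not THORChain's, Bitcoin Core's or any tracing vendor's code. The transactions are constructed (a stolen coin merged with a clean one, then split three ways, three levels deep), and the txids, values and tree shape are assumptions chosen to make the arithmetic checkable by hand.

```python
"""Haircut taint propagation over a constructed UTXO graph.
Added example; transactions, txids and values are constructed, not real Bitcoin data."""


def build_tx(txid, inputs, outputs):
    """Minimal transaction record: inputs are (txid, vout) outpoints, outputs are satoshi values."""
    return {"txid": txid, "inputs": list(inputs), "outputs": list(outputs)}


def fragment_tree(root, root_value, depth, fanout, prefix="f"):
    """Constructed splitting tree: every output is re-spent into `fanout` equal outputs,
    repeated `depth` times. Produces fanout**depth leaf outputs (fees ignored)."""
    txs, frontier = [], [(root, root_value)]
    for level in range(depth):
        nxt = []
        for n, (outpoint, val) in enumerate(frontier):
            txid = f"{prefix}{level}_{n}"
            piece = val // fanout
            txs.append(build_tx(txid, [outpoint], [piece] * fanout))
            nxt += [((txid, i), piece) for i in range(fanout)]
        frontier = nxt
    return txs


def propagate_taint(txs, tainted_sources):
    """Haircut rule: an output's taint is the value-weighted average taint of the tx's inputs.
    `txs` must be ordered so that every parent precedes the transactions spending it."""
    value, taint = {}, {}
    for tx in txs:
        for i, v in enumerate(tx["outputs"]):
            value[(tx["txid"], i)] = v
    for tx in txs:
        if tx["inputs"]:
            in_val = sum(value[ip] for ip in tx["inputs"])
            frac = sum(value[ip] * taint[ip] for ip in tx["inputs"]) / in_val
        else:
            frac = 0.0                      # freshly created coin carries no taint by itself
        for i in range(len(tx["outputs"])):
            op = (tx["txid"], i)
            taint[op] = 1.0 if op in tainted_sources else frac
    return taint, value


def unspent(txs):
    """Outpoints that no transaction in the set has consumed."""
    spent = {ip for tx in txs for ip in tx["inputs"]}
    return [(tx["txid"], i) for tx in txs for i in range(len(tx["outputs"]))
            if (tx["txid"], i) not in spent]


def tainted_summary(txs, tainted_sources, threshold=0.01):
    """How many live UTXOs an analyst must now follow, and how much stolen value they carry."""
    taint, value = propagate_taint(txs, tainted_sources)
    utxos = unspent(txs)
    flagged = [op for op in utxos if taint[op] >= threshold]
    return {"utxos": len(utxos), "flagged": len(flagged),
            "tainted_value": sum(value[op] * taint[op] for op in utxos)}


# Constructed scenario: 1 BTC of stolen coin (src) is merged with 1 BTC of clean coin,
# then the larger output is split 3 ways at each of 3 levels (27 leaves).
STOLEN = ("src", 0)
TXS = [
    build_tx("src", [], [100_000_000]),
    build_tx("clean", [], [100_000_000]),
    build_tx("mix", [STOLEN, ("clean", 0)], [135_000_000, 65_000_000]),
]
TXS += fragment_tree(("mix", 0), 135_000_000, depth=3, fanout=3)

if __name__ == "__main__":
    taint, _ = propagate_taint(TXS, {STOLEN})
    print("taint of a leaf:", taint[("f2_8", 2)])
    print(tainted_summary(TXS, {STOLEN}))
```

Merging one stolen and one clean coin of equal size leaves every downstream output 50% tainted under the haircut rule, so after three levels of three-way splits the analyst is tracking 28 live UTXOs instead of one, yet the tainted value they carry still sums to exactly the 100,000,000 satoshis that were stolen: the haircut rule conserves tainted value, which is what makes it useful for recovery estimates. Scaling the constructed tree to the article's figures (87 pieces, repeated seven times) gives 87**7 leaf outputs, which is the practical limit the text describes.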

Phase Eight: Tron USDT Pipeline

After Bitcoin and privacy layers, funds reconverge at a single endpoint: USDT on Tron.

Most assume the primary laundering battlefield is BTC—this is incorrect. The true battleground is USDT on Tron. Data shows USDT-Tron annually handles the highest volume of illicit crypto transactions, surpassing the sum of all other chains combined.

In this Kelp DAO flow, the path was: BTC bridged to Tron, converted to USDT, then shuffled multiple times across Tron addresses. Each hop on Tron costs mere fractions of a cent—enabling the addition of ten more layers of fragmentation.

Phase Nine: Withdrawal — Crypto to Cash

Every hacking attack ends with funds passing through a specific, well-documented network of human intermediaries to become fiat cash.

A group of OTC brokers active in mainland China and Southeast Asia accepted USDT-Tron deposits, settling in local currency cash. These brokers function as unlicensed underground banks. They aggregate funds from multiple clients (compliant and non-compliant), net them internally, and settle in fiat via China’s domestic payment network (UnionPay)—operating entirely outside the SWIFT system and Western sanctions enforcement.

From accounts controlled by these brokers, funds flow into North Korea-controlled bank accounts—typically held under shell companies registered in Hong Kong, Macau, or third-party jurisdictions. From there, funds are routed back to Pyongyang through informal hawala-style settlements, physical cash shipments, and procurement of front companies.

The UN Security Council, FBI, and U.S. Treasury have independently documented the final destinations of these funds. North Korea’s ballistic missile program, nuclear weapons development, and evasion of international sanctions rely entirely on the sustained flow of such capital.

The 2024 UN report estimates that crypto hacking attacks account for about 50% of North Korea’s total foreign exchange income, making it the primary funding source for its weapons programs—surpassing coal exports, arms sales, and labor exports combined.

Source: BlockBeats
