Overview
- The breach began when attackers exploited Kelp DAO’s LayerZero bridge configuration to remove about 116,500 rsETH in a April 18 attack that converted to roughly $292–$293 million in losses.
- Arbitrum’s Security Council froze roughly 30,000 ETH — about $71 million — on April 21, creating the only sizable pool still on‑chain and reachable for recovery efforts.
- Blockchain forensics show the perpetrators routed nearly all other accessible funds through THORChain, Wasabi CoinJoin, Tornado Cash and Umbra, leaving roughly $1.7 million still traceable to original attacker wallets.
- Kelp DAO finished compensating users and migrated its rsETH bridge to Chainlink CCIP as part of a wider DeFi move away from the vulnerable LayerZero setup.
- The frozen $71 million is now contested in U.S. courts by parties including families holding judgments against North Korea, and investigators warn the rapid, multi‑service laundering has effectively closed normal on‑chain recovery routes.