From Theft to Re-entry: How Was $292 Million "Laundered"?
A sophisticated crypto laundering operation was executed following the $292 million hack of Kelp DAO on April 18. The attack, attributed to the North Korean Lazarus group, began with anonymous infrastructure preparation using Tornado Cash to fund wallets untraceably.
The hacker exploited a vulnerability in Kelp’s cross-chain bridge, stealing 116,500 rsETH. To avoid crashing the market, the attacker used Aave and Compound as laundering tools—depositing the stolen rsETH as collateral to borrow $190 million in clean, liquid ETH. This move triggered a bank run on Aave, causing an $8 billion drop in TVL.
After consolidating funds, the attacker fragmented them across hundreds of wallets to evade detection. A major breakpoint was THORChain, where over $460 million in volume—30 times its usual activity—was processed in 24 hours, converting ETH into Bitcoin. This shift to Bitcoin’s UTXO model exponentially increased tracing complexity by shattering funds into countless untraceable fragments.
The final destination was Tron-based USDT, the primary channel for illicit crypto flows. From there, funds were cashed out via OTC brokers in China and Southeast Asia, using unlicensed underground banks and UnionPay networks outside Western sanctions scope. Ultimately, the laundered money supports North Korea’s weapons programs, which rely heavily on crypto hacking for foreign currency.
The incident underscores structural challenges in DeFi: its openness, composability, and lack of central control make such laundering not just possible, but inherently difficult to prevent.
marsbit04/26 07:12
