The return of funds after the Kelp DAO hack is becoming increasingly unlikely. According to Arkham and on-chain analysts, over six weeks the attacker has moved almost all of the roughly $220 million that could not be frozen after the attack out of direct tracking.
[Image: Kelp DAO wallet with hacker tag, total balance.]
Only about $1.7 million in traceable assets remain in the wallet linked to the hacker. The rest passed through several routes between networks and mixing services. For victims, this means the main hope now lies not in recovering all stolen funds, but in the frozen portion of $71 million.
The Majority of Funds Went Through Mixers
The attack on Kelp DAO occurred on April 18. At that time, 116,500 rsETH were withdrawn from the protocol, with total losses estimated at $293 million. This incident became one of the largest hacks of the month and sharply increased April’s crypto industry loss statistics.
The unfrozen portion of the funds moved through a complex scheme. According to on-chain analyst Specter, the assets were first converted to bitcoin and passed through Wasabi, then some funds returned to Ethereum and went through Tornado Cash. Such a chain reduces the chances of linking the original assets to the final wallets.
The logic of this scheme is simple. The hacker breaks the transparent transaction history by moving funds between networks and mixing them with other people’s transactions. After that, even a public blockchain no longer provides as clear a picture as in the first days after the hack.
Frozen $71 Million Is the Main Hope for Recovery
Separately, $71 million remains, which the Arbitrum Security Council froze on April 21. These funds did not go through laundering routes and are now the main resource for compensating affected users.
Previously, Kelp DAO management and a US court approved the transfer of the frozen assets to a multisig wallet under Aave’s control. These funds are to be used for rsETH recovery. The next hearing on asset claims is scheduled for Friday in New York.
This is an important episode for the industry. If the frozen portion can be used to restore balances, DeFi will have an example of how protocols, governance structures, and courts can act together after a major attack. At the same time, most of the damage has already moved beyond the reach of a simple technical return.
Kelp DAO Restores rsETH, but the Problem Remains
Kelp DAO has already completed an important stage of restoring its restaked Ether token. The final tranche of 20,373.7 rsETH was sent to the LayerZero smart contract, which is responsible for locking, minting, burning, and unlocking the token during cross-chain transfers.
This step helped stabilize rsETH itself after the attack. However, restoring the token does not equal returning all stolen funds. The protocol can restore infrastructure functionality, but it cannot automatically retrieve assets that have already gone through bitcoin mixers and Tornado Cash.
That is why the Kelp DAO case has become illustrative for DeFi. Technical recovery can be successful, but the financial loss for users still remains partially irrecoverable. The faster the hacker covers their tracks, the less room there is for recovery.
May Statistics Improved, but Risk Remains
In May, losses from crypto hacks dropped sharply. According to CertiK, exploit losses totaled $68.3 million, almost 90% less than in April. Phishing attacks accounted for about $2.6 million, and about $9.4 million was recovered or restored.
These statistics look better, but they do not change the overall conclusion. One major hack can quickly erase positive momentum and put DeFi security back at the center of discussion. Kelp DAO was just such a case.
After the attack, many protocols began to review their cross-chain infrastructure. The main question now is not only which bridge or oracle is used, but how many layers of verification stand between a configuration error and the loss of assets.
Protocols Move to Chainlink CCIP
After the hack, some projects began changing their cross-chain solutions. Solv Protocol and Tydro switched to Chainlink Cross-Chain Interoperability Protocol (CCIP), aiming to improve the reliability of message verification between networks.
Kelp DAO also moved rsETH to Chainlink CCIP. The project abandoned its previous LayerZero-based scheme after linking the incident to weaknesses in its cross-chain setup. This does not mean automatic admission of fault by the infrastructure provider, but it shows that the market has started to change critical elements more quickly after major attacks.
LayerZero stated that the cause of the hack was related to Kelp DAO’s implementation. According to the company, the project used a single DVN as the only confirmed path, although such a configuration was not previously recommended. This is the main lesson: even strong infrastructure becomes vulnerable if the project leaves a single critical point of failure in the system.
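An added example, not taken from the article or from LayerZero or Kelp DAO code: a check that flags cross-chain pathways where one party can approve a message alone, the single point of failure described above. The config schema, verifier names and operator mapping are constructed for illustration and are not any provider's real format; counting by operator rather than by verifier goes slightly beyond the article.

```python
# Added example. Schema, verifier names and operators are hypothetical (constructed).
from itertools import combinations

# Constructed mapping: which organisation runs each verifier.
OPERATORS = {"dvn-a": "op1", "dvn-b": "op1", "dvn-c": "op2", "dvn-d": "op3"}

# Constructed pathway rules: every "required" verifier must sign, plus
# "optional_threshold" of the "optional" ones.
PATHWAYS = {
    "eth->arb": {"required": ["dvn-a"]},
    "eth->base": {"required": ["dvn-a", "dvn-b"]},
    "eth->op": {"required": ["dvn-a"], "optional": ["dvn-c", "dvn-d"],
                "optional_threshold": 1},
    "eth->linea": {"required": ["dvn-c"], "optional": ["dvn-d"],
                   "optional_threshold": 2},
}

def min_operators_to_approve(cfg, operators):
    """Fewest distinct operators whose signatures satisfy the rule.
    Returns None when the rule can never be satisfied."""
    required = set(cfg["required"])
    optional = set(cfg.get("optional", [])) - required  # overlap adds nothing
    threshold = cfg.get("optional_threshold", 0)
    if threshold > len(optional):
        return None
    # Try every way of meeting the optional threshold; keep the cheapest.
    return min(
        len({operators[v] for v in required | set(picked)})
        for picked in combinations(sorted(optional), threshold)
    )

def audit(pathways, operators, minimum=2):
    """Return (pathway, finding) for each rule weaker than `minimum` operators."""
    findings = []
    for name, cfg in pathways.items():
        n = min_operators_to_approve(cfg, operators)
        if n is None:
            findings.append((name, "threshold can never be met"))
        elif n < minimum:
            findings.append((name, f"{n} operator(s) can approve alone"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(PATHWAYS, OPERATORS):
        print(f"{name}: {finding}")
```

Two verifiers run by the same operator ("eth->base") are reported the same way as a single verifier, because they fail together.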
One Weak Element Can Cost Hundreds of Millions
The Kelp DAO story shows how costly mistakes in cross-chain architecture can be. When a protocol operates in multiple networks at once, security depends not on a single contract, but on the entire chain of checks, bridges, validators, and emergency procedures.
If one part of this chain becomes the only confirmation channel, the risk rises sharply. A hacker only needs to find a weak spot in the setup to access assets users thought were protected. After that, a race begins between protocol teams, analysts, courts, and the services through which funds are withdrawn.
For users, this changes the criteria for evaluating DeFi projects. Yield and TVL size are no longer enough. Security architecture is becoming increasingly important: who verifies cross-chain messages, how many confirmation layers are used, and whether there is a quick freeze mechanism for funds.
What’s Next?
The next developments depend on the court in New York and the fate of the frozen $71 million. This amount remains the main source of possible compensation after the unfrozen $220 million passed through complex laundering routes.
For Kelp DAO, the task is now broader than restoring rsETH. The protocol needs to regain user trust and prove that the new infrastructure reduces the risk of a repeat attack. For all of DeFi, this case is another reminder: cross-chain solutions remain one of the most vulnerable parts of the market.
Even the drop in hacks in May does not eliminate this problem. Hackers have become faster at moving assets, and protocols often react only after most funds have gone through mixers. Until this changes, every major exploit will turn not only into a technical incident, but also into a long struggle for the remaining liquidity.
