Laundering of the proceeds from Saturday’s $290 million rsETH hack is effectively and actually underway, and state-sponsored North Korean hacking collective Lazarus Group is suspected to be behind the theft, given the commingling of funds with different TraderTraitor-related hacks, BTC Turk and ByBit.
As with earlier incidents, the culprits have taken to funneling huge volumes by way of blockchain bridges. The instruments used thus far even embody LayerZero, the bridging protocol from which the $290 million rsETH had been initially stolen.
LayerZero is getting used to launder proceeds from the Layerzero/KelpDAO hack.
$500K was simply moved by way of LZ.
Deal with:
0x4D5A08A96D644d7CA7F4541E1512a53D55aA5842
Vacation spot:
TLTCf565jGgSeCsUhBpWuPhrrHcGGX9ekT
— Specter (@SpecterAnalyst) April 22, 2026
The efforts started shortly after Arbitrum’s Safety Council rescued over 30,000 ether (ETH), slashing the hackers’ realized revenue from $245 million to round $175 million.
One on-chain analyst, who goes by “Specter,” claims to have tracked over 1,600 transactions by way of 370 addresses within the first 12 hours of laundering. That’s a mean of 1 transaction each 25 seconds.
As of Wednesday morning, they tallied $116 million as having been laundered to bitcoin (BTC), with one other pockets at present holding $61 million nonetheless to go.
Blended reactions
The tasks behind the bridges themselves have responded in another way to the ill-gotten positive factors flowing by way of their tech.
THORChain, as normal, washed its fingers of accountability, with various levels of diplomacy.
THORChain was modelled after Bitcoin, to be permissionless and censorship resistant.
There’s no single individual or entity answerable for the protocol. There’s no admin key. There’s no 2-of-3 multisig. At present, there’s 95 nodes unfold globally that management the community. For the… pic.twitter.com/Za2Obrh9dO
— THORChain (@THORChain) April 21, 2026
Specter estimates that 99% of the laundered funds flowed by way of THORChain, whose dashboard reveals over $100,000 of affiliate charges earned on Tuesday.
Whereas THORChain’s bridging infrastructure is decentralized throughout a community of 95 lively nodes, affiliate charges come from use of its entrance finish. Blockchain investigator Tanuki42 places the current charges at greater than double year-to-date income.
In trying to defend THORChain’s lack of ability to forestall illicit use, founder JP let slip that the protocol held an admin key for a few years.
Did you actually simply by accident say that Thorchain was centralized for all of these years whereas DPRK laundered hundred of hundreds of thousands whereas raking in hundreds of thousands of charges with an admin key you held in your possession?.
Can not wait till your publish reveals up in an court docket indictment one…
— ZachXBT (@zachxbt) April 22, 2026
No let up
The DeFi sector has confronted two catastrophic hacks thus far this month, with mixed losses of effectively over half a billion {dollars}.
On high of this, a slew of smaller incidents additionally proceed to batter group morale.
Whereas DeFi customers and builders alike are nonetheless reeling from the fallout of Saturday’s incident, simply final night time an additional $3.5 million was misplaced.
🔒 Safety Incident Replace – Volo Protocol
We wish to tackle our group immediately and transparently a couple of safety incident that occurred earlier at present. Relaxation assured, Volo is ready to soak up any loss.
What occurred:
An exploit resulted within the elimination of roughly…
— Volo (@volo_sui) April 21, 2026
Because the hack, Volo has supplied two separate updates, informing customers it had recovered $500,000, after which 19.6 BTC ($1.3 million).
As if close to fixed multi-million greenback hacks weren’t sufficient to fret about, ongoing phishing campaigns proceed to hook victims.
In a span of simply 11 hours, 4 victims reportedly misplaced nearly $600,000 to the identical drainer contract.
