Lazarus Group Suspected in $290 Million rsETH Hack Laundering

The laundering of proceeds from the $290 million rsETH hack on April 19, 2026, is underway, with the state-sponsored North Korean hacking collective Lazarus Group suspected of orchestrating the theft. Investigators have identified commingling of funds with other TraderTraitor-related hacks, including those targeting BTC Turk and ByBit.

Bridges, Including LayerZero, Used for Money Laundering

As with previous incidents, the hackers are funneling large volumes of stolen funds through blockchain bridges. Notably, LayerZero, the protocol from which the $290 million in rsETH was originally stolen, is itself being exploited to launder proceeds from the LayerZero/KelpDAO hack.

A recent transaction moved $500,000 via LayerZero:

Address: 0x4D5A08A96D644d7CA7F4541E1512a53D55aA5842
Destination: TLTCf565jGgSeCsUhBpWuPhrrHcGGX9ekT

Massive Scale of Laundering Operations

On-chain analyst Specter has tracked over 1,600 transactions across 370 addresses in the first 12 hours of laundering, averaging one transaction every 25 seconds. As of Wednesday morning, $116 million had been laundered into Bitcoin (BTC), with an additional $61 million still pending conversion.

DeFi Sector Reacts to Illicit Bridge Usage

Blockchain projects have responded differently to the flow of illicit funds through their platforms:

Umbra Acknowledges $800K in Illicit ETH

Umbra, a privacy protocol, confirmed that $800,000 worth of ETH had passed through its system. While the project emphasized its inability to halt illicit use of its autonomous smart contracts, it temporarily disabled its hosted front end by placing it in "maintenance mode."

THORChain’s Mixed Response and Centralization Concerns

THORChain, which markets itself as a permissionless and censorship-resistant protocol, distanced itself from responsibility:

THORChain was modelled after Bitcoin, to be permissionless and censorship resistant. There’s no single person or entity in control of the protocol. There’s no admin key. There’s no 2-of-3 multisig. Currently, there’s 95 nodes spread globally that control the network.

However, on-chain investigator Tanuki42 revealed that THORChain had held an admin key for years, raising questions about its decentralization. Specter estimates that 99% of laundered funds flowed through THORChain, which earned over $100,000 in affiliate fees on Tuesday—more than double its year-to-date revenue.

Did you really just accidentally say that Thorchain was centralized for all of those years while DPRK laundered hundreds of millions while raking in millions of fees with an admin key you held in your possession?

DeFi Sector Faces Growing Security Challenges

The DeFi sector has suffered two major hacks this month, with combined losses exceeding $500 million. The rsETH hack follows the $11 million Garden hack, which occurred shortly after Arbitrum’s Security Council intervened to recover over 30,000 ETH, reducing the hackers’ realized profit from $245 million to approximately $175 million.

Source: Protos