TL;DR - Your wallet can get flagged over a bridge hack without ever touching the bridge, because exchanges screen for indirect exposure through wallets that later received the stolen funds.
Getting flagged doesn't require using the hacked bridge yourself. It requires being a few hops downstream from a wallet that did, and most bridge-hack writeups skip that part entirely - they cover the exploit, not what happens to everyone who touched the money afterward.
What happened in the KelpDAO bridge hack?
On April 18, 2026, attackers linked to North Korea's Lazarus Group - specifically its TraderTraitor unit - stole 116,500 rsETH, about $292 million, from KelpDAO's LayerZero-based bridge. It wasn't a smart-contract bug. The attackers compromised LayerZero's internal RPC nodes, ran a DDoS attack against the external ones, and fed forged burn data to the single Decentralized Verifier Network approving withdrawals. The bridge paid out real ETH against a burn that never happened.
A follow-up attempt to drain another 40,000 rsETH, roughly $95 million, got caught before it went through. That didn't stop the first payout. On April 20, the Arbitrum Security Council froze 30,766 ETH sitting at a consolidation address tied to the exploiter, after the attacker had already routed funds through a chain of wallets to get there.
How can a bridge hack reach a wallet that never used it?
Stolen funds move. Lazarus-linked wallets almost never sit still with what they've taken - the money gets split across dozens of addresses, run through a mixer or a cross-chain swap, and lands in wallets that have never heard of KelpDAO. Screening engines track that path in hops: one hop is a direct transfer from the flagged address, two hops means one wallet removed, and so on. Plastron's own address corpus carries 121 wallets tagged specifically as hack_exploit out of roughly 3,901 labeled addresses total, and each of those tags can propagate exposure outward for several hops before it fades.
That's the part most explainers skip. You can receive stolen ETH from someone who received it from someone who drained the bridge, and never touch KelpDAO's contract yourself. A one-hop link to a known exploit address is worse than a five-hop link to a random wallet. Distance matters. Direction matters more.
Risk from a bridge hack does not stop at the exploiter's wallet - it travels through a consolidation address, a mixer or swap, and downstream wallets, weakening but not disappearing by the third or fourth hop.
What does an exchange see when it screens your deposit?
Exchanges run every incoming deposit through a screening engine before they credit it. That engine checks direct sanctions matches first, then indirect exposure through hop-weighted clustering. A wallet with even indirect ties to the KelpDAO exploiter's consolidation address will typically score high enough to trigger a manual review, not an automatic freeze - but if OFAC later designates that address, the review becomes mandatory and the exchange has to act on it.
The Arbitrum Security Council's freeze already shows you the ceiling case: 30,766 ETH locked at one address, no user action involved, no appeal process in place yet. Most wallets several hops away won't hit that ceiling. They'll hit a hold, a request for transaction history, or a source-of-funds letter instead.
Which wallets are actually at risk after a bridge exploit?
Three groups carry real exposure. Anyone who received funds directly from the exploiter's consolidation address before the freeze sits at the top. Anyone downstream of a wallet that mixed or swapped the stolen ETH comes next - a DEX trade or a cross-chain bridge doesn't erase the taint, it just adds a hop. LP holders and depositors in KelpDAO itself round out the list, since their funds backed the drained liquidity and some may face a lower payout during recovery.
If none of that describes you, a bridge hack elsewhere in the ecosystem still isn't automatically zero-risk. Wallets sometimes get a second look on pattern alone - interacting with the same bridge contract in the same week as an exploit, even in an unrelated transaction, can be enough to trigger manual review.
What should you do before you deposit or trade?
Check any wallet's transaction history before you accept a transfer from it, especially in the days after a bridge exploit makes headlines. You can look up an address on Etherscan and scroll its recent transfers by hand, or check token approvals through a tool like Revoke.cash - both are free, and both take reading one transaction at a time. Screen the wallet with Plastron instead and get sanctions, mixer, and stolen-funds exposure scored across seven chains in one lookup, instead of piecing it together yourself.
Revoke any approval you gave a bridge contract you no longer trust. And if a deposit gets held, ask the exchange which flagged address triggered it - most support teams won't volunteer that unless you ask directly.
Every deposit runs through the same screening step - a clean history clears fast, indirect exposure to a hack-linked wallet routes to manual review, and a direct sanctions or exploit match forces a hold.
Do I need to have used the hacked bridge to get flagged?
No. Exchanges screen for indirect exposure through hop-weighted clustering, so a wallet several transfers removed from the exploiter's address can still trigger a manual review even if it never interacted with KelpDAO or LayerZero directly.
What happens if my deposit gets held after a bridge hack?
Most exchanges place an indirect-exposure hold pending manual review rather than an automatic freeze. Expect a request for your transaction history or the source of the specific deposit - respond with documentation showing where the funds actually came from.
Can OFAC sanction a wallet tied to a bridge exploit?
Yes. OFAC has previously designated addresses attributed to Lazarus Group and DPRK-linked operations, and a confirmed attribution like the one LayerZero made for the KelpDAO exploit is the kind of evidence that supports a future designation.
Does revoking token approvals protect me from a bridge hack?
Only partly. Revoking stops a compromised bridge contract from moving tokens you've already approved. It doesn't change your exposure score if you've already received funds that trace back to the exploit - those two problems need separate fixes.
Disclaimer: This article is for educational and informational purposes only and is not legal, financial, tax, or compliance advice. Crypto carries risk; you act on this information at your own risk. Always do your own research and consult a qualified professional before making decisions. Views are the author's own and do not constitute financial, legal, or investment advice.
About Plastron
Plastron is a free, non-custodial wallet screening tool. It checks Ethereum and six EVM chains for AML and KYT risk — sanctions exposure, mixer contact, and stolen-funds proximity — and returns a risk report in seconds. It reads public on-chain data only: it never takes custody of funds and never asks for private keys.