Arbitrum’s Security Council has frozen 30,766 ETH, worth roughly $71 million, linked to the $292 million hack that hit Kelp DAO over the weekend.
Arbitrum’s Security Council moved the funds from the hacker’s wallet on Arbitrum One into a special frozen wallet. Those assets are now out of the hacker’s reach and can only be touched through a formal governance vote by ARB token holders, coordinated with law enforcement and other parties.
How Arbitrum locked the funds
The council stressed that the emergency action was taken after receiving information from authorities about the exploiter’s identity. Nine of the 12 council members approved it, following what one member described as lengthy debates weighing technical, practical, ethical, and political angles.
Crucially, the operation was carried out without touching any other users, applications, or normal network activity on Arbitrum.
This recovery represents about a quarter of the total fund stolen from Kelp DAO’s LayerZero-powered rsETH bridge on April 18. Attackers drained 116,500 rsETH tokens, roughly 18% of the token’s circulating supply, by exploiting compromised infrastructure rather than a direct smart contract bug.
Who is the major suspect
According to LayerZero, the prime suspect is North Korea’s Lazarus Group. The attackers allegedly poisoned two RPC nodes in LayerZero’s verifier network and launched a DDoS attack on a third, forcing a failover that let them push through a fraudulent cross-chain message.
The exploit only succeeded because Kelp DAO was running a single-verifier setup, something LayerZero says it had long advised against in favor of multi-verifier redundancy.
Tensions rise between Kelp DAO and LayerZero
Kelp DAO has pushed back, downplaying direct responsibility and pointing to external factors, while coordinating with partners on a potential recovery fund. The finger-pointing between Kelp and LayerZero over security configurations has only grown sharper.
The attacker didn’t sit still. Before Arbitrum stepped in, much of the stolen rsETH was parked as collateral on Aave V3 to borrow wrapped ETH.
Since then, wallets tied to the exploit have been shuffling funds across chains, with reports of laundering attempts via Thorchain and other mixers. Blockchain sleuth ZachXBT and others have been tracking the flows closely.
The freeze has reignited old debates about decentralization in layer-2 networks. While many praised Arbitrum for acting fast to protect victims and limit damage, others, including TRON founder Justin Sun, stated that this kills decentralization. Sun tweeted that TRON remains the most decentralized chain.
Even supporters acknowledge the tension: emergency powers can stop thieves, especially suspected state actors, but they also chip away at the permissionless ideal that crypto was built on.
The $71 million is stuck in limbo for now. ARB holders will eventually have to decide whether to give it back to the Kelp users who were affected, keep it for law enforcement, or go another way.
