“The Security Council acted with input from law enforcement as to the exploiter’s identity,” Arbitrum announced late Sunday night, confirming that 30,766 Ethereum had been locked away from the hackers who drained Kelp DAO two days earlier.
The freeze, executed at 11:26 p.m. ET on April 20, recovers approximately $71 million of the $292 million that attackers stole from Kelp’s cross-chain bridge on Saturday. That represents roughly a quarter of the total haul from what has become 2026’s largest DeFi exploit. The funds now sit in a governance-controlled intermediary wallet, meaning only a formal Arbitrum proposal and vote can determine their fate.
Emergency Powers Activate on a Layer-2 Chain
Arbitrum operates as a layer-2 blockchain, processing transactions more cheaply than Ethereum’s mainnet before settling them back to the base layer. Its Security Council consists of elected signers with emergency authority to intervene when the network or its users face imminent harm. This structure exists precisely for scenarios like the Kelp breach.
The council’s intervention marks one of the more aggressive uses of those powers to date. Governance-level freezes on user funds remain rare in crypto for good reason: they introduce discretionary control over what’s supposed to be a permissionless system. Every time a council freezes an address, even one belonging to hackers, it reminds users that certain actors can move their funds without consent under the right circumstances.
Arbitrum emphasized that the action affected only the exploiter-linked address and had no impact on other applications or users on the network. That distinction matters for protocols building on Arbitrum who might otherwise worry about counterparty risk from chain-level interventions.
Tracing the Attack Path From Bridge to Seizure
The exploit targeted Kelp DAO’s LayerZero-powered bridge, which allows rsETH (a liquid restaking token representing staked ether positions) to move across multiple chains. Attackers compromised the bridge’s verifier infrastructure and pulled 116,500 rsETH on Saturday, an amount worth $292 million at the time.
LayerZero pointed the finger at North Korea’s Lazarus Group with what it called “preliminary confidence.” The attribution aligns with Lazarus’s recent pattern of targeting DeFi infrastructure. Our earlier reporting on Lazarus Group’s activity noted that the group has drained over $500 million from DeFi protocols in April alone, exploiting cross-chain weaknesses rather than breaking underlying cryptography.
The $71 million that Arbitrum froze appears to be one portion of the stolen funds that the attacker parked before converting or distributing. Where the remaining $221 million went, and whether it can be recovered, depends on the attacker’s movements across other chains and whether those networks take similar action.
Kelp and LayerZero’s Blame Game Intensifies
The partial recovery doesn’t resolve the thornier question: who pays for the rest?
Kelp DAO and bridge provider LayerZero have been pointing fingers since the attack occurred. Kelp’s bridge relied on LayerZero’s cross-chain messaging infrastructure, but the verifier systems that attackers compromised sit at the boundary between the two protocols’ responsibilities. Neither side has publicly accepted fault.
The initial hack triggered cascading withdrawals from Aave and other DeFi lending protocols, as users rushed to exit positions collateralized by rsETH. That contagion caused billions in outflows and raised questions about how interconnected DeFi has become through liquid staking derivatives.
Now, with $71 million frozen, any negotiation over loss socialization has a different baseline. Kelp said it is coordinating with ecosystem partners on a recovery fund and considering options including legal action against counterparties. LayerZero has not publicly commented on the Arbitrum freeze.
What Governance Control Actually Means Here
The frozen ETH isn’t automatically returned to victims. It sits in an intermediary wallet requiring further Arbitrum governance action to move. That creates a new set of questions.
Who decides how to distribute recovered funds? Kelp users whose rsETH was stolen? The protocols that suffered contagion losses? Does Arbitrum’s governance even have the legal standing to make that call, or will this end up in courts?
These aren’t theoretical concerns. When FTX collapsed in 2022, the bankruptcy process took years to determine creditor priorities. A DeFi exploit with frozen funds across multiple chains and disputed liability could face similar complexity, except without the clear legal framework that bankruptcy provides.
Arbitrum’s Security Council executed the freeze on law enforcement’s input. That cooperation suggests authorities may already be pursuing criminal charges against the attackers (consistent with the Lazarus attribution), but it also means the frozen funds could become evidence in a prosecution rather than immediately available for victim compensation.
Other Chains Face Pressure to Follow Arbitrum’s Lead
The attacker moved stolen rsETH across multiple chains before consolidating. Arbitrum caught $71 million of the flow. What happened to the rest?
Other layer-2 networks and alternative chains with similar emergency powers now face a decision: freeze their portions of the stolen funds or allow them to continue moving. The speed and coordination of chain-level responses often determines how much attackers can actually extract versus how much gets recovered.
Not every chain has a security council with freeze authority. Some pride themselves on immutability. For them, the only option is watching the funds move and hoping law enforcement can trace them to an off-ramp where traditional seizure methods apply.
This fragmented response is exactly why cross-chain exploits remain attractive to sophisticated attackers. Steal from a bridge, scatter funds across a dozen chains, and count on at least some portion making it through networks without centralized intervention capabilities.
You can track broader market movements and sector performance as DeFi protocols continue absorbing the fallout from Kelp’s exploit.
What Happens Next for Kelp Depositors
Kelp remains paused. The protocol said it is weighing options for unpausing, loss socialization, and legal coordination. Those three items pull in different directions.
Unpausing quickly might let users exit remaining positions but crystallizes losses at current levels. Waiting for more recovery efforts (frozen funds, law enforcement seizures, potential negotiated returns) could improve the eventual recovery rate but leaves depositors locked out of their funds indefinitely.
Loss socialization, where remaining assets get distributed proportionally rather than on a first-come-first-served basis, tends to be fairer but slower. It also requires governance consensus that Kelp doesn’t necessarily have after a trust-destroying exploit.
The $71 million recovery is real progress, but it covers less than a quarter of what was stolen. For Kelp depositors holding rsETH that may now be worth significantly less than its face value, the next few weeks of negotiations and governance decisions will determine how much, if anything, they ultimately recover.
Arbitrum’s next governance proposal regarding the frozen funds will likely arrive within days. Whether that proposal aims to return funds to identifiable victims, hold them pending legal proceedings, or pursue some other path remains unclear.
Related Reading
Sources
Disclaimer: This is journalism, not investment guidance. Crypto is risky. Make your own informed decisions.
