Attorney Charles Gerstein posted a restraining notice to Arbitrum’s governance forum last week, demanding the DAO freeze 30,765 ETH tied to last month’s rsETH exploit and hand it over to families holding $877 million in unpaid judgments against North Korea. The filing names Arbitrum as a garnishee in three federal enforcement actions stretching back decades, including claims arising from the 1972 Lod Airport massacre that killed 26 people in Israel.
The legal maneuver lands in the middle of an already contentious debate. Arbitrum delegates had been preparing to release the frozen Ethereum to a coordinated recovery effort for rsETH depositors who lost funds in the April 19 Kelp DAO bridge exploit. Now they face a far stranger question: does stolen crypto become North Korean state property the moment Lazarus Group touches it?
Three Federal Judgments, No Payment, and 50 Years of Searching
The families behind the restraining notice have been hunting for North Korean assets since before most Arbitrum delegates were born. Their claims stem from three separate federal cases, each involving violence linked to Pyongyang’s decades of state-sponsored terrorism.
The oldest dates to May 30, 1972. Three members of the Japanese Red Army, reportedly acting with North Korean support, opened fire inside Lod Airport near Tel Aviv. Twenty-six people died, including seventeen Puerto Rican pilgrims on a Christian tour group. A U.S. federal court later found North Korea liable for supporting the attack. The families won their case. North Korea never paid.
The second case involves Reverend Kim Dong Shik, a U.S. permanent resident and pastor who operated along the China-North Korea border helping defectors escape. In January 2000, North Korean agents abducted him near the border. He was taken into DPRK custody and later killed. His family won a wrongful death judgment against Pyongyang. Again, no payment.
The third traces to the 2006 Israel-Hezbollah war. A federal judge found that North Korea had supplied weapons and training used in rocket attacks against Israeli civilians. The plaintiffs obtained a judgment. North Korea, predictably, ignored it.
Collectively, these three cases carry writs of execution totaling roughly $877 million. The problem has always been collection. North Korea maintains virtually no seizable assets in the United States. The regime doesn’t keep bank accounts in Manhattan. It doesn’t own real estate in Florida. For the families, winning the legal battle was the easy part. Finding anything to actually collect against has consumed years, sometimes decades.
Gerstein’s filing argues that the 30,765 ETH sitting frozen on Arbitrum qualifies as North Korean property under U.S. enforcement law. His logic runs through the Lazarus Group, the hacking unit that U.S. authorities have repeatedly linked to North Korea’s Reconnaissance General Bureau. If Lazarus conducted the rsETH exploit (as blockchain analysts and U.S. agencies have indicated), and if Lazarus is an arm of the North Korean state, then the stolen funds are state property, subject to seizure to satisfy existing judgments.
It’s an aggressive legal theory. But the families have spent half a century chasing North Korean assets through far more obscure channels. Compared to trying to seize a Pyongyang-flagged cargo ship, going after tokens on a public blockchain is almost conventional.
The rsETH Exploit and Arbitrum’s Accidental Role
The frozen ETH at the center of this dispute came from the Kelp DAO bridge exploit on April 19, which we previously covered as Arbitrum’s Security Council seizing $71M in ETH from the Kelp DAO hackers. The attack drained approximately $292 million from restaked ETH holders across multiple chains. RsETH is a representative token that reflects Ethereum locked on another platform for fixed yields, a structure that has become increasingly popular as staking-adjacent DeFi products proliferate.
Arbitrum’s Security Council, an emergency governance body with the power to take unilateral action in time-sensitive situations, froze 30,765 ETH at a specific address on the network. That intervention captured roughly 25% of the total stolen funds. The remaining 75% escaped to other chains or was laundered through mixers before anyone could act.
The Security Council’s freeze was a technical success but created an immediate governance headache. Who does the money belong to now? The original rsETH depositors argue it’s their stolen property. The Lazarus Group (or whoever actually controls the frozen address) stole it. A thief cannot pass good title. Therefore, returning the funds to depositors is simply returning property to its rightful owners.
That logic seemed straightforward until Gerstein’s filing arrived. Now delegates face a different question: if the thief is a foreign state, do that state’s creditors have a claim that supersedes the original victims?
The legal tool Gerstein is using is CPLR Β§5222(b), a New York enforcement mechanism that allows judgment creditors to freeze assets by serving a restraining notice. No new court order is required up front. The recipient is simply barred from moving the assets for up to a year, or until the underlying judgment is resolved. The target can challenge the notice afterward, but ignoring it outright risks contempt of court.
Contempt is the same category of offense courts use when someone defies a judge’s order directly. It can carry fines, penalties, and in extreme cases, incarceration for individuals. The twist here is that Arbitrum DAO isn’t a company. It doesn’t have a CEO to hold in contempt. It’s a decentralized governance structure where token holders vote on proposals.
That ambiguity doesn’t make the legal risk disappear. It just shifts the question. If a court decides the restraining notice is valid, the contempt risk would fall on whoever the court determines actually controls the frozen funds. That could mean the Security Council members who executed the freeze. It could mean the delegates who vote to release the funds. It could mean the Arbitrum Foundation, which operates as a legal entity in the Cayman Islands but maintains it doesn’t control DAO treasury decisions.
The lack of clear legal personhood for DAOs has been a governance convenience for years. Now it’s becoming a governance liability.
Stolen Property or State Assets: The Argument That Could Define DAO Liability
Delegate Zeptimus pushed back on Gerstein’s legal theory in the same forum thread. The core objection is simple: stolen property belongs to the victim, not the thief. Under basic property law, a thief acquires no title. When someone steals your car, it’s still your car. The thief can’t sell it to a third party and give that buyer clean ownership. The same principle should apply to stolen crypto.
If that framing holds, the 30,765 ETH isn’t North Korean property at all. Lazarus Group never acquired legitimate ownership. The funds belong to the rsETH depositors who held them before the exploit. Returning the ETH to those depositors isn’t a distribution. It’s restitution.
Zeptimus argued that accepting Gerstein’s theory would effectively shift North Korea’s debt onto a different set of victims. The terrorism families have legitimate grievances against Pyongyang. They’re owed money. But making DeFi depositors who were themselves robbed pay that debt seems like punishing one group of victims to satisfy another.
There’s an uncomfortable asymmetry to the situation. The terrorism families have been waiting decades for any kind of compensation. Some of the victims they represent died in 1972. The rsETH depositors, by contrast, lost funds two weeks ago. From a pure timeline perspective, the terrorism claimants have seniority. From a property law perspective, the depositors arguably have cleaner title.
The Lazarus Group’s documented history complicates things further. U.S. Treasury, the FBI, and multiple private blockchain intelligence firms have linked the group to North Korea’s state apparatus. Lazarus was behind the $625 million Ronin Network hack in 2022. They’ve been implicated in attacks on dozens of crypto projects. As we reported last month, their Mach-O Man malware has been hijacking Zoom calls to target crypto executives specifically.
If Lazarus is operationally indistinguishable from the North Korean state, there’s a non-frivolous argument that assets under their control are state assets. International law has long recognized that governments can be held liable for the acts of their agents. If the agent acquires property through those acts, that property may be reachable.
But “non-frivolous” isn’t the same as “obviously correct.” The stolen-property defense remains powerful. Courts have generally held that theft doesn’t transfer title. A government agency that seizes stolen goods doesn’t get to keep them. It returns them to the original owner. Why should this case be different?
The answer might depend on whether American courts view North Korea-linked hacking as closer to ordinary theft or closer to sovereign asset acquisition. If Lazarus Group is just a criminal gang, their loot is stolen property. If Lazarus Group is a revenue arm of the North Korean state (which some analysts believe generates hundreds of millions of dollars annually for Pyongyang’s weapons programs), the calculus shifts.
Arbitrum delegates aren’t equipped to answer that question. They’re governance participants in a DeFi protocol, not federal judges. Yet they’re the ones who have to decide whether to release the funds, hold them indefinitely, or find some third path.
The fear and greed dynamics that typically drive crypto market decisions don’t apply here. This isn’t about whether ETH will pump or dump. It’s about whether a decentralized organization can be compelled by a state court to hand over assets, and who bears the liability if it refuses.
What Happens Now: Governance, Courts, and No Clean Exits
Arbitrum’s governance process doesn’t pause for legal complexity. Proposals move on defined timelines. Delegates vote. Things happen. But the restraining notice creates friction that governance alone can’t resolve.
The safe path, legally, is to do nothing. If Arbitrum keeps the funds frozen and waits for the courts to sort out competing claims, the DAO avoids the contempt risk that comes from releasing assets under a restraining notice. The downside is that rsETH depositors who lost money two weeks ago continue to wait indefinitely while lawyers argue about events from the Nixon administration.
The aggressive path is to release the funds to the coordinated recovery effort and dare Gerstein to enforce the notice. This treats the stolen-property defense as dispositive. The risk is that a New York court disagrees, holds individuals in contempt, and creates a precedent that could haunt DAO governance for years.
A middle path might involve challenging the restraining notice directly. CPLR Β§5222(b) allows targets to contest the notice after service. Arbitrum (or the Arbitrum Foundation, or individual Security Council members, or whoever agrees to stand as the defendant) could argue that the ETH isn’t North Korean property, that the DAO lacks the legal status to be a garnishee, or that the notice was improperly served. Each argument has risks and costs.
Meanwhile, the actual hackers are presumably laughing. They control 75% of the stolen funds that Arbitrum’s Security Council didn’t freeze. They’ve likely already laundered significant portions through mixers, cross-chain bridges, and other obfuscation methods. The 30,765 ETH sitting frozen on Arbitrum represents a partial success story, proof that coordinated action can recover some stolen funds. Now that success is creating a secondary fight among victims about who gets the proceeds.
The broader DeFi ecosystem is watching. If a restraining notice can effectively immobilize DAO-controlled assets by threatening individuals with contempt, the legal surface area for DAOs just expanded dramatically. Every Security Council, every multisig signer, every delegate with meaningful governance power becomes a potential pressure point for plaintiffs worldwide.
Conversely, if Arbitrum releases the funds and nothing happens, the precedent cuts the other direction. DAOs operate in a legal gray zone. Courts struggle to assert jurisdiction. Plaintiffs struggle to identify defendants. The ambiguity that once seemed like a bug might actually be a feature, at least from the perspective of those who want decentralized systems to remain resistant to traditional legal mechanisms.
Neither outcome is cleanly good. The terrorism families have waited fifty years. The DeFi depositors lost money two weeks ago. Someone is going to be disappointed. The only certainty is that the frozen ETH isn’t moving until Arbitrum decides what kind of organization it actually is.
Related Reading
Sources
This content is educational, not financial advice. Digital asset investments can lose value. Research thoroughly before investing.
