#ArbitrumFreezesKelpDAOHackerETH – $71 Million Freeze Decision Divides Crypto

Just 48 hours after the biggest DeFi attack of April, Ethereum's largest layer-2 network, Arbitrum, made one of the most controversial interventions in its history. Its Security Council froze 30,766 ETH in a wallet linked to the KelpDAO hack, worth approximately $71.2 million. While the decision raised hopes of recovering the stolen funds, it reignited the question of where the principle of "decentralization" ends.

What happened?

On Saturday, the liquid restaking protocol KelpDAO lost approximately $292 million from its rsETH bridge running over LayerZero. The attacker triggered LayerZero's lzReceive function with a fake message, minting 116,500 rsETH without any backing. These tokens represented 18% of the circulating supply.

The attacker immediately used these rsETH as collateral to withdraw 83,427 WETH and wstETH from Aave, SparkLend, and other lending markets. The transaction was executed in parallel on Ethereum and Arbitrum. Aave soon announced it was freezing the rsETH markets, but by then millions of dollars in "bad debt" had accumulated on the protocol.

LayerZero initially attributed the attack to TraderTraitor, a subgroup of the North Korea-linked Lazarus group. KelpDAO, however, blamed LayerZero's single-validator messaging design. While accusations continued between the two sides, funds were rapidly dispersing on the chain.

Arbitrum's Immediate Intervention

On Monday, the Arbitrum Security Council, with its 12-member elected body, held an extraordinary meeting. According to council member Griff Green, the decision "was not taken lightly," and hours of technical, ethical, and legal discussions took place. Law enforcement was also consulted.

Ultimately, 9 members voted in favor. The council moved the ETH in the hacker's Arbitrum wallet to an "intermediately frozen wallet" that is inaccessible. Withdrawals from this wallet are now only possible with a new vote by Arbitrum governance.

Arbitrum emphasized that the intervention did not affect any normal users or applications, only targeting the address directly linked to the exploit.

The freeze accelerated the hacker's actions.

The news of the freeze spurred both on-chain detectives and the attacker into action. Hours after the freeze, key wallets on the Ethereum mainnet became active.

Blockchain researcher ZachXBT detected that approximately $1.5 million was converted to Bitcoin via THORChain.
EmberCN reported that a total of 75,700 ETH, worth approximately $175 million, began to be withdrawn from Ethereum.
PeckShield noted that the funds were divided among privacy and cross-chain protocols such as THORChain, Umbra, Chainflip, and BitTorrent. Small transfers via Umbra amounted to around $78,000.

The goal was clear: to escape to chains inaccessible to Arbitrum. The conversion to Bitcoin obscured the trace on Ethereum travelers, while privacy protocols like Umbra masked recipient addresses.

Chain reaction in DeFi

The Kelp attack didn't remain confined to a single protocol. Because rsETH was used as collateral:

Aave halted rsETH markets and reset collateral factors.
SparkLend, Fluid, and Upshift took similar steps.
Whales panicked and closed positions, causing Aave's total locked value to drop by $6.28 billion in a single day.

Justin Sun's withdrawal of 53,665 ETH from Aave around the same time further heightened market tension. While not directly related, the "get out first" reflex of major players exacerbated the crisis of confidence.

Decentralization or security?

Arbitrum's move divided the community.

Supporters say that "standing idly by" during a $292 million heist by a North Korean-linked actor would have been irresponsible. Ledger CTO Charles Guillemet summarized the outcome as "probably good, but not comfortable." According to him, the council didn't use a backdoor, but rather leveraged an authority already present in the protocol's design. This shows that today's rollups can still be stopped by governance decisions.

Critics, however, commented that "Arbitrum is no longer decentralized." The freezing authority could theoretically be used in a malicious governance attack. Circle's failure to freeze USDC during the Drift hack has been criticized, and Arbitrum's decision to freeze it has generated equally much debate.

This was the second major heist believed to be linked to North Korea in April. With the $285 million stolen from the Drift protocol on April 1st, the total loss has exceeded $578 million. Given that the FBI's 2025 report estimates crypto crimes will cause $11.37 billion in losses, the industry faces a growing "intervene or accept the loss" dilemma.
What happens next?
The frozen $71 million is currently under Arbitrum's control. Returning the funds will require either a court order or a DAO vote. The legal process could take months.

Meanwhile, the $175 million held by the hacker is still in motion. Recovering funds transferred to the THORChain and Bitcoin networks is nearly impossible. Security firms predict that the remaining ETH will also be broken down into smaller chunks and processed through privacy mixers.

The hashtag #ArbitrumFreezesKelpDAOHackerETH speaks to more than just a technical freeze. This is the moment when the conflict between DeFi's biggest promise – "trust in code" – and its biggest fear – "state-sponsored hackers" – is unfolding. Arbitrum has set a precedent by halting the $71 million. The question now is: Will this precedent be a safety net protecting users, or the beginning of the end for decentralization?