Exclusive interview with Arbitrum Security Council member: Why did we activate the "God Mode" to freeze North Korean hackers' $72 million?

Guest: Griff Green, Member of the Arbitrum Security Council

Host: Zack Guzman

Podcast Source: Coinage

Original Title: Why Arbitrum Decided To Take Back $72M North Korea Stole

Air Date: April 23, 2026

Editorial Introduction

In the past few days, Ethereum and the entire crypto community have been focused on the incident where Kelp DAO (a liquidity re-staking protocol) was hacked, affecting Aave (a decentralized lending platform).

The Arbitrum Security Council used emergency authority to freeze and recover approximately $72 million worth of assets from addresses suspected to be controlled by North Korean hackers. This is the first time in the crypto industry that a “single L2” has activated “god mode” to freeze funds belonging to a specific address. Before this episode, community opinions were divided, with controversy centering on the fact that while Arbitrum did the right thing, the ability of a single chain to “transfer away assets from a specific address” raises questions about its capabilities and decentralization.

The guest in this episode is Griff Green, a member of the Arbitrum Security Council authorized to make such decisions. Griff is also a survivor of the 2016 The DAO hack and one of the advocates behind Ethereum’s hard fork. In the interview, he directly criticizes Circle (the issuer of USDC) for “continued inaction” during the North Korea hacker incident, and contrasts this with Tether’s proactive freezing actions, arguing that Circle’s decision-making is entirely driven by financial statements.

Key Quotes

The misconception of blockchain’s “immutability”

“People think blockchain is immutable, but in reality, the foundation of blockchain operation is social consensus. If everyone agrees to upgrade the protocol, the rules can be changed. Ethereum and Bitcoin are both like this.”

“This is why some in the Bitcoin community are now discussing freezing Satoshi’s tokens. Technically, it’s entirely feasible because blockchain isn’t inherently immutable; it only has rules.”

The true cornerstone of decentralization is market behavior

“If people don’t like our decisions, they will sell their tokens. If the Bitcoin network coordinated to steal people’s money, holders would obviously sell. The real foundation of decentralization is market behavior, and the role of market dynamics in this matter is severely underestimated.”

“Honestly, no one would blame us for doing nothing. Doing nothing carries almost no risk, so you need a bit of willingness to take risks.”

North Korean hacker attack patterns

“North Korea rarely attacks at the smart contract layer. Most of the time, the attack isn’t on the code but on people. They use social engineering to find key holders with special permissions, gaining access to their computers and keys.”

“I don’t know why they left funds in one address for two days without moving them. Maybe they worked for three days straight, took Sunday off, and then showed up late on Monday. That’s our window.”

Comparison of Circle and Tether

“I’ll say this clearly: there are obviously no good guys at Circle. They’ve been choosing to do nothing. On the other hand, Tether has been freezing North Korean funds continuously, recovering amounts far exceeding $70 million.”

“Circle’s origin isn’t crypto-native; it’s Goldman Sachs. So their decision logic is: does this reflect well on their financial reports? If freezing North Korean funds can make them money, they will definitely do it.”

Security issues are the biggest obstacle to crypto adoption

“With today’s technology, we can create systems more secure than PayPal or banks. Take the infrastructure of banks and PayPal, remove the custodians, and make a non-custodial version—technologically, it’s already possible.”

“I don’t know anyone whose bank account was hacked and money stolen after a phishing attack. But I know many who lost crypto after being phished.”

“I’ve been building for the public good, trying to create better systems than governments, but I keep hitting the same problem: this technology still isn’t safe enough for ordinary people to use securely.”

Activating God Mode

Zack Guzman: Many people are paying attention to how things develop. The controversy hasn’t stopped. Let’s start with the structure of the Arbitrum Security Council. You’re a member, and you mentioned in your post that this was a very serious decision. Can you explain how the whole incident unfolded?

Griff Green: Kelp DAO was attacked. There’s still debate over whether the main responsibility lies with Kelp DAO or LayerZero (the cross-chain messaging protocol), but the impact definitely affected Aave. It was a cross-chain bridge attack—about $300 million worth of tokens on Layer 2 were stolen by hackers from the bridge, then deposited on Ethereum mainnet and Arbitrum’s Aave as collateral to borrow ETH.

After obtaining ETH, the North Korean hackers left it in their wallet for several days without moving it, giving us a window to coordinate rescue efforts. Arbitrum, still in Stage 1 rollup (meaning some security guarantees but not fully decentralized), has a Security Council. It’s a 9-of-12 multi-signature (12 members, 9 signatures needed to execute actions). We collaborated with Seal 911 (a security emergency response organization in crypto) to use emergency permissions to transfer funds out of the North Korean-controlled address, freezing them into a new address they cannot access.

Blockchain’s foundation

Zack Guzman: I didn’t realize before that the threshold was 9-of-12, and many people seem unaware that Arbitrum has this capability. You probably also don’t want North Korean hackers to know about this feature.

Griff Green: Actually, it’s all publicly available information. I think there’s some misunderstanding about blockchain technology. The foundation of blockchain is open-source code, nodes running on servers, and social consensus.

My first project was The DAO. We raised $150 million, then got hacked. If you want details, check out Laura Shin’s book The Cryptopians, which dedicates 100 pages to this incident. Ultimately, we used an Ethereum hard fork to do something very similar to what we did on Arbitrum: breaking the rules without the hacker’s permission, moving funds out of the hacker’s wallet.

This can be done on Ethereum, Bitcoin, and any chain. Because blockchain fundamentally operates on social consensus, if everyone agrees, it can be done. For example, there’s discussion in the Bitcoin community about freezing Satoshi’s tokens—if everyone agrees, it’s possible.

On Arbitrum, it’s slightly different: you don’t need to convince all node operators, but have two options—either ARB token holders can vote to execute the same action, or the 9-of-12 multi-sig of the Security Council can do it in an emergency. Before this, the Security Council’s powers were only used for bug fixes and protocol upgrades, never for freezing funds. As far as I know, this is the first time a major L2 has frozen on-chain funds.

Comparison of two incidents

Zack Guzman: You’ve experienced both the DAO hack and this incident. How do they compare?

Griff Green: This one is much easier. The DAO was my own project, hacked for $150 million, and the pressure was much greater. This time, I personally didn’t lose any funds; I just helped as a Security Council member.

And infrastructure is so much better now, we can figure out what happened much faster. When The DAO was hacked, we didn’t even know who the hacker was. This time, Seal 911 was able to contact the FBI, and they confirmed the attacker was North Korean hackers. We gained intelligence outside the ecosystem through the network we built over the years.

Key issues discussed

Zack Guzman: In decision-making, not acting means North Korea keeps the funds. But some worry this could set a chilling precedent for DeFi. How did the discussion go?

Griff Green: First, there’s the technical challenge. We spent a lot of time finding a perfect technical solution—just finding it was a huge achievement, thanks to the behind-the-scenes technical heroes.

Once the technical feasibility was confirmed, we moved to the real debate: should we do it or not?

From my personal perspective, the attackers are almost certainly North Korean, involving $72 million, and DeFi faces existential risk. My duty is to uphold Arbitrum’s constitution and do what I believe is right for Arbitrum. No one would blame us for choosing inaction; doing nothing carries almost zero risk, so a bit of risk-taking is necessary.

Some people might feel uncomfortable, thinking “9 people can do this on-chain.” But I tell you, getting 9 highly risk-averse security experts to agree on doing something after thorough checks is far more difficult than you think. It’s probably harder than coordinating miners to freeze Satoshi’s tokens.

The key point is that the system remains decentralized—not just in architecture, but also in market sentiment and price behavior. If people dislike our decision, they will sell their tokens. That’s the true foundation of decentralization, and the role of market dynamics in this matter is severely underestimated.

Zack Guzman: The Security Council is elected by ARB token holders. Could this incident set a precedent that changes how people view hacker incidents in the Ethereum ecosystem?

Griff Green: One thing underestimated is that hackers rarely leave funds in one address for two days without moving them. Because they didn’t move the funds, we had a window of opportunity. I can’t recall any previous hacker incident on Arbitrum with a similar situation. I don’t know why they didn’t transfer the funds. Maybe they worked for three days straight, got tired, took Sunday off, and showed up late on Monday.

So I think people will be more open-minded about this. Not because the technology suddenly became possible (it’s always possible), but because they saw a real operation. L2Beat (an L2 security assessment project sponsored by the Ethereum Foundation) clearly states that the Security Council has emergency upgrade powers. Hackers could transfer the funds at any time, causing us to fail, but we’re fortunate.

Security lessons

Zack Guzman: What are the security lessons learned?

Griff Green: First, improve technical risk analysis. Aave does well controlling access to low-market-cap, high-volatility tokens, but is too lax with liquid staking tokens (LSTs). These tokens’ underlying asset is ETH, so the economic risk is low, but technical risk needs more scrutiny. This isn’t just Aave’s problem; protocols like Morpho, Compound, Sky, and others need to double down on technical risk analysis.

Kelp DAO’s setup has a single point of failure—criticism points to that. But a bigger issue is operational security (opsec): if keys are compromised, that’s the real risk. North Korea rarely attacks at the smart contract level; most of the time, they attack people—using social engineering to get access to computers and keys with special permissions.

There are two ways to respond: one, strengthen security standards. If you manage large funds, your computer security should be as tight as a CEO of a major tech company. But the crypto industry isn’t there yet.

How to handle the $72 million

Zack Guzman: What’s next for the recovered $72 million? Is it decided by your vote?

Griff Green: Yes, that’s going to be very interesting. The users of Aave and Kelp DAO will benefit, but the specific plan is hard to finalize. DAO coordination is inherently difficult—like working with governments and large organizations, especially without a clear final decision-maker.

Previously, Aave and Kelp DAO blamed each other. Now, with Arbitrum involved, it’s three DAOs working together. The good news is, there’s actual money involved now, so Aave and Kelp DAO can’t just pass the buck—they need to publicly develop a plan. How to return this $72 million to users will ultimately be decided by Arbitrum DAO token holders’ vote.

My personal stance is that unless it’s 100% directly returned to users, Arbitrum DAO shouldn’t release the funds.

Note that the Security Council only acts in emergencies. We deliberately transferred the funds to address 0x0000DAO—the “DAO” suffix was chosen intentionally, meaning this money now belongs to the DAO community. I am also a delegate of Arbitrum DAO. But the total voting power can reach 200 million votes, and I only hold about 10 million—roughly 5%. Many others have greater influence.

Projects I’m working on

Zack Guzman: Tell us about the projects you’re currently involved in, especially those related to security.

Griff Green: Since the DAO incident, I’ve been building in this space. I helped create Giveth, a decentralized donation platform that helps nonprofits raise funds on Ethereum. I’ve seen these nonprofits lose money in every way imaginable: sending funds to the right address but on the wrong chain, phishing, smart contract bugs, exchange hacks, and more.

With today’s technology, we can build systems more secure than PayPal or banks. The tech is there. But the reality is, I don’t know anyone whose bank account was hacked and money stolen after a phishing attack. Yet I know many who lost crypto after being phished.

That’s why we launched the DAO Security Fund. The goal is to make Ethereum safer than banks. We have about $170 million in staked assets, with staking yields providing long-term funding for security initiatives.

The first large-scale funding round starts tomorrow. On qf.giveth.io, you can donate to security projects. Based on your donation, a $1 million fund will be proportionally distributed among various security initiatives.

But more important than funding is project discovery. There are hundreds of free, open-source security tools out there, but many people don’t even know they exist. The core purpose of this round is to gather these projects in one place, so people can find them. Funding helps these projects survive, but market signals—what’s most needed, which areas deserve more investment—are truly impactful.

Circle vs. Tether comparison

Zack Guzman: When there’s no security council mechanism, centralized stablecoin issuers like Circle are forced to face the issue of freezing or not freezing assets. How do you see these two models?

Griff Green: If you have the ability to solve this problem, you have a responsibility to do so. There’s an old saying: “All evil needs to win is for good people to do nothing.”

I’ll say this clearly: there are obviously no good guys at Circle. They’ve consistently chosen inaction. On the other hand, Tether has been freezing North Korean funds, recovering amounts far exceeding $70 million.

You might think it should be the other way around, but I believe the reason is that Tether’s founding team is crypto-native, DeFi-native—they retain some old-school crypto values. Circle’s origin is Goldman Sachs, so their decision logic is: does this look good on the reports? If freezing North Korean funds can make them money, they will do it.

I’m not a Tether extremist; I lean toward decentralization. But in this case, Circle’s behavior is perplexing. I don’t know if we need to collectively sell USDC to give them enough market feedback. North Korea’s attacks aren’t just damaging our portfolios—they threaten real-world security. Everyone suffers because we don’t stop North Korea.

Zack Guzman: The politics in the blockchain world are much more complex than many realize.

Griff Green: Exactly. You think it’s just finance and hardcore tech, but there’s a lot of political discussion—about self-regulation, how to build society on new frameworks, very deep debates. But every time I try to bring these issues into the real world, I hit security problems.

North Korea’s attacks on major protocols are just one dimension. There are many lower-level issues, like scam calls impersonating Coinbase support, user experience improvements, etc. Many problems aren’t state-level attacks but stem from our own technical shortcomings.

I entered crypto in 2013, earned the first master’s degree in digital currency in 2016. I’ve been building for the public good, trying to create systems better than governments, but I keep hitting the same barrier: this technology still isn’t safe enough for ordinary people to use securely. Yet, there’s a huge opportunity now to change that.