TL;DR

  • North Korea’s Lazarus Group exploited Kelp DAO’s cross-chain bridge on April 18, stealing 116,500 rsETH worth $292 million, the largest DeFi hack of 2026.
  • Arbitrum’s Security Council froze 30,766 ETH ($71M) from the attacker two days later; a cross-protocol coalition called DeFi United has since raised over $300 million toward making rsETH holders whole.
  • Law firm Gerstein Harrow LLP obtained a U.S. court restraining order on May 1 seeking to seize the frozen ETH on behalf of terrorism victims holding unpaid judgments against North Korea, not Kelp DAO victims.
  • Arbitrum DAO voted to release the funds anyway with 90%+ approval, setting a precedent that raises unresolved questions about DAO legal liability and the risks of governance-controlled asset recovery.

Arbitrum DAO has voted to release roughly 30,766 ETH linked to the recent Kelp DAO exploit, even as a U.S. legal battle attempts to block redistribution of the recovered assets.

The vote passed with over 90.5% approval, representing 173.9 million ARB tokens in favor. It authorizes the transfer of approximately $71 million in frozen ETH into a 3-of-4 Gnosis Safe multi-signature wallet, co-signed by Aave Labs, Kelp DAO, EtherFi, and onchain security firm Certora, as part of a broader victim compensation effort. The decision comes after nearly three weeks of governance debate following Arbitrum’s Security Council freeze of the assets on April 20, and amid an active legal challenge connected to historical North Korean terrorism claims.

What initially appeared to be a standard DeFi exploit recovery has now evolved into a broader test of DAO governance, legal jurisdiction, and the risks that emerge when decentralized protocols take operational custody of stolen funds.

How the Kelp DAO exploit unfolded

The controversy began after attackers, later linked by to North Korea’s Lazarus Group, exploited Kelp DAO’s LayerZero-powered cross-chain bridge on April 18, 2026. This was not a smart contract vulnerability. Instead, the attackers compromised internal RPC nodes used by LayerZero’s Decentralized Verifier Network (DVN). They then launched a DDoS attack against uncompromised nodes, forcing traffic to the poisoned ones. This gave them control over what the DVN saw and verified. The DVN confirmed transactions that had never actually occurred. That false confirmation tricked the Ethereum-side contract into releasing 116,500 rsETH (worth approximately $292 million) to an attacker-controlled address.

The exploit, now the largest DeFi hack of 2026, represented about 18% of rsETH’s total circulating supply.

With the stolen rsETH in hand, the attacker deposited approximately 89,500 rsETH into Aave v3 on Ethereum and Arbitrum and used it as collateral to borrow tens of thousands of WETH and other assets. This left Aave facing between $123 million and $230 million in potential bad debt. As the attacker leveraged the stolen assets across lending protocols, positions tied to the exploit eventually faced liquidation pressure on Aave. The situation escalated rapidly as ecosystem participants attempted to prevent the funds from dispersing across multiple chains and protocols.

Part of the recovered ETH ultimately became immobilized on Arbitrum-related infrastructure. That set the stage for one of the most unusual governance interventions seen in DeFi to date.

Importantly, the ETH was not originally sitting inside the Arbitrum DAO treasury. The assets first moved through attacker-controlled wallets before governance actors intervened.

Arbitrum’s extraordinary intervention

Just two days after the exploit, on April 20, Arbitrum’s Security Council used emergency powers to help recover the funds. The Council identified wallets tied to the attacker and moved 30,766 ETH into a governance-controlled recovery address, coordinating with law enforcement throughout the process.

The move effectively shifted the assets from attacker custody into a DAO-supervised holding structure.

Supporters viewed the intervention as a necessary emergency response to preserve victim funds before the assets disappeared permanently through laundering or cross-chain transfers.

Critics, however, argued that the operation demonstrated the extent to which major Layer-2 governance structures can exercise centralized control during emergencies. The debate quickly expanded beyond the exploit itself and into broader questions about decentralization, governance authority, and protocol liability.

The DeFi United coalition

The Arbitrum governance vote did not take place in isolation. It formed the centerpiece of a wider, cross-protocol recovery initiative called “DeFi United,” co-authored by Aave Labs, Kelp DAO, LayerZero, EtherFi, and Compound.

DeFi United has drawn pledges from a broad coalition of DeFi protocols, including Mantle, EtherFi Foundation, Golem Foundation, Lido DAO, Ethena, LayerZero, Ink Foundation, and Tydro . The coalition already accumulated more than 43,000 ETH (approximately $101 million) to reduce the contagion effect of the exploit. Larger pledges from the likes of Consensys (30,000 ETH) and Aave founder Stani Kulechov (5,000 ETH personally) have pushed total commitments past $300 million.

The goal of DeFi United is to restore rsETH’s ETH backing in full and make all rsETH holders whole. However, even with the release of the 30,766 frozen ETH, a shortfall of approximately 76,127 rsETH (worth roughly $174 million) remains.

The legal dispute intensified after law firm Gerstein Harrow LLP appeared on Arbitrum governance forums on May 1 seeking to block the redistribution of the frozen ETH. The U.S. District Court for the Southern District of New York had authorized a restraining notice that was served on the DAO through the forum. The order barred the movement of the 30,766 ETH. The court also signed three writs of execution targeting the Arbitrum DAO.

The plaintiffs are not Kelp DAO hack victims. They are families holding three unsatisfied default judgments against North Korea, awarded in 2010, 2015, and 2016. The judgements total over $877 million in damages that have gone unpaid for years.

The legal theory behind the filing does not necessarily claim that the hacker lawfully owned the funds. Instead, the argument focuses on whether assets stolen by a North Korean state-sponsored actor (Lazarus Group) can be treated as DPRK property and therefore attachable under U.S. enforcement and anti-terrorism frameworks.

That distinction has become central to the dispute.

Recovery advocates argue the ETH remains directly traceable stolen property belonging to exploit victims. Because the assets were frozen before being widely dispersed or mixed, supporters of the recovery process maintain that the original victims retain the strongest ownership claims.

The legal maneuver alarmed many DeFi governance participants. It raised the possibility that DAO-controlled recovery wallets could become targets for unrelated third-party claims once governance intervenes operationally.

The dispute has also drawn attention to a deeper structural issue: whether a DAO exercising operational control over recovered assets can be treated as a legally recognizable entity under U.S. law. Arbitrum DAO is not a traditional incorporated entity. Instead, it operates as a decentralized governance system coordinated through token-holder voting. Yet the broader ecosystem includes identifiable participants, among them the Arbitrum Foundation and Security Council members who carried out the emergency freeze.

That creates a legally uncomfortable question: if a DAO can freeze assets, move funds, and approve redistribution through coordinated action, can courts begin treating it as a functional legal association rather than purely decentralized software? Gerstein Harrow has argued in prior litigation that DAOs constitute unincorporated associations whose individual members can be held personally liable. At least one federal judge has allowed claims to proceed on that theory.

In Arbitrum’s case, the scrutiny is sharpened by the fact that governance actors moved beyond passive protocol management into active operational control. This is exactly the kind of conduct that invites that legal framing. For critics, that reinforces concerns about centralization inside major Layer-2 ecosystems. For supporters, it demonstrated that coordinated governance can protect users when it matters most.

The outcome of the legal battle may ultimately influence how future DAOs approach exploit recovery operations, especially if courts begin treating governance-controlled recovery wallets as attachable entities.

>>> Read more: Arbitrum’s Gaming Catalyst Program On The Chopping Block?

Why the DAO voted to release the ETH anyway

Despite the ongoing legal fight, including an emergency motion filed by Aave Labs seeking to vacate the restraining order, Arbitrum DAO voters ultimately approved the transfer of the ETH into a new recovery wallet associated with compensation efforts. Over 90% of voting tokens voted in favor.

The decision suggests governance participants were unwilling to leave the assets indefinitely frozen while external legal claims continued to develop.

Supporters of the proposal argued that delaying redistribution could expose the recovery wallet to escalating jurisdictional risks and prolonged litigation. Others warned that governance paralysis could undermine confidence in future ecosystem-led recovery efforts.

The vote therefore became more than a simple question of whether to release frozen funds. It effectively became a decision about whether decentralized governance should complete the recovery process before courts establish stronger control over the assets.

Every transfer changes the legal posture of the ETH. While the assets remained in governance-controlled custody, they represented a visible and potentially attachable pool for outside legal claims.

A defining moment for DAO governance

The Arbitrum case may become one of the clearest examples yet of how DeFi governance structures enter legally ambiguous territory once they move beyond passive protocol operation and begin actively controlling recovered assets.

The incident raises unresolved questions for the broader industry:

  • Is a DAO acting as a neutral coordinator during exploit recovery?
  • Does governance become a custodian once it controls frozen funds?
  • Can courts treat DAO-controlled wallets as attachable financial entities?
  • And will future protocols hesitate to intervene if emergency recoveries increase legal exposure?

For the crypto industry, the outcome could influence how future exploit recoveries are handled across DeFi ecosystems.

The case also exposes a growing tension at the center of decentralized governance. The moment a DAO successfully recovers stolen funds, it may simultaneously create a legally identifiable target for regulators, courts, and outside creditors.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here