TL;DR:
- The Arbitrum Security Council froze 30,766 ETH worth $71.5 million linked to the KelpDAO exploit, after receiving law enforcement information about the attacker’s identity.
- The frozen funds can only be released through an Arbitrum governance vote.
- The attackers, attributed to North Korea’s Lazarus Group, have already begun moving and laundering the remaining funds using Thorchain and the privacy protocol Umbra.
The Arbitrum Security Council froze 30,766 ETH worth $71.5 million linked to the KelpDAO exploit of April 18, moving the funds to an intermediary wallet inaccessible to the attacker. The measure was taken after receiving information from law enforcement about the hacker’s identity.
The Arbitrum Security Council is composed of elected signers with emergency powers to protect the network during security incidents. Once activated, the council can freeze assets and move them to wallets whose access requires a subsequent community governance vote. The frozen funds cannot be released without coordination with the relevant parties through the protocol’s governance process.
The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,…
— Arbitrum (@arbitrum) April 21, 2026
Arbitrum and the Decentralization Dilemma
The measures taken by the council generated divided reactions within the crypto community. On one hand, they were praised as a swift and effective response to a large-scale attack. On the other, they drew criticism over a layer-2 network’s ability to unilaterally freeze funds, raising questions about how real decentralization truly is when a body with emergency powers of this magnitude exists.
Nevertheless, the attackers have already begun moving funds beyond the reach of any possible response from authorities and protocols. According to onchain data and investigator ZachXBT, the thief’s wallet sent transfers of $57.93 million and $117.48 million on Tuesday during European hours. Approximately $1.5 million was bridged from Ethereum to Bitcoin via Thorchain and an additional $78,000 was routed through Umbra, a privacy protocol. These methods are typical of the initial laundering stage, known as layering, and indicate that the attacker may be preparing to disperse the funds across multiple destinations.
Indirect Consequences of the Freeze
Arbitrum may have inadvertently accelerated the attacker’s plans. By narrowing the room to maneuver over the frozen $71.5 million, pressure on the remaining funds increases. LayerZero attributed the attack to the Lazarus Group from North Korea, an organization that has previously used Thorchain to launder funds in exploits of similar scale.
The KelpDAO exploit also triggered a wave of liquidations across the DeFi sector, and there are fears of contagion spreading to other protocols.
