Arbitrum Freezes $71M in ETH From Kelp DAO Exploiter, April 2026

Arbitrum's Security Council froze 30,766 ETH worth roughly $71 million linked to the $292 million Kelp DAO exploit on April 20, 2026. The emergency action moved stolen funds to a governance-controlled wallet, recovering about a quarter of what attackers drained from Kelp's LayerZero-powered bridge two days earlier.

DeFi exploits move fast. Your morning briefing should too. Subscribe to Web Snack for daily crypto news that cuts through the noise.

Context

On April 18, attackers exploited compromised verifier infrastructure in Kelp DAO's LayerZero-powered bridge and drained 116,500 rsETH - a liquid restaking token representing users' positions in restaked ether. The total haul came to an estimated $292 million, making it one of the largest DeFi exploits of 2026 so far.

LayerZero attributed the attack to North Korea's Lazarus Group. The attackers allegedly poisoned two RPC nodes in LayerZero's network while simultaneously launching DDoS attacks on a third, creating a window to forge cross-chain messages and trick Kelp's bridge into releasing tokens.

Kelp's emergency pause function kicked in 46 minutes after the first transaction, blocking a second attack that targeted another 40,000 rsETH.

Details

Nine of the Security Council's 12 elected members voted to execute the freeze after what council member Griff Green described as extensive internal deliberation. The transfer completed at 11:26 p.m. ET on April 20, moving the ETH to the protocol-controlled address 0x...DA0.

"We did not make this decision lightly, there were countless hours of debates, technical, practical, ethical and political. But all it takes for evil to triumph is for good men to do nothing" - Griff Green, Member of Arbitrum Security Council

The freeze was a race against the clock. PeckShield flagged that the exploiter had already initiated a native bridge withdrawal from Arbitrum back to Ethereum mainnet. The Security Council completed its intervention before the withdrawal finalized, trapping the ETH on Arbitrum.

Impact

The frozen $71 million accounts for about 24% of the total stolen. The remaining $220 million is believed to have already moved across chains. ZachXBT reported the attackers began laundering funds from Ethereum to Bitcoin via Thorchain, with smaller amounts routed through privacy protocol Umbra.

"Decentralisation is not a suicide pact" - Dan Robinson, General Partner at Paradigm

The decision split the crypto community. Critics on X argued that a 12-member council freezing user-controlled funds by decree contradicts core blockchain principles of permissionless and immutable transactions. Supporters countered that returning stolen money to victims matters more than abstract ideals - especially when the suspected thieves are state-sponsored.

Broader fallout continues across DeFi lending. The exploit created millions in bad debt on Aave V3, where attackers deposited stolen rsETH as collateral to borrow wrapped ETH before markets froze. Close to $10 billion in value has exited Aave since the incident. Lido disclosed $21.6 million in rsETH exposure through its EarnETH product.

Next Steps

The frozen ETH stays locked until Arbitrum's governance process - a full DAO vote by ARB token holders - determines what happens next. No timeline has been set for that vote. Any movement of the funds will require coordination with law enforcement, given the suspected DPRK connection.

Kelp DAO said it is working with LayerZero, Aave, and ecosystem partners on recovery plans and a path to resume operations. A dispute between Kelp and LayerZero over who bears responsibility for the bridge's security gaps remains unresolved.

Whether more stolen funds can be recovered depends on where else the attacker moved rsETH and whether other chains with similar emergency powers choose to act. LayerZero has not publicly commented on the freeze as of April 21.

Crypto moves at wire speed. Get the full picture every morning with Web Snack - subscribe for free.

P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.