Arbitrum impersonates hacker’s wallet to take back KelpDAO funds

Arbitrum’s security council has used emergency powers to freeze roughly $70 million in assets linked to last week’s $292 million exploit of KelpDAO, raising fresh questions about centralization and governance on major blockchain networks.

How Arbitrum recovered the funds

On-chain data firm PeckShield first flagged that 30,765 ETH tied to the KelpDAO hack had been moved on Arbitrum to a zeroed address, sparking speculation that the attacker had burned the funds or that authorities had intervened.

Arbitrum later confirmed in a forum post that its security council initiated the transfer under an emergency process. The council temporarily upgraded a core “Inbox” bridge contract so it could send a message as if it came from the hacker’s wallet, without needing the attacker’s private key.

The steps were executed within a single Ethereum transaction:

  • the bridge contract was upgraded to add a function that could send messages on behalf of any address
  • a simulated transaction was run to validate the behavior
  • the ETH was transferred to a designated freeze address
  • the contract was then downgraded back to its original version

Arbitrum said the change was narrowly scoped and did not affect other users or applications during the operation.
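For defenders monitoring upgradeable contracts, the upgrade, act, downgrade sequence described above leaves the proxy pointing at its original code once the transaction ends, so a before/after comparison of the implementation address shows no change. The following is an added example, not code from Arbitrum or from this article: it classifies upgrades from event logs, assuming the proxy emits the EIP-1967 `Upgraded(address)` event (the article does not say which proxy pattern the Inbox uses). All addresses, transaction ids and log entries are constructed.

```python
from collections import defaultdict

# keccak256("Upgraded(address)"): the event an EIP-1967 proxy emits on upgrade.
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def addr(n):
    # Constructed 20-byte placeholder address (not a real account).
    return "0x" + f"{n:02x}" * 20

def upgraded_log(tx, idx, proxy, impl):
    """Constructed Upgraded(address indexed implementation) log entry."""
    return {"tx": tx, "idx": idx, "address": proxy,
            "topics": [UPGRADED, "0x" + "00" * 12 + impl[2:]]}

def classify_upgrades(logs, baseline):
    """baseline: proxy -> implementation recorded before these logs.
    Returns {(tx, proxy): verdict} for each proxy upgraded in a transaction."""
    seen = defaultdict(list)
    for log in sorted(logs, key=lambda l: (l["tx"], l["idx"])):
        if log["topics"] and log["topics"][0] == UPGRADED:
            impl = "0x" + log["topics"][1][-40:]  # low 20 bytes of the topic
            seen[(log["tx"], log["address"])].append((log["idx"], impl))
    verdicts = {}
    for (tx, proxy), ups in seen.items():
        impls = [impl for _, impl in ups]
        before = baseline.get(proxy)
        if before is None:
            verdicts[(tx, proxy)] = "no-baseline"
        elif impls[-1] != before:
            verdicts[(tx, proxy)] = "persistent"
        elif all(i == before for i in impls):
            verdicts[(tx, proxy)] = "no-op"
        else:
            # Ends where it started: a before/after state diff shows nothing.
            first, last = ups[0][0], ups[-1][0]
            ran = sum(1 for l in logs if l["tx"] == tx and first < l["idx"] < last)
            verdicts[(tx, proxy)] = f"transient ({ran} log(s) between swap and restore)"
    return verdicts

# Constructed sample: tx 0xa1 swaps the code, acts, restores it; tx 0xb2 is an ordinary upgrade.
INBOX, OTHER, ORIGINAL, TEMP, NEW = (addr(n) for n in range(1, 6))
SAMPLE_LOGS = [
    upgraded_log("0xa1", 0, INBOX, TEMP),
    {"tx": "0xa1", "idx": 1, "address": INBOX, "topics": ["0x" + "ee" * 32]},
    upgraded_log("0xa1", 2, INBOX, ORIGINAL),
    upgraded_log("0xb2", 0, OTHER, NEW),
]
BASELINE = {INBOX: ORIGINAL, OTHER: addr(6)}
if __name__ == "__main__":
    print(classify_upgrades(SAMPLE_LOGS, BASELINE))
```

A monitor built this way alerts on the event sequence inside the transaction rather than on the end state, which is the only place a same-transaction swap and restore is visible.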

The security council reported that it had coordinated with law enforcement and identified the attacker as linked to the Lazarus Group, a North Korea–associated hacking outfit tied to multiple DeFi exploits this year. It was the first time Arbitrum had used its emergency governance authority in this way.

Governance process and next steps

The security council confirmed that nine of its twelve members signed the authorization to perform the emergency contract upgrade, meeting its threshold and bypassing the usual, slower governance process.

Recovered funds will remain frozen while Arbitrum’s decentralized governance body decides what to do with the assets in consultation with authorities. Options are expected to include various restitution paths for affected parties, but no formal proposal has yet been finalized.

Centralized control debate intensifies

The incident has triggered a broad debate in the Arbitrum community over how much power should rest with a small administrative group.

Critics argue that the ability of a dozen council members to modify a core contract and act on any address, even for defensive purposes, runs counter to the ideal of a permissionless, censorship‑resistant system. Supporters counter that this type of intervention is necessary to protect users in extreme cases and prevent large-scale thefts from becoming permanent.

Security specialists note that Arbitrum’s setup is not unique. Many leading layer‑2 networks and major protocols maintain some form of emergency upgrade or pause mechanism, especially during their early operational phases, to respond quickly to technical failures or security breaches.

Impact on KelpDAO and remaining losses

The freeze covers roughly one-quarter of the $292 million stolen from KelpDAO, leaving about $220 million still missing and spread across other networks and protocols.

More than $100 million in unrecovered debt remains on Aave, where the attacker used unbacked rsETH minted on KelpDAO as collateral to borrow assets. Estimates now put Aave’s bad debt related to the exploit at over $177 million, widening concerns about the resilience of interconnected DeFi platforms.

The scale of the losses and the partial recovery have left the final outcome for holders of KelpDAO’s rsETH token uncertain, with no clear timetable for compensation decisions.

Aave hit by liquidity crunch and confidence shock

The KelpDAO exploit quickly spilled over into Aave, one of the largest DeFi lending platforms.

After the attacker deposited fraudulent rsETH as collateral and borrowed against it, the eventual collapse in the perceived value of that collateral left a large hole on Aave’s books. In response, liquidity providers rushed to withdraw, pulling more than $5.4 billion from the protocol.

At one point, Aave’s WETH market reached 100% utilization, meaning all available WETH had been borrowed and remaining depositors were temporarily unable to withdraw. The episode underscored how vulnerabilities in one protocol can trigger liquidity and solvency pressure in another when they are tightly integrated.

For market participants active in lending platforms, the event has sharpened focus on:

  • what assets are accepted as collateral
  • how those assets are created or bridged
  • how risk from external protocols can flow into core money markets

Lazarus Group’s role and evolving threat

Arbitrum’s security council and law enforcement agencies have tied the KelpDAO exploit to the Lazarus Group, a North Korea–linked hacking organization that has become one of the most prolific threats in digital assets.

The group is suspected in at least 18 DeFi exploits this year alone, including a $285 million theft from Drift Protocol three weeks earlier. It has also been linked to some of the largest historical incidents, such as a $1.5 billion attack on Bybit in February 2025.

Analysts say Lazarus has steadily expanded its toolkit from basic smart contract exploits to more complex operations that:

  • target cross‑chain bridges and other critical infrastructure
  • leverage social engineering to compromise staff and vendors
  • exploit interdependencies between protocols and networks

The KelpDAO incident reinforces the view that state-linked actors continue to probe DeFi’s weakest points, pushing networks and protocols to adopt stronger technical countermeasures and more robust operational security.

Broader implications for DeFi and layer‑2 design

The Arbitrum intervention is being viewed as both a defensive milestone and a stress test for DeFi governance models.

On one hand, it shows that large networks can, in limited circumstances, coordinate with authorities and use technical tools to claw back stolen funds. On the other, it highlights that many “decentralized” systems still rely on small, privileged groups with the ability to override normal rules when they judge it necessary.

For traders and protocol users, the episode is likely to prompt closer examination of:

  • who controls upgrade keys and emergency switches
  • what thresholds are required to activate them
  • how clearly these powers are documented and disclosed

While Arbitrum has managed to secure about $70 million of the stolen assets, the larger effort to trace and recover the remaining funds continues, and the long-term consequences for KelpDAO, Aave, and wider DeFi market confidence remain unresolved.


Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
