Arbitrum Security Council Freezes 30,766 ETH From KelpDAO Exploiter in Emergency Onchain Action

Key Takeaways:

• Arbitrum’s Security Council froze 30,766 ETH worth roughly 70 million from the KelpDAO exploiter on April 21.
• Peckshield flagged the exploiter had initiated a native bridge withdrawal before the Security Council acted.
• The 30,766 ether now sits in a protocol-controlled address; its final disposition has not been announced.

Arbitrum Acts Fast as KelpDAO Exploiter Attempts to Bridge Stolen Funds

The Arbitrum Security Council identified the exploiter’s holdings on Arbitrum One and moved the 30,766 ether to the protocol-controlled address 0x0000000000000000000000000000000000000DA0, as per CertiK Alert.

The KelpDAO exploit drained approximately 292 million from the protocol via a Layerzero bridge attack targeting rsETH, with a portion of the stolen funds being moved to Arbitrum One after the initial breach.

As previously reported by Bitcoin.com, the exploit triggered a full-blown liquidity crisis across the decentralized finance ( DeFi) lending landscape while simultaneously pushing the industry’s losses past the 600 million mark (over the past three weeks). Onchain analysts have pointed to North Korea’s Lazarus Group as the likely culprit behind the attack.

How the Arbitrum Security Council Stopped the Exploiter

The freeze was a race against time as Peckshield flagged that the exploiter had already initiated a native bridge withdrawal from Arbitrum back to the Ethereum mainnet. This was done using the 0xDA0 precompile, a standard mechanism for native ether transfers between the two networks. The Security Council completed its intervention before the transfer was finalized, trapping the 30,766 ether on Arbitrum.

Lookonchain confirmed the freeze approximately 20 minutes after execution, noting the funds had been moved to an Arbitrum-controlled address. The Arbitrum Security Council holds elevated administrative powers over the network, allowing it to execute technical interventions in declared security emergencies.

However, this ability to unilaterally move funds has drawn some flak within the Ethereum community, primarily over centralization concerns for a network positioned as a decentralized layer-2.

The 30,766 ether remains in the protocol-controlled address. Arbitrum governance has not announced how the frozen funds will be handled or whether they will be returned to affected KelpDAO users. Lido separately disclosed approximately 21.6 million in rsETH exposure through its EarnETH product and indicated it may deploy a 3 million loss buffer, as detailed in Bitcoin.com’s incident report coverage.