Arbitrum Pretends to Be the Hacker, 'Steals' Back the Money Lost by KelpDAO

marsbitPublicado a 2026-04-21Actualizado a 2026-04-21

Resumen

Title: Arbitrum Poses as Hacker to Recover Stolen Funds from KelpDAO Last week, KelpDAO suffered a hack resulting in nearly $300 million in losses, marking the largest DeFi security incident this year. Approximately 30,765 ETH (worth over $70 million) remained on an Arbitrum address controlled by the attacker. In an unprecedented move, Arbitrum’s Security Council utilized its emergency authority to upgrade the Inbox bridge contract, adding a function that allowed them to impersonate the hacker’s address and initiate a transfer without access to its private key. The council’s action, approved by 9 of its 12 members, moved the stolen ETH to a frozen address in a single transaction before reverting the contract to its original state. The operation was coordinated with law enforcement, which attributed the attack to North Korea’s Lazarus Group. Community reactions are divided: some praise the recovery of funds, while others question the centralization of power, as the council can upgrade core contracts without governance votes. However, such emergency mechanisms are common among major L2s. Despite the partial recovery, over $292 million was stolen in total, with more than $100 million in bad debt on Aave and remaining funds scattered across other chains. The incident highlights escalating security challenges in DeFi, with state-sponsored hackers employing advanced tactics and L2s responding with elevated countermeasures.

Author: Deep Tide TechFlow

Last week, KelpDAO was hacked for nearly $300 million, making it the largest negative security incident in DeFi so far this year.

The stolen ETH is now scattered across multiple chains, with approximately 30,765 ETH remaining in an address on the Arbitrum chain, worth over $70 million.

Just when everyone thought the story was over, a sequel emerged today.

According to on-chain security firm PeckShield, the funds in the hacker's address on the Arbitrum chain were transferred out a few hours ago. Strangely, the funds were moved to a bizarre address that appears to be almost all zeros: 0x00000...

Everyone was speculating: Did the hacker burn the funds by sending them to a black hole address? Or did they have a change of heart or get recruited?

Neither.

A few hours ago, the Arbitrum official forum posted an emergency action announcement explaining the situation. The hacker's funds were transferred by the Arbitrum Security Council.

However, the remarkable part is that without knowing the private key of the hacker's address, the Arbitrum Council neither froze the funds nor had the authority to transfer them. Instead, they directly issued a transfer instruction "in the name of the hacker."

The hacker was unaware, the private key was not leaked, and the on-chain records made it look like the hacker had performed the operation themselves.

The principle behind this operation is that all cross-chain messages between Arbitrum and Ethereum must pass through a bridge contract called Inbox. The Security Council used its emergency authority to temporarily upgrade this contract, adding a new function:

It allows sending cross-chain transactions in the name of any wallet address, without needing that wallet's private key.

They then used this function to forge a message, with the sender field filled as the hacker's wallet, and the content being "Transfer all my ETH to the frozen address." The Arbitrum chain received it and executed it as usual, resulting in the bizarre scene captured in the on-chain transfer screenshot above.

After transferring the hacker's funds, the contract was immediately downgraded back to its original version. The upgrade, forgery, transfer, and restoration were all completed within a single Ethereum transaction. Other users and applications were completely unaffected.

This operation is unprecedented in Arbitrum's history.

According to the forum announcement, the Security Council first confirmed the hacker's identity with law enforcement, pointing to North Korea's Lazarus Group, the most active state-level hacker organization in the DeFi space this year. The council conducted a technical assessment to ensure it would not affect other users before taking action.

Since the hacker was in the wrong first, this move carries a bit of a "don't blame us for not playing by the rules" sentiment. As for the subsequent handling of the frozen ETH, it will go through Arbitrum's DAO governance vote and be coordinated with law enforcement.

Recovering over $70 million in stolen funds is undoubtedly a good thing. But it's worth noting the prerequisite for achieving this: 9 out of the 12 members of the Security Council can sign to bypass all governance votes and upgrade any core on-chain contract with zero delay.

Praising the Outcome, Worrying about the Capability?

Currently, the community's reaction is divided.

Some think Arbitrum did a great job, protecting assets at a critical moment, which actually adds a bit of confidence in L2. Others ask a very direct question: If 9 people can sign to move any asset in anyone's name, can this still be called decentralization?

In my opinion, the two sides are actually talking about different things.

The former is talking about the result, the latter is talking about the capability. The result of this incident is certainly good—over $70 million in stolen funds was recovered. But the capability demonstrated by Arbitrum this time—to modify contract functions via multi-sig—is neutral in itself; what it is used for in the future, whether it can be used, and how it is used, all actually depend on the council's governance.

However, for most people using Arbitrum, this discussion might be less relevant than another fact. Arbitrum is not special; currently, almost all mainstream L2s retain similar emergency upgrade permissions.

The chain you are using most likely also has a similar Security Council with similar capabilities. This is not a unique choice by Arbitrum; it's almost a universal design for L2s at this stage.

Looking at it from another angle, this offensive and defensive battle actually reveals a bigger picture.

The attacker is North Korea's Lazarus Group, attributed to at least 18 DeFi attacks since the beginning of this year. Just three weeks ago, they stole $285 million from Drift Protocol using a completely different method.

On one side, state-level hackers are constantly upgrading their attack methods; on the other, L2s are starting to use underlying permissions to fight back. The security war in DeFi is entering a new stage, moving beyond "post-incident freezes, on-chain shouting, and praying for white hats to intervene."

In extraordinary times, they created a master key to open the hacker's address, and melted the key after use. Just judging by this incident alone, having the capability to respond to hacker attacks is not a bad thing.

And if we must elevate this to a philosophical discussion about "this is not decentralized at all," then there are many more things to talk about. The crypto industry has no shortage of centralized operations. This time, at least, it was handling a negative incident and solving a problem, not creating one.

Looking back more pragmatically, KelpDAO was robbed of $292 million, and only over $70 million was recovered—less than a quarter of the total. The remaining ETH is still scattered on other chains. Over $100 million in bad debt on Aave remains unresolved, and it's still unknown how much rsETH holders will get back.

Even though Arbitrum invoked god-like permissions, this battle is clearly far from over.

Preguntas relacionadas

QWhat was the approximate value of the ETH stolen from KelpDAO that remained on the Arbitrum chain?

AOver $70 million worth of ETH, specifically 30,765 ETH, remained on the Arbitrum chain.

QHow did the Arbitrum Security Council manage to move the hacker's funds without the private key?

AThe Security Council used its emergency powers to temporarily upgrade the Inbox bridge contract, adding a new function that allowed them to forge a cross-chain message that appeared to be from the hacker's address, instructing the transfer of all ETH to a frozen address.

QWhich hacker organization was identified as being responsible for the attack on KelpDAO?

AThe attack was attributed to the North Korean state-backed hacker group, Lazarus Group.

QWhat is a major concern raised by the community regarding the Arbitrum Security Council's action?

AA major concern is that the action demonstrates a lack of decentralization, as 9 out of 12 council members can sign to upgrade any core contract and move any assets without a governance vote.

QWhat percentage of the total stolen funds from KelpDAO was recovered through this action on Arbitrum?

ALess than a quarter of the total stolen funds were recovered. The action recovered roughly $70 million of the total $292 million stolen.

Lecturas Relacionadas

Single-Day Plunge of 30%, Arthur Hayes Suddenly Liquidates: Why Did ZEC Get Exploded by Security Issues?

On June 5th, Zcash founder Zooko Wilcox disclosed a critical soundness vulnerability in the project's latest Orchard privacy pool. This flaw, found in the elliptic curve multiplication constraints, could allow an attacker to create unlimited counterfeit ZEC within the shielded pool, with transactions appearing valid. The vulnerability was discovered in late May by security researcher Taylor Hornby, who utilized Anthropic's new Opus 4.8 AI model for a targeted audit. The Zcash ecosystem had already performed an emergency network upgrade to patch the issue. However, the detailed disclosure triggered severe market panic, causing ZEC's price to plummet over 30% in a single day. Notably, prominent investor Arthur Hayes announced he had sold his entire ZEC position following the news. The incident starkly challenges the "technological trust" narrative central to privacy coins. Despite years of top-tier cryptographic audits, the bug persisted until uncovered with advanced AI-assisted research. This highlights the growing gap between theoretical perfection and practical implementation in privacy technology. The event serves as a industry-wide warning: in an AI-driven security landscape, the assumption that "undiscovered equals safe" is obsolete. It underscores the urgent need for continuous, proactive security practices combining AI audits, formal verification, and rapid response mechanisms.