Arbitrum Freezes 30,766 ETH Tied to $290M KelpDAO Exploit

Ethereum

Arbitrum Freezes 30,766 ETH Tied to $290M KelpDAO Exploit

• Arbitrum secures 30,766 ETH worth $70.97M, moving funds to frozen wallet.
• The KelpDAO hack totaled roughly $290 million to $292M after attackers drained rsETH.
• LayerZero blamed North Koreas Lazarus Group and pointed to weak security settings.

Arbitrum has recovered $70.97 million in ETH tied to the recent KelpDAO exploit, taking emergency action to secure 30,766 ETH that had been sitting on Arbitrum One.

The funds were moved from addresses linked to the attacker into a frozen intermediary wallet controlled through governance safeguards.

According to Arbitrum, the assets are no longer accessible to the exploiter and can only be moved through future governance action coordinated with relevant parties.

Emergency Action Secures 30,766 ETH

Arbitrum said its Security Council acted with input from law enforcement regarding the exploiters identity.

After technical review, the council used a targeted method to move the ETH without affecting other users, apps, or the broader chain state. The transfer was completed on April 20 at 11:26 p.m. ET.

Blockchain intelligence platform Arkham said the seized amount totaled $70.9 million. Meanwhile, the recovery follows a much larger exploit that hit KelpDAO for roughly $290 million to $292 million.

Attackers drained rsETH through KelpDAOs cross-chain bridge powered by LayerZero. The stolen rsETH was then reportedly used as collateral to borrow funds across DeFi lending markets.

This created an immediate bad debt risk. Notably, if fake collateral is accepted for loans, lenders may be left with losses when the collateral fails.

Lazarus Group Blamed

LayerZero said early analysis points to North Korea‘s Lazarus Group, specifically the TraderTraitor unit. The company said the exploit targeted downstream RPC nodes used in a decentralized verifier network rather than exploiting LayerZero’s core protocol.

According to LayerZero, two RPC nodes were compromised while DDoS attacks hit uncompromised nodes, allowing false transaction verification during the theft. LayerZero also said malicious files were designed to self-delete after the attack.

LayerZero said KelpDAO used a single-verifier setup instead of a multi-verifier model that had previously been recommended. More independent verifiers create redundancy, as one weak point is harder to exploit when several checks are required.

David Schwartz added that many bridge systems look secure in theory, but teams often avoid stronger protections because they add operational cost and complexity.