Arbitrum’s Security Council froze $71 million (30,766 ETH) in funds linked to the hacker who exploited Kelp DAO’s LayerZero-powered bridge for roughly $292–294 million in rsETH (about 116,500 tokens, or ~18% of circulating supply) on April 18, 2026.
The freeze moved the ETH from a hacker-controlled address on Arbitrum One to an intermediary frozen wallet accessible only via future Arbitrum governance approval, and it was coordinated with law enforcement. The council described it as an emergency action taken after technical diligence, without disrupting the network or other users. They noted input from law enforcement on the attacker’s identity.
The Original Exploit
The attacker tricked Kelp DAO’s cross-chain bridge, built on LayerZero’s Omnichain Fungible Token (OFT) standard, by forging a cross-chain message. This allowed unauthorized release of rsETH from the bridge contract on Ethereum mainnet. The stolen rsETH was quickly used as collateral on lending protocols to borrow ETH and other assets, creating bad debt risks that prompted some platforms to pause or freeze related markets.
Preliminary reports attribute the attack to North Korea’s Lazarus Group or similar sophisticated actors, involving compromised RPC nodes feeding tainted data to a LayerZero verifier, combined with DDoS attacks on other nodes to force reliance on the compromised one.
The exploit succeeded because Kelp DAO used a single-verifier (1-of-1 DVN) configuration, with LayerZero Labs as the sole decentralized verifier network. LayerZero Labs claims it had repeatedly warned partners against this setup and recommended multi-verifier redundancy for security. The attack only worked due to this single point of failure.
Kelp DAO’s view: They push back, arguing the 1/1 setup was LayerZero’s documented default and onboarding configuration and relied on LayerZero’s own infrastructure and guidance. They blame a breach in LayerZero’s RPC nodes and verifier rather than their own choices. This highlights ongoing tensions in cross-chain infrastructure: applications choose their own security stack (number of verifiers/DVNs), but defaults and recommendations matter.
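The verifier-count point above, as an added example (not code from Kelp DAO, LayerZero, or this article): it models a bridge pathway that accepts a message once every required verifier and a threshold of optional verifiers attest, then computes how few verifiers must be compromised for a forged message to pass. The acceptance rule and field names are assumptions modelled on a required/optional DVN scheme; pathway and verifier names are constructed.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical per-pathway verifier set (assumed model, not a real API)."""
    required: tuple = ()         # every one of these must attest
    optional: tuple = ()         # at least `optional_threshold` of these must attest
    optional_threshold: int = 0

def accepts(cfg, attesters):
    """Acceptance rule: all required verifiers plus a threshold of optional ones."""
    attesters = set(attesters)
    if not set(cfg.required) <= attesters:
        return False
    return len(attesters & set(cfg.optional)) >= cfg.optional_threshold

def min_compromise(cfg):
    """Smallest set of verifiers whose attestations alone get a message accepted."""
    pool = sorted(set(cfg.required) | set(cfg.optional))
    for k in range(len(pool) + 1):
        if any(accepts(cfg, combo) for combo in combinations(pool, k)):
            return k
    return None  # unsatisfiable: no message can ever be verified

def audit(pathways, minimum=2):
    """Return {pathway: finding} for every config below the chosen minimum."""
    findings = {}
    for name, cfg in pathways.items():
        k = min_compromise(cfg)
        if k is None:
            findings[name] = "unsatisfiable: threshold exceeds optional verifiers"
        elif k < minimum:
            findings[name] = f"{k} verifier(s) suffice: single point of failure"
    return findings

# Constructed sample pathways; names are placeholders, not real deployments.
PATHWAYS = {
    "single-verifier": VerifierConfig(required=("dvn-a",)),
    "two-required-plus-1-of-2": VerifierConfig(
        required=("dvn-a", "dvn-b"), optional=("dvn-c", "dvn-d"), optional_threshold=1),
    "optional-only-1-of-3": VerifierConfig(
        optional=("dvn-a", "dvn-b", "dvn-c"), optional_threshold=1),
    "broken-threshold": VerifierConfig(
        required=("dvn-a",), optional=("dvn-b",), optional_threshold=2),
}

if __name__ == "__main__":
    for name, finding in audit(PATHWAYS).items():
        print(f"{name}: {finding}")
```

The "optional-only-1-of-3" case shows that listing several verifiers does not help when any one of them is enough to reach the threshold.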
The core LayerZero protocol itself wasn’t directly hacked in the traditional sense; the issue lay in the application’s configuration and in compromised supporting infrastructure (RPCs). After the freeze on Arbitrum, the hacker or associated addresses began moving other stolen assets. Reports indicate roughly $175 million in ETH was relocated to fresh Ethereum addresses, suggesting active attempts to launder or disperse funds across chains despite the partial recovery.
The Arbitrum portion represented about 25% of the total stolen value. This is the largest DeFi exploit of 2026 so far and triggered broader market reactions, including temporary TVL drops and contagion concerns across lending platforms holding rsETH collateral. Critics on platforms like X questioned a 12-member Security Council unilaterally freezing funds without a full governance vote, seeing it as a centralization risk—even if done for recovery and with law enforcement input.
Defenders view it as a pragmatic emergency response in a permissionless system where stolen funds can otherwise be laundered quickly. Events like this underscore vulnerabilities in bridges, oracles and verifiers, especially single points of failure, RPC dependencies, and configuration choices. The frozen ETH’s fate now depends on Arbitrum governance.
Full recovery of the remaining funds is uncertain, as the hacker is actively moving assets. Crypto security remains a cat-and-mouse game: sophisticated actors, state-linked or otherwise, continue targeting infrastructure weaknesses, while protocols and chains experiment with emergency tools. Users should stay cautious with bridged assets and monitor official updates from Kelp DAO, Arbitrum, and LayerZero.






