
Arbitrum Pretends to Be a Hacker and “Steals Back” KelpDAO’s Lost Funds
Even though Arbitrum has invoked its god-mode privileges, this battle is clearly far from over.
Author: TechFlow
Last week, KelpDAO was hacked for nearly $300 million—so far the largest negative security incident in DeFi this year.
The stolen ETH is now scattered across multiple chains, with approximately 30,765 ETH remaining in a single address on Arbitrum—valued at over $70 million.
This story appeared to be over—until today, when a sequel emerged.
According to on-chain security firm PeckShield, funds from the hacker’s Arbitrum address were transferred out several hours ago. Strangely, they were sent to an unusual address consisting almost entirely of zeros: 0x00000...

Many speculated: Did the hacker voluntarily burn the funds into a black-hole address? Or had they experienced a change of heart—or even been “recruited”?
Neither.
A few hours ago, Arbitrum posted an emergency action notice on its official forum explaining the situation: The hacker’s funds were transferred—not by the hacker—but by Arbitrum’s Security Council.
Remarkably, without knowing the private key to the hacker’s address—and without freezing the funds or possessing transfer authority—the Council directly issued a transaction “in the hacker’s name.”
The hacker remained unaware; their private key was never compromised; and on-chain records appear indistinguishable from a self-initiated transaction.

The mechanism enabling this operation lies in Arbitrum’s cross-chain messaging infrastructure: All messages between Arbitrum and Ethereum pass through a bridge contract called the Inbox. The Security Council leveraged emergency privileges to temporarily upgrade this contract, adding a new function that allows issuing cross-chain transactions “on behalf of any wallet address”—without requiring that wallet’s private key.
Using this function, the Council forged a message listing the hacker’s wallet as sender, with content reading: “Transfer all my ETH to the freeze address.” Upon receipt, Arbitrum executed the instruction normally—producing the seemingly bizarre on-chain transfer visible in the screenshot above.
Immediately after completing the transfer, the contract was downgraded back to its original version. The entire sequence—upgrade, forgery, transfer, and downgrade—was executed atomically within a single Ethereum transaction, leaving all other users and applications unaffected.
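The sequence described above, as a simplified Python model added here (not Arbitrum's code): a normal Inbox only accepts a message from the address that actually sent it, the Council's 9-of-12 threshold gates a temporary implementation that may set an arbitrary sender, and upgrade, forged message, transfer and downgrade either all succeed or all revert. Council member ids, the `hacker_addr`/`freeze_addr` labels and the balance are constructed placeholders; the 30,765 ETH figure is the one quoted in the article.

```python
from dataclasses import dataclass, field

COUNCIL = [f"council{i}" for i in range(12)]   # hypothetical member ids
THRESHOLD = 9                                  # 9-of-12, as stated in the article


@dataclass
class Message:
    sender: str      # L2 address the message claims to originate from
    to: str
    value: int       # constructed units: ETH


class Inbox:
    """Normal implementation: the sender must be the caller itself."""
    def deliver(self, caller, msg):
        if caller != msg.sender:
            raise PermissionError("sender must sign their own message")
        return msg


class EmergencyInbox(Inbox):
    """Temporary implementation: the caller may specify any sender."""
    def deliver(self, caller, msg):
        return msg


@dataclass
class Rollup:
    balances: dict
    inbox: Inbox = field(default_factory=Inbox)

    def execute(self, caller, msg):
        msg = self.inbox.deliver(caller, msg)
        if self.balances.get(msg.sender, 0) < msg.value:
            raise ValueError("insufficient balance")
        self.balances[msg.sender] -= msg.value
        self.balances[msg.to] = self.balances.get(msg.to, 0) + msg.value


def council_emergency_sweep(rollup, signers, frm, to):
    """Upgrade -> forge -> transfer -> downgrade as one atomic step.
    Returns the resulting balances; restores prior state on any failure."""
    if len(set(signers) & set(COUNCIL)) < THRESHOLD:
        raise PermissionError("need 9 of 12 council signatures")
    snapshot = (dict(rollup.balances), rollup.inbox)   # kept for revert
    try:
        rollup.inbox = EmergencyInbox()                           # 1. upgrade
        msg = Message(sender=frm, to=to, value=rollup.balances[frm])  # 2. forge
        rollup.execute("council", msg)                            # 3. transfer
        rollup.inbox = Inbox()                                    # 4. downgrade
    except Exception:
        rollup.balances, rollup.inbox = snapshot                  # revert all
        raise
    return dict(rollup.balances)
```

The model makes the trust assumption explicit: nothing in the Inbox protects an address from a party that can swap the Inbox implementation itself.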
This operation has no precedent in Arbitrum’s history.
Per the forum announcement, the Security Council first confirmed the hacker’s identity with law enforcement—pointing to North Korea’s Lazarus Group, the most active state-sponsored hacking group targeting DeFi this year. After conducting a technical assessment to ensure no adverse impact on other users, the Council proceeded.
Recovering over $70 million is undoubtedly positive. Yet the prerequisite for achieving this outcome warrants attention: Among the Council’s 12 members, just nine signatures suffice to bypass all governance voting and upgrade any core on-chain contract—zero latency, zero delay.
Celebrating the Outcome, Worried About the Power?
Community reaction to this incident remains sharply divided.
Some praise Arbitrum for acting decisively—safeguarding assets at a critical moment and even bolstering confidence in L2s. Others raise a direct question: If nine people can move any asset, in anyone’s name, does this system still qualify as decentralized?
In our view, these two perspectives aren’t debating the same thing.
The former focuses on the outcome; the latter, on capability. The outcome here is clearly positive—over $70 million recovered. Yet the Council’s demonstrated ability to modify contract logic through its multisig is itself neutral: It was deployed against hackers this time—but what it may be used for, whether it *can* be used, and how it *will* be used, ultimately depend on the Council’s governance framework.
Still, for most Arbitrum users, this debate may feel less urgent than another reality: Arbitrum is not unique. Nearly all mainstream L2s currently retain similar emergency upgrade privileges.
The chain you’re using likely hosts a comparable Security Council—endowed with comparable powers. This isn’t an Arbitrum-specific choice; rather, it reflects a near-universal design pattern among L2s at this stage.
Viewed differently, this attack-and-response episode reveals a broader landscape.
The attacker is North Korea’s Lazarus Group—attributed to at least 18 DeFi attacks this year alone. Just three weeks ago, they stole $285 million from Drift Protocol using an entirely different technique.
On one side: A nation-state actor continuously refining its offensive capabilities. On the other: An L2 exercising foundational protocol-level permissions to mount countermeasures. The security war in DeFi is evolving beyond “post-incident freezing, on-chain appeals, and hopes for white-hat intervention”—entering a new phase.
Forging a master key during extraordinary circumstances to unlock the hacker’s address—and melting it immediately afterward—is, strictly speaking, evidence of capacity to respond to attacks—not a failing.
Yet if we insist on elevating this to a philosophical debate about “how decentralized is decentralized enough?”, then countless other centralized practices across crypto would also demand scrutiny. At minimum, this instance addresses a negative event and solves a problem—rather than creating one.
Returning to pragmatism: KelpDAO lost $292 million; $70 million was recovered—less than one-quarter of the total. The remainder remains scattered across other chains; over $100 million in bad debt on Aave remains unresolved; and rsETH holders’ recovery prospects remain uncertain.
Even with Arbitrum wielding “god-mode” privileges, this battle is clearly far from over.