Arbitrum has recovered 30,766 Ethereum tokens, worth approximately $70.97 million, from wallets linked to the KelpDAO exploit, executing an on-chain intervention that removed the attacker’s control of the funds.
Arkham Intelligence broke the news, along with analytics regarding the development, in a recent X post. The recovery follows what is now considered the largest DeFi exploit of 2026, adding significant weight to the operation.
The $292M KelpDAO Ethereum Exploit
The recovery traces back to a major breach on April 18, when hackers drained about $294 million from KelpDAO, a liquid restaking protocol built on Ethereum. The attack targeted KelpDAO’s cross-chain infrastructure, specifically its LayerZero-powered bridge. A configuration flaw in that route allowed the attacker to generate or release over 116,500 unbacked rsETH tokens.
These tokens were then used across DeFi platforms as if they were legitimate collateral. This way, the attacker extracted real assets, including ETH, from lending protocols. Within hours, they consolidated tens of thousands of ETH across multiple wallets. They also routed some of the funds through mixers such as Tornado Cash to obscure their origin.
Early findings from LayerZero identified North Korea’s notorious Lazarus Group as the perpetrator. The scale and method of the attack triggered widespread disruption across DeFi markets and protocols. As a result, multiple analysts classify the exploit as the largest so far this year.
Arbitrum Security Council Executes Emergency Action
Following the exploit, a portion of the stolen funds remained on Arbitrum. The Arbitrum Security Council initiated an emergency response to secure those assets. After technical analysis and internal deliberation, the Council executed a transfer that moved 30,766 ETH from the exploiter’s address.
On-chain data confirms the funds were sent to an intermediary frozen wallet, effectively removing access from the attacker. The funds can only be moved by Arbitrum governance, which has promised to coordinate with the relevant parties before taking any further action.
This was not a reversal of transactions but a deliberate transfer executed through Arbitrum’s security framework, isolating the assets from further movement.
The Security Council stated that it took the action with input from law enforcement regarding the exploiter’s identity. However, no specific agencies were named, and no operational details were disclosed.
KelpDAO Exploiter Wallet Activity
Arkham data shows that the exploiter-controlled entity held substantial assets prior to the recovery, with Ethereum forming the majority of the portfolio. Following the intervention, the attacker still holds over $174 million in assets, with Ethereum accounting for about 98%.
Before the intervention, the attacker had begun moving smaller amounts of funds across multiple transactions, likely attempting to fragment holdings and reduce traceability. Thus, the recovery targeted a large remaining balance before further dispersal could occur.
The intervention represents one of the few instances where a major DeFi exploit was met with direct asset recovery at the protocol level, rather than passive tracking alone. The response shows that large ecosystems are increasingly able to intervene when funds remain under their control.
Temitope Olajide
