Arbitrum Poses as Hacker, 'Steals' Back Money Lost by KelpDAO
Original Title: "Arbitrum Pretends to Be a Hacker, Recovers Stolen Funds for KelpDAO"
Last week, KelpDAO was hacked, losing nearly $300 million, marking the largest DeFi security incident of the year so far.
The stolen ETH is now scattered across multiple chains, with around 30,765 remaining in an address on the Arbitrum chain, valued at over $70 million.
Just when everyone thought the story had concluded, a new episode unfolded today.
According to on-chain security firm PeckShield, the funds in the hacker's address on the Arbitrum chain were transferred out a few hours ago, but strangely, these funds were sent to an address that appears to be mostly zeros, like 0x00000...
At that time, everyone was speculating: Did the hacker burn the funds in a black hole address? Or did they have a change of heart or accept a bribe?
Neither.
A few hours ago, an emergency action notice was posted on the Arbitrum official forum explaining the situation. The hacker's funds were transferred by Arbitrum's Security Council.
Interestingly, without knowing the hacker's address's private key, the Arbitrum Council neither froze the hacker's funds nor had the authority to transfer them; instead, they directly issued a transfer instruction "on behalf of the hacker."
The hacker themselves was unaware, the private key was not compromised, and the on-chain records appear as if the hacker conducted the operation.
The principle behind this operation is that all cross-chain messages between Arbitrum and Ethereum go through a bridge contract called the Inbox. The Security Council used emergency powers to temporarily upgrade this contract, adding a new function:
To send a cross-chain transaction on behalf of any wallet address without requiring that wallet's private key.
They then used this function to forge a message, with the sender's address being the hacker's wallet and the content stating “Transfer all my ETH to the frozen address.” When the Arbitrum chain received it, the strange scene captured in the on-chain transfer screenshot occurred.
After transferring the hacker's funds, the contract immediately self-destructed back to its original state. The upgrade, the forgery, the transfer, and the recovery were all bundled into one Ethereum transaction. Other users and applications were not affected at all.
This operation has no precedent in Arbitrum's history.
According to a forum announcement, the Security Council had confirmed the hacker's identity with law enforcement in advance, pointing to the North Korean Lazarus Group, the most active state-level hacker organization in the DeFi space this year. The council conducted a technical assessment, ensuring no impact on other users before taking action.
Since the hacker acted maliciously first, this move is somewhat akin to a "no honor among thieves" situation. As for how to handle the frozen ETH in the future, it will go through a vote in Arbitrum's DAO governance process, in coordination with law enforcement.
Being able to recover over $70 million in stolen funds is certainly a positive outcome. However, it's worth noting the precondition for achieving this: among the 12 members of the Security Council, 9 signatures are sufficient to bypass any governance vote and smoothly upgrade any core contract on the chain.
Applauding the outcome, Concerns about authority?
Currently, the community's response to this incident is quite divided.
Some see Arbitrum's actions as commendable, protecting assets at a critical moment and even boosting confidence in L2. Others pose a direct question: if 9 signatures can move any assets in anyone's name, does this still qualify as decentralization?
From the author's perspective, both sides are not actually discussing the same thing.
The former is talking about the outcome, while the latter is discussing authority. The outcome of this incident is undoubtedly positive, with over $70 million in stolen funds recovered. However, the ability demonstrated by Arbitrum this time with the multi-signature contract function is neutral in itself; how it will be used in the future, what it can do, and how it can be done actually depend on the committee's governance.
However, for most users of Arbitrum, this discussion may not be as practical without another fact. Arbitrum is not unique in this aspect, as most mainstream L2 solutions currently retain similar emergency upgrade capabilities.
The chain you are using most likely also has a similar Security Council with similar capabilities. This is not a unique choice for Arbitrum. At this current stage, most L2 solutions have this common design.
Looking at it from a different perspective, this attack and defense has actually revealed a larger picture.
The attacker was North Korea's Lazarus Group, which has been attributed to at least 18 DeFi attacks this year. Just three weeks ago, they stole $285 million from Drift Protocol using a completely different method.
On one side, state-level hackers are continuously upgrading their attack methods, while on the other side, L2 is beginning to use underlying permissions to fight back. The security battle in DeFi is transitioning from "post-attack freezing, on-chain announcements, praying for whitehat intervention" to a new stage.
In a very extraordinary move, a universal key was created to unlock the hacker's address, and after the task was completed, the key was destroyed. Just based on this incident, the ability to withstand hacker attacks is not bad.
And if we must elevate the matter to a philosophical discussion of "this is not at all decentralized," then there is much to discuss. There are numerous centralized operations in the crypto industry, but this time at least, the focus was on handling the negative event and resolving the issue, rather than causing a negative event.
Returning to a more pragmatic view, KelpDAO was stolen $292 million, only over $70 million has been recovered, which is less than a quarter of the total. The remaining ETH is still scattered across other chains, over $100 million bad debt on Aave is still unresolved, and the amount rsETH holders will recover is still unknown.
Even though Arbitrum invoked its God-mode permission, it is clear that the battle is far from over.
Original Article Link
You may also like
Morning Report | BitMine increased its holdings by 126,971 ETH last week; trader Eugene announced his exit from the crypto market
Wang Chuan: How can one not feel anxious after the neighbor Old Wang made thirty times profit by investing in storage stocks? (Seven) - A quarter-century cycle
Cryptocurrency CEXs are flocking to sell US stocks, and traditional brokerages are facing an "uninvited guest."
$75 billion in foreign capital has fled, and South Korean retail investors have absorbed it all using leverage
Japan’s Three Megabanks Plan Joint Stablecoin Issuance in Fiscal 2026
MUFG, SMBC, and Mizuho reportedly plan to jointly issue fiat-pegged stablecoins in fiscal 2026, signaling Japan’s growing push into bank-led digital payment infrastructure.
Humanity Discloses H Token Dual-Chain Attack Details, With Losses on Ethereum and BSC Exceeding $36 Million
Humanity said the H token attack across Ethereum and BSC caused more than $36 million in losses after leaked ProxyAdmin keys enabled malicious contract upgrades and token minting.
White House Discusses CLARITY Act With Law Enforcement Ahead of Senate Vote
The White House discussed the CLARITY Act with law enforcement ahead of a Senate vote, focusing on illicit finance risks and developer protections.
Bitcoin Trading Guide 2026: Strategies for Experienced Traders
What Is XAUT and PAXG? Why Tokenized Gold Is Booming in 2026
Will the SpaceX IPO Hurt Bitcoin? Here's What Traders Are Watching
Foreign selling in the South Korean stock market accelerates, with cumulative net sales reportedly reaching $75 billion this year
On June 9, The Kobeissi Letter, citing Goldman Sachs data, reported that global investors are selling South Korean stocks at an unusually rapid pace. In the latest trading session, foreign investors sold about $801 million worth of Kospi constituent stocks again; total foreign outflows last week reached about $10 billion, and the market has been in net foreign selling on nearly every trading day over the past month. According to the data cited in the report, foreign investors have sold about $75 billion worth of South Korean stocks so far this year. Meanwhile, South Korean retail and institutional investors together recorded roughly $69 billion in net buying over the same period, suggesting that the market’s main buying support has come from domestic capital rather than returning overseas funds. The information currently disclosed still mainly comes from The Kobeissi Letter’s retelling and Goldman Sachs data summaries, while public details on the statistical period and the specific definition of “selling” remain relatively limited.
Fortune Warns of Strategy’s Financing Structure Risks as Bitcoin Premium Narrows
Fortune warned that Strategy’s Bitcoin treasury model faces growing financing risks as MSTR’s net asset premium narrows and preferred stock dividend pressure increases.
Ferrari Challenge Le Mans: Carl Moon to Dominate in WEEX Livery
Sahara AI Responds to SAHARA’s Sharp Drop: No Contract or Product Security Issues Found, Internal Investigation Underway
Sahara AI responded to SAHARA’s 60% price drop, saying no token contract or product security issues have been found and an internal investigation is underway.
WEEX Deposit/Withdrawal Dynamic Island: Your Asset Status, Always in Sight
Scaling Crypto Derivatives: The Digital Asset Infrastructure Behind High-Volume Trading
In the fast-moving digital asset ecosystem, derivatives platforms face an extreme architectural test. High-leverage futures markets demand more than just standard security—they require absolute operational precision, zero-latency matching engines, and ironclad structural scalability, all while navigating intense market volatility.
As global platforms scale to meet these demands, the industry is shifting away from rigid, monolithic setups toward a more agile, "decoupled" infrastructure philosophy.
The Blueprint for High-Volume Copy TradingFor elite global exchanges like WEEX (founded in 2018), this architectural choice becomes critical when scaling high-volume retail features like social copy trading. When thousands of users automatically mirror the real-time strategies of elite traders simultaneously, it triggers sudden, monumental spikes in concurrent transactional volume.
To prevent execution latency or settlement bottlenecks during these peak volatility events, a platform's primary engine must remain entirely dedicated to risk management, copy-trade synchronization, and order matching.
The Architectural Rule: New-generation platforms must separate front-end user execution engines from heavy backend infrastructural overhead to eliminate operational friction.
By separating these layers, platforms can maintain complete sovereignty over their trading environments and user experiences while strategically aligning with institutional-grade infrastructure ecosystems. This strategic framework allows modern exchanges to leverage advanced Digital Asset Custody infrastructure such as Cobo’s behind the scenes, ensuring that backend wallet management scales elastically alongside trading spikes.
Capitalizing on Market Momentum and 400× LeverageIn a derivatives arena where platforms offer up to 400× leverage on perpetual contracts, capital efficiency and market agility are core business metrics. To capture market momentum, an exchange needs the ability to rapidly expand its asset offerings, supporting everything from legacy crypto assets to sudden, trending altcoins across a massive library of trading pairs.
Adopting a flexible, scalable Wallet-as-a-Service (WaaS) solution such as Cobo’s could completely rewrite the development timeline for high-growth exchanges. Instead of spending months of engineering capital building out custom backend wallet architectures for every new blockchain network, platforms can deploy localized infrastructure in days.
This agility allows platforms to instantly scale their listings to over a thousand trading pairs without compromising security or delaying time-to-market. It mirrors the exact operational advantages seen during high-velocity market events, similar to how advanced wallet infrastructure empowers platforms during sudden asset surges; allowing exchanges to pass that speed and liquidity directly to their global user base.
A Mature Foundation for GrowthThe synergy between trusted infrastructure ecosystems and global trading platforms represents the natural evolution of a maturing crypto market. As WEEX continues to scale its global spot and derivatives offerings for over 6 million users, adopting robust backend paradigms proves that platforms no longer have to compromise between cutting-edge trading velocity and uncompromised structural security.
Get Paid to Onboard? Try WEEX’s New Homepage with Rewards for Registration, Deposit & Trade
WEEX Custom Layout: Build Your Perfect Trading Workspace in Seconds
Morning Report | BitMine increased its holdings by 126,971 ETH last week; trader Eugene announced his exit from the crypto market
Wang Chuan: How can one not feel anxious after the neighbor Old Wang made thirty times profit by investing in storage stocks? (Seven) - A quarter-century cycle
Cryptocurrency CEXs are flocking to sell US stocks, and traditional brokerages are facing an "uninvited guest."
$75 billion in foreign capital has fled, and South Korean retail investors have absorbed it all using leverage
Japan’s Three Megabanks Plan Joint Stablecoin Issuance in Fiscal 2026
MUFG, SMBC, and Mizuho reportedly plan to jointly issue fiat-pegged stablecoins in fiscal 2026, signaling Japan’s growing push into bank-led digital payment infrastructure.
Humanity Discloses H Token Dual-Chain Attack Details, With Losses on Ethereum and BSC Exceeding $36 Million
Humanity said the H token attack across Ethereum and BSC caused more than $36 million in losses after leaked ProxyAdmin keys enabled malicious contract upgrades and token minting.
Popular coins
Latest Crypto News
