
Arbitrum Freezes 30,766 ETH From KelpDAO Exploiter
The Arbitrum Security Council executed an emergency upgrade to freeze $71M in ETH tied to the KelpDAO exploit, briefly modifying an inbox contract to impersonate the exploiter.
The Arbitrum Security Council executed an emergency upgrade to freeze 30,766 ETH from an address involved in the KelpDAO exploit. As part of the recovery effort, $71 million in ETH was moved from the exploiter's wallet into a frozen intermediary address. The funds will remain frozen until an Arbitrum DAO vote approves further action.
Council member Patrick McCorry explained that the council briefly modified the chain's inbox contract on L1 to include a function enabling cross-chain messages that could impersonate any sender. Using this capability, a single transaction impersonated the exploiter's address to transfer the funds. Immediately afterward, the inbox contract was restored to its original state.
The Arbitrum DAO will need to decide how to allocate the recovered funds: whether to use them to compensate Aave users for losses or to return them to KelpDAO to help restore rsETH backing.
Update (May 4, 2026): A U.S. law firm has filed a restraining notice in SDNY seeking to claim the frozen 30,766 ETH for its own clients, citing the exploit's attribution to North Korea's Lazarus Group. Aave LLC has filed an emergency motion to vacate the notice and is requesting a $300M bond if it stands. The DAO transfer vote remains legally blocked pending the court's decision.

EarnUSD is a stablecoin vault by Lido for earning transparent, onchain USD-denominated rewards. Get started today at stake.lido.fi/earn
Disclaimer: Content is for informational purposes only, not endorsement or investment advice. The accuracy of information is not guaranteed.

LayerZero RPC-Poisoning Attack
LayerZero attributed the KelpDAO exploit to an RPC-poisoning attack by the TraderTraitor subgroup of North Korea's Lazarus Group.
LayerZero published a statement claiming the $290 million KelpDAO exploit stemmed from a sophisticated RPC-poisoning attack that manipulated its DVN's verification process. It attributed the attack to the TraderTraitor subgroup of North Korea's Lazarus Group. According to LayerZero, the attackers compromised RPC nodes and fed forged data directly to the DVN while masking activity from monitoring systems.
LayerZero Labs placed responsibility on KelpDAO, arguing that its 1-of-1 DVN configuration enabled the exploit, even though LayerZero's own DVN was the sole verifier KelpDAO relied on. LayerZero stated that it will no longer support single-DVN setups. The company did not outline any plans to compensate affected users. Aave subsequently froze WETH and LST markets as the exploit rippled through DeFi.

ETH Limo Nameserver Hijack Via EasyDNS
An attacker impersonated a team member and tricked EasyDNS into executing a fraudulent account recovery, briefly hijacking eth.limo's nameservers.
Eth.limo, a Web2 gateway that enables ENS domains to be accessed over HTTPS, suffered a domain hijack on April 17, 2026. An attacker impersonated a team member and successfully tricked the DNS registrar EasyDNS into carrying out a fraudulent account recovery request.
The attacker then redirected the nameservers as part of an attempted phishing campaign. However, the attack was effectively contained: thanks to DNSSEC, resolvers returned SERVFAIL responses. EasyDNS regained control of the account and reversed the malicious nameserver changes within eight hours of the incident. EasyDNS CEO Mark Jeftovic publicly apologized for the incident. Eth.limo says it plans to migrate to Domainsure, which eliminates account recovery options.
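Why a nameserver change alone ends in SERVFAIL on a DNSSEC-signed zone, as an added example (not code from eth.limo or EasyDNS): the parent zone's DS record is a hash of the zone's key, so DNSKEYs served from replacement nameservers fail to match it. The zone name and keys below are constructed placeholders, it is assumed the DS at the parent still referenced the original key, and signature (RRSIG) verification is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire format of a DNS owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_intact(owner, parent_ds, served_dnskeys):
    """True if a DNSKEY served for the zone matches a DS held by the parent."""
    return any(make_ds(owner, k) in parent_ds for k in served_dnskeys)

def resolver_outcome(owner, parent_ds, served_dnskeys):
    """Simplified validating-resolver verdict (RRSIG checks omitted)."""
    if not parent_ds:
        return "NOERROR (insecure)"  # unsigned delegation, nothing to validate
    return "NOERROR" if chain_intact(owner, parent_ds, served_dnskeys) else "SERVFAIL"

# Constructed sample data: a placeholder zone and two made-up algorithm-13 keys.
OWNER = "example.test."
LEGIT_KSK = dnskey_rdata(257, 13, bytes(range(64)))
OTHER_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
PARENT_DS = [make_ds(OWNER, LEGIT_KSK)]  # DS held by the parent zone

if __name__ == "__main__":
    for label, keys in [("original nameservers", [LEGIT_KSK]),
                        ("replacement, different key", [OTHER_KSK]),
                        ("replacement, unsigned", [])]:
        print(label, "->", resolver_outcome(OWNER, PARENT_DS, keys))
```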
