Last week, KelpDAO was hacked, losing nearly $300 million, making it the largest DeFi security incident of the year so far.


The stolen ETH is now scattered across multiple chains; about 30,765 ETH of it sat in a single address on Arbitrum, worth over $70 million.
That seemed to be the end of the story, but today there is a sequel.
According to monitoring by the on-chain security firm PeckShield, the funds in the hacker's Arbitrum address were moved out a few hours ago. Strangely, they went to an address that is almost entirely zeros, beginning 0x00000...
Everyone speculated at the time: had the hacker burned the money by sending it to a black-hole address? Had they had a change of heart, or been turned in?
Neither.
A few hours ago, the official Arbitrum forum posted an emergency action notice explaining what happened: the hacker's funds were moved by Arbitrum's Security Council.
The council did not have the hacker's private key, did not freeze the address, and did not invoke any direct authority to move its balance. Instead, it issued a transfer "in the hacker's name."
The hacker was not involved, no private key was leaked, and the on-chain record looks exactly as if the hacker had made the transfer themselves.
The mechanism: messages from Ethereum to Arbitrum pass through a bridge contract on Ethereum called the Inbox. When such a message is executed on L2, its sender is whatever address the Inbox stamped on it (normally the L1 address that called the Inbox); the L2 trusts the Inbox to have authenticated that sender and checks no signature of its own.
The Security Council used its emergency powers to temporarily upgrade this contract, adding a new function:
Send a cross-chain message in the name of any wallet address, without that wallet's private key.
It then used this function to craft a message whose sender was the hacker's wallet and whose content was, in effect, "transfer all my ETH to the freeze address."
Arbitrum received it and executed it like any other L1-originated message, which produced the strange transfer seen on-chain.
Once the hacker's funds had been moved, the contract was immediately reverted to its original implementation.
Upgrade, forge, transfer, restore, all completed within a single Ethereum transaction.
Other users and applications were unaffected.
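To make the trust relationship concrete, here is a toy model of the sequence above. It is an added illustration for this article, not Arbitrum's code: every name in it (InboxProxy, InboxV1, InboxV2Emergency, send_l2_message_as, L2Node, the 0x... labels and the balances) is hypothetical. It models one property only: the L2 executes L1-originated messages with no signature check, trusting the sender field stamped by whatever Inbox implementation is live at the time, so whoever can swap that implementation can act as any L2 account.

```python
# Toy model of an L1 -> L2 message bridge with an upgradeable L1 Inbox.
# Added illustration; NOT Arbitrum's code. All names and balances are
# hypothetical. The L2 side never sees a signature for an L1-originated
# message: it trusts the sender the Inbox implementation stamped on it.
from dataclasses import dataclass


@dataclass(frozen=True)
class L1ToL2Message:
    sender: str  # L2 account the message executes as (unsigned on L2)
    to: str
    value: int   # toy units, think ETH


class InboxV1:
    """Normal implementation: the stamped sender is always the L1 caller."""

    @staticmethod
    def send_l2_message(storage, caller, to, value):
        # msg.sender on L1 becomes the sender on L2; no parameter overrides it.
        storage.queue.append(L1ToL2Message(sender=caller, to=to, value=value))


class InboxV2Emergency(InboxV1):
    """Hypothetical emergency implementation: adds a privileged 'send as'."""

    @staticmethod
    def send_l2_message_as(storage, caller, sender, to, value):
        if caller != storage.admin:
            raise PermissionError("only the proxy admin (security council)")
        # The sender is chosen by the caller instead of derived from msg.sender.
        storage.queue.append(L1ToL2Message(sender=sender, to=to, value=value))


class InboxProxy:
    """Upgradeable proxy: storage lives here, behaviour comes from `impl`."""

    def __init__(self, admin, impl):
        self.admin = admin
        self.impl = impl
        self.queue = []  # pending L1 -> L2 messages; survives upgrades

    def upgrade_to(self, caller, impl):
        if caller != self.admin:
            raise PermissionError("only the proxy admin can upgrade")
        self.impl = impl

    def __getattr__(self, name):
        # "delegatecall": run the implementation's function against this
        # proxy's storage. Only reached for names the proxy itself lacks.
        fn = getattr(self.impl, name)  # AttributeError if impl has no such fn
        return lambda *args, **kw: fn(self, *args, **kw)


class L2Node:
    """Applies L1-originated messages. There is no signature to verify."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def apply_l1_messages(self, inbox):
        while inbox.queue:
            m = inbox.queue.pop(0)
            if self.balances.get(m.sender, 0) < m.value:
                continue  # insufficient balance: this message reverts, others proceed
            self.balances[m.sender] -= m.value
            self.balances[m.to] = self.balances.get(m.to, 0) + m.value


def emergency_action(inbox, council, target, freeze_addr, amount):
    """Upgrade, forge, restore, as one atomic L1 transaction would do it."""
    original = inbox.impl
    inbox.upgrade_to(council, InboxV2Emergency)
    inbox.send_l2_message_as(council, target, freeze_addr, amount)
    inbox.upgrade_to(council, original)
    return inbox.impl is original


def run_demo():
    council, hacker, alice, bob, freeze = "0xCouncil", "0xHacker", "0xAlice", "0xBob", "0xFreeze"
    inbox = InboxProxy(admin=council, impl=InboxV1)
    l2 = L2Node({hacker: 30_765, alice: 100})  # constructed balances
    inbox.send_l2_message(alice, bob, 10)      # ordinary user traffic before...
    restored = emergency_action(inbox, council, hacker, freeze, 30_765)
    inbox.send_l2_message(alice, bob, 5)       # ...and after: unaffected
    l2.apply_l1_messages(inbox)
    return inbox, l2, restored


if __name__ == "__main__":
    inbox, l2, restored = run_demo()
    print(l2.balances, "implementation restored:", restored)
```

Two details of the model carry the lesson. The L2 node applies a message from the hacker's address with nothing but a balance check, because in this design the Inbox on L1 is the authenticator; and after the restore the privileged entry point no longer exists, yet the forged message already sits in the queue and executes normally. The real Arbitrum Inbox also aliases contract senders and wraps messages as retryable tickets, which the toy omits.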
This operation was unprecedented in Arbitrum’s history.
According to the forum announcement, the Security Council confirmed the hacker’s identity with law enforcement beforehand, pointing to North Korea’s Lazarus Group, the most active state-level hacker organization in DeFi this year.
The council conducted a technical assessment to ensure no impact on other users before taking action.
Since the hacker broke the rules first, the council's position is essentially that it need not play fair with them either.
How the frozen ETH will be handled afterward depends on Arbitrum’s DAO governance vote and coordination with law enforcement.
Recovering over $70 million of stolen funds is certainly good, but it’s important to note that the premise for this was that 9 out of 12 members of the Security Council signed off, allowing them to bypass all governance votes and upgrade any core contract on-chain instantly.
Praise for the result, concern about the capability?
Currently, community reactions are quite divided.
Some believe Arbitrum did a great job, protecting assets at a critical moment and boosting confidence in L2. Others ask a very direct question: if 9 people can sign to act in anyone’s name and move any assets, is this still decentralization?
I think both sides are actually talking about different things.
The former is about the outcome; the latter about the capability.
The outcome is definitely positive—over $70 million recovered.
But the capability Arbitrum demonstrated, a multisig rewriting the functions of a core contract, is neutral in itself; how it is used, whether to pursue hackers or for something else, and under what process, is ultimately decided by the council's governance.
For most Arbitrum users, though, this debate may matter less than a simple fact: Arbitrum is not unique.
Most mainstream L2s today retain similar emergency upgrade permissions, and the chain you use probably has a security council with comparable powers.
At this stage it is the common design across L2s, not a choice particular to Arbitrum.
From another perspective, this attack and defense reveal a bigger picture.
The attacker is North Korea’s Lazarus Group, attributed to at least 18 DeFi attacks this year.
Three weeks ago, they stole $285 million from Drift Protocol, using a completely different method.
On one side, state-level hackers are continuously upgrading their attack methods; on the other, L2s are starting to use underlying permissions for counterattacks.
DeFi security is moving out of the phase of "freeze requests after the fact, on-chain messages to the attacker, and hoping a white hat intervenes" into something new.
In a critical moment, they forged a master key that could open the hacker's address, then melted the key afterwards.
On that basis alone, having the capability to counter hackers is not a bad thing.
And if we elevate this to a philosophical debate about “decentralization,” there are many things to say.
The industry’s centralization practices are numerous; at least this time, they handled a negative event and solved the problem rather than creating one.
Looking at it pragmatically, KelpDAO lost $292 million and only about $70 million has been recovered, less than a quarter of the total.
The rest of the ETH is still scattered across other chains, over $100 million of bad debt on Aave remains unresolved, and how much rsETH holders will recover is still unknown.
Even with Arbitrum’s god-like permissions, this battle is far from over.