Inside Arbitrum’s Decision to Take Back Stolen $72M From North Korea
Kelp DAO exploits looked gone for good. Griff Green explains why Arbitrum stepped in
By: Zack Guzman
April 22, 2026
For years, crypto hacks have followed a familiar script: Money gets drained quick, disappears faster, and (usually) no one can stop it. But sometimes, desperate times call for desperate measures.
This week, after roughly $300 million was siphoned out of KelpDAO in a cascading exploit that rippled through DeFi protocols like Aave, a portion of those funds — about $72 million in ETH — sat idle just long enough for something unprecedented to happen. A small group of elected participants inside Arbitrum made a call that’s now sending shockwaves across crypto. Arbitrum intervened, and took it back.
Griff Green, a member of Arbitrum’s Security Council and a veteran of the original DAO hack in 2016 that prompted Ethereum to roll back that hack, was somehow once again at the center of the decision.
“We were able to use our emergency powers to take these funds out of the North Korea address and freeze them in a new address that they don’t have access to,” he told Coinage.
That decision, executed after more than nine of 12 security council members voted in favor of it, may go down as one of the more consequential governance decisions in DeFi since Ethereum itself chose to fork after its own existential crisis nearly a decade ago. But as Green explains, this isn't about sacrificing some holy pact that intervention is never allowed. It's about reaching consensus that serves its users (and prevents more stolen funds from going to North Korea's hacking group —the suspected culprits of the hack.)
"The reality of the situation is that things are not immutable. It's always run on social consensus. If everyone agrees, we can change it," Green said. "That's true for Ethereum, Bitcoin or anything."
The exploit itself was messy. A bridge vulnerability allowed attackers to siphon tokens from Layer 2 environments, which were then deposited into lending protocols like Aave as collateral to borrow ETH. That ETH, according to investigators coordinating behind the scenes, was linked “beyond a reasonable doubt” to North Korean actors. But unlike most hacks, the funds weren’t immediately laundered. They sat still for two days. People waited and wondered what might happen next. As Coinage has covered in the past, it's not impossible for hackers to return funds, as one hacker once did in 2023 with $200 million. It's just extremely rare.
“It’s very rare that an attacker just leaves funds in one address for that long,” Green said. “That was what really enabled us to take this action.”
Behind the scenes, a coordinated effort involving Arbitrum’s Security Council and white-hat response group called SEAL 911 raced to identify a viable path to intervene. And while the plan worked, people are now also raising questions about the prospect of the same type of token retrieval process being used against their own funds. To Green, this was a unique case.
"Given that it's almost certainly North Korea and it's $70 million and there's existential risk to DeFi, and my role is to uphold the Arbitrum Constitution and do what I think is right for Arbitrum, and I really believe in action," he said. "We've been watching North Korea just attack crypto over and over again. ... It's so nice to actually get a win."
While acknowledging the concern for immutability, Green mentioned doing nothing would have meant allowing tens of millions of dollars to flow into the hands of a sanctioned nation-state actor that has repeatedly targeted the crypto ecosystem.
In total, North Korea is responsible for billions of dollars in stolen crypto — including more than $2 billion last year, and hundreds of millions this year. Most recently, the North Korean hackers stole more than $280 million from Drift Protocol earlier in April. And given that Arbitrum's Security Council was established for this exact purpose, the decision was ultimately made.
“All it takes for evil to triumph is for good men to do nothing,” Green said, echoing the reasoning behind his vote.
Despite recovering $72 million in Ethereum, the implications of the hack are still hanging over DeFi. Jeffries analysts wrote a note after the exploit mentioning prices could be pressured due to the debt remaining on AAVE, and that the the event could “temporarily slow TradFi adoption as security risks are re-evaluated.”
For now, the immediate question is what happens to the recovered funds. Unlike the intervention itself, that decision won’t be made by the Security Council. The $72 million has been handed over to Arbitrum’s DAO, where token holders will vote on how to distribute it back to affected users.
"Arbitrum DAO is not going to release these funds unless 100% of it goes straight into users hands," Green said.
Coinage is a community-owned DAO letting our NFT holders become actual co-owners in one of the fastest-growing Web3 media outlets. Mint an NFT and become a member today to open a path to patronage dividends, or stake with us to support our project.
