Executive Summary
Earlier this week the Arbitrum Security Council acted to freeze more than 30,000 ETH tied to the recent KelpDAO exploit, a move worth roughly $71 million. Within hours the attacker shifted over 75,000 ETH—about $175 million—to the Ethereum mainnet and began bridging the funds into Bitcoin. Security research firm Peckshield confirmed the chain of movements, underscoring the speed and scale of the breach.
What Happened
The Arbitrum Security Council identified and locked 30,766 ETH that had been linked to the KelpDAO exploit. This freeze was executed on the Arbitrum network, effectively preventing the immediate use of the stolen assets on that layer‑2 chain.
Hours after the freeze, the exploiter transferred 75,701 ETH to the Ethereum mainnet. The movement represented a clear attempt to evade the restrictions imposed on Arbitrum. Once on Ethereum, the attacker initiated bridging transactions that moved the ETH into Bitcoin, signaling a rapid cross‑chain exit strategy.
Peckshield, a security research firm, traced the flow of funds and verified both the freeze on Arbitrum and the subsequent bridge to Bitcoin. Their analysis provides the most concrete public evidence of the attacker’s tactics.
Background / Context
KelpDAO, a decentralized autonomous organization focused on liquidity provisioning, suffered a sizable exploit that allowed an attacker to siphon a large amount of ETH. While the exact vulnerability has not been publicly detailed, the scale of the loss prompted immediate action from the broader ecosystem.
Arbitrum, a leading layer‑2 scaling solution for Ethereum, operates a Security Council that can intervene in exceptional cases. The council’s decision to freeze the stolen ETH demonstrates the growing willingness of layer‑2 governance bodies to intervene directly when large‑scale theft threatens network stability.
Cross‑chain bridging has become a common exit route for attackers, allowing them to move assets away from the original chain and complicate recovery efforts. The rapid bridge from Ethereum to Bitcoin in this case illustrates how attackers exploit existing liquidity pathways to diversify and obscure stolen funds.
Reactions
Security researchers at Peckshield praised the swift response by the Arbitrum Security Council, noting that the freeze limited the attacker’s ability to manipulate the assets on the layer‑2 network. The firm also highlighted the importance of real‑time monitoring tools that can detect large, anomalous transfers across chains.
Members of the broader Ethereum community expressed mixed feelings. Some lauded the proactive stance of the Arbitrum council, while others warned that freezing assets could set precedents for future governance interventions that might clash with the decentralized ethos of the ecosystem.
Regulators have not yet issued statements, but the incident adds to ongoing discussions about how decentralized platforms should handle illicit activity and asset recovery.
What It Means
The incident underscores the evolving role of layer‑2 security councils as de‑facto custodians in emergency situations. By freezing a substantial portion of the stolen ETH, Arbitrum effectively limited the attacker’s liquidity on its network, forcing the malicious actor to shift tactics.
However, the subsequent transfer to Ethereum and the bridging to Bitcoin reveal the limits of such interventions. Once assets move to the base layer, the council’s jurisdiction ends, and the attacker can leverage the broader ecosystem’s liquidity to obscure the trail.
For developers and auditors, the breach serves as a reminder that DAO contracts remain high‑value targets. Strengthening code audits, implementing multi‑signature controls, and establishing rapid response frameworks are likely to become higher priorities.
What Happens Next
Peckshield will continue to monitor the Bitcoin address that received the bridged funds, looking for signs of further movement or attempts to cash out. The Arbitrum Security Council may also pursue legal avenues to reclaim the frozen ETH, though the outcome will depend on jurisdictional considerations and the ability to trace the funds through the Bitcoin network.
Meanwhile, KelpDAO’s community is expected to discuss remediation steps, potentially including a proposal to reimburse affected participants from a treasury reserve or through a community‑driven fund‑raising effort.
The broader crypto ecosystem will likely watch closely, as the incident could influence how other layer‑2 platforms design their emergency response mechanisms and how security firms prioritize cross‑chain monitoring tools.