US Law Firm Moves to Block Frozen ETH From Kelp Exploit

A New York district court signed a restraining notice and three writs of execution to prevent the Arbitrum DAO from moving Ether believed to be tied to the Kelp exploit, according to a Friday post on the Arbitrum DAO forum by US law firm Gerstein Harrow LLP. The firm says its clients—unaffected by the Kelp exploit—won default judgments against North Korea in 2010, 2015 and 2016 and are owed about $877 million in compensatory and punitive damages, plus interest. It argues the stolen Ether is “property” in which the DPRK has a stake because the hacker group behind the attack is tied to the country.

The freeze comes as the Kelp DAO breach, which is believed to have been carried out by TraderTraitor, a North Korea–linked subgroup of Lazarus, sent shockwaves through the DeFi ecosystem. In the days that followed, Arbitrum’s Security Council moved to halt activity on a substantial amount of Ether tied to the incident—30,766 ETH, valued at over $73 million at the time—stewing in a wallet connected to the exploit.

The legal maneuver raises questions about who ultimately bears responsibility for losses tied to state-backed cyber operations and how recovered assets should be allocated when multiple parties claim stakes in stolen funds. Gerstein Harrow’s filing contends that the DPRK’s debt should be addressed without diverting funds away from the victims of the hack, a point raised by others in the community who warned that blocking the return of stolen funds to their rightful owners could shift the burden onto different victims who were themselves robbed.

Key takeaways

• A New York court has issued a restraining notice and three writs of execution to block the Arbitrum DAO from transferring frozen Ether linked to the Kelp exploit, according to Gerstein Harrow LLP.
• The law firm argues its clients hold approximately $877 million in a combination of compensatory and punitive damages against North Korea, plus interest, stemming from judgments in 2010, 2015 and 2016.
• Arbitrum’s emergency action previously froze 30,766 ETH (roughly $73 million at the time) held in a wallet associated with the Kelp attack, illustrating the ongoing friction between recovery efforts and legal claims.
• The Kelp hack, which occurred on April 18, is attributed to TraderTraitor, a Lazarus Group–linked actor, highlighting the intersection of cybercrime, sanctions enforcement, and crypto asset recovery.
• Gerstein Harrow has pursued similar efforts before, including cases involving funds frozen by Tether after the 2023 Heco Bridge hack and other DAO-related actions, underscoring a pattern of aggressive asset-claim strategies in crypto disputes.

Legal maneuvering around stolen assets and DAO freezes

According to the filing and public forum posts, the restraining notice seeks to prevent the release or movement of Ether seized in relation to the Kelp DAO breach. Gerstein Harrow frames its claim around three prior U.S. district court judgments against the DPRK, asserting that the government bears responsibility for the actions of the actor behind the attack. The firm contends the stolen Ether qualifies as property over which the DPRK maintains an interest because the hacker group is affiliated with the state. If the restraining order stands, victims of the Kelp exploit could face longer delays before recovering funds they believe belong to them or to sanctioned entities that claim an ownership stake.

In a related development, Arbitrum’s governance forum and community discussions have highlighted a potential path for victims. On April 25, Aave Labs proposed unfreezing the $73 million in Ether tied to the Kelp breach and redirecting those assets to DeFi United, a fund aimed at restoring rsETH and compensating holders. The proposal underscored a broader debate about how to reconcile restitution for criminal activity with the interests of legitimate token holders and DeFi participants.

One Arbitrum DAO member, posting under the handle Zeptimus, noted that if Gerstein Harrow’s action succeeds, the DPRK debt could theoretically be transferred to the Kelp DAO victims. The commentary captured the tension between pursuing accountability for state-backed cyber actors and ensuring that the victims of theft do not bear the burden of a geopolitical debt, a point echoed by other community voices who emphasize the need for a principled approach to asset recovery.

Gerstein Harrow’s ongoing litigation strategy

Gerstein Harrow has a history of pursuing claims on behalf of clients seeking a share of funds frozen or stolen in crypto incidents tied to sanctioned actors. In February, the firm filed a claim related to funds frozen by Tether after the 2023 Heco Bridge hack. The practice has also involved class actions against various DAOs and, in public commentary, has faced scrutiny from on-chain investigators who have questioned the firm’s use of research in court documents to support asset claims. For example, ZachXBT publicly accused the firm of leveraging his research to stake claims stemming from another major incident, illustrating the contentious nature of legal action in the crypto space.

Overall, the episode sits at the crossroads of sanctions enforcement, cybercrime attribution, and the evolving governance of frozen crypto assets. It also highlights the persistent question of how to allocate recovered funds when multiple plaintiffs and jurisdictions claim an interest, especially when a state actor is implicated in the underlying theft. The Kelp incident has sharpened debates about how to balance punitive measures against sanctioned states with practical restitution for individual victims and DeFi participants alike.

North Korea–affiliated actors have faced accusations of stealing at least $578 million across major incidents in April alone, reinforcing the perception of a coordinated, high-volume campaign against crypto networks. The Bybit hack and other exposures have further linked Lazarus Group operations to several high-profile breaches, prompting ongoing scrutiny from investigators and policymakers alike. In the wake of these actions, the crypto community is watching how courts will adjudicate claims to seized or frozen assets and whether recovery will advance or stall as legal strategies unfold.

As the dispute evolves, readers should monitor upcoming court filings and governance council decisions in Arbitrum as well as any further moves by Gerstein Harrow to recover or allocate seized assets. The balance between accountability for state-linked hacking and equitable restitution for victims remains unsettled, with the next steps likely to influence how similar cases are approached in the rapidly evolving landscape of crypto asset recovery and DAO governance.