A high-stakes legal fight over funds tied to the KelpDAO exploit has taken a new turn after lawyers representing victims of North Korean terrorism reframed the incident as credit fraud rather than simple crypto theft. The legal shift matters because the classification could influence whether roughly 30,766 ETH, worth about $71 million, remains frozen under a U.S. court order or is released for a DeFi recovery plan.
The disputed ETH was frozen on Arbitrum after the April 18, 2026 exploit involving KelpDAO’s rsETH bridge. A U.S. District Court in the Southern District of New York issued a restraining order on May 1 preventing Arbitrum DAO from moving those funds while families with unpaid terrorism judgments against North Korea pursue a claim. The plaintiffs are trying to attach the assets under laws that allow victims to pursue property connected to state sponsors of terrorism.
The case now sits at the intersection of crypto security, sanctions enforcement, DeFi governance and victim compensation. For the DeFi industry, the frozen ETH was expected to become a major piece of a recovery effort after the KelpDAO exploit disrupted Aave markets and created a large bad-debt problem. For the plaintiffs, the same funds may represent one of the few reachable pools of value connected to North Korea-linked cyber activity.
What Happened in the KelpDAO rsETH Exploit?
The exploit began on April 18, when attackers linked by blockchain investigators to North Korea’s Lazarus Group drained about 116,500 rsETH, worth roughly $292 million, from KelpDAO’s LayerZero-based bridge infrastructure. Chainalysis described the incident as an attack on off-chain infrastructure, not a traditional smart contract bug. The attackers reportedly compromised internal RPC nodes and disrupted external nodes, allowing a single-verifier system to accept false data about a token burn that never happened.
In plain English, the bridge was tricked into releasing tokens on Ethereum as if matching tokens had been burned elsewhere. But that upstream burn did not exist. The result was a large amount of rsETH that appeared valid on-chain but was not properly backed.
OpenZeppelin reached a similar conclusion, writing that no smart contract bug had been publicly identified. The contracts performed as written, but the broader operational setup around cross-chain verification failed. That distinction is central to the wider debate because it shows that DeFi risk is no longer limited to code bugs. Infrastructure, configuration, off-chain data, and trust assumptions can be just as dangerous.
How the Attack Hit Aave
After obtaining the rsETH, the attackers used it as collateral across DeFi lending protocols, including Aave. Galaxy Research said the stolen tokens were deposited mainly on Ethereum and Arbitrum, allowing the attacker to borrow an estimated $236 million in WETH and wstETH. The same report said 112,204 rsETH became unbacked on the bridge adapter, creating severe stress across lending markets.
Aave’s own incident report said the rsETH bridge exploit was an external event and that Aave’s contracts, oracles and liquidation mechanics functioned as designed. Still, the damage to collateral backing created two possible bad-debt scenarios: about $123.7 million under uniform loss socialization or $230.1 million if losses were isolated to L2 rsETH.
This is why the legal label matters. If the event is treated simply as theft, the argument may focus on stolen property and downstream victims. If it is treated as fraud, especially credit fraud, lawyers can argue that the attackers used deceptive collateral to extract loans from Aave, making the borrowed ETH proceeds part of a fraudulent credit transaction.
Why Lawyers Are Calling It Credit Fraud
The new legal theory appears designed to strengthen the plaintiffs’ claim over the frozen assets. In a simple theft framing, the attacker stole rsETH from KelpDAO. But in a credit fraud framing, the attacker allegedly used unbacked or fraudulently obtained rsETH as collateral to borrow real ETH from Aave and other markets.
That distinction is critical because the 30,766 ETH frozen on Arbitrum may not be the original stolen rsETH. It is downstream value connected to the attacker’s borrowing activity. By arguing that the exploit involved fraudulent borrowing, lawyers can try to connect the frozen ETH more directly to the underlying North Korea-linked operation and to the legal tools available for victims of state-sponsored terrorism.
The plaintiffs reportedly hold unpaid terrorism judgments against North Korea totaling more than $877 million, excluding interest. Their lawyers argue that the frozen ETH should be treated as property tied to the Democratic People’s Republic of Korea because the exploit has been attributed to Lazarus Group, a state-linked hacking organization.
Arbitrum’s Freeze Created a Legal Opening
The legal battle would likely look very different if the funds had not been frozen. According to Chainalysis, the Arbitrum Security Council, coordinating with law enforcement, froze more than 30,000 ETH of the attacker’s downstream funds after the exploit.
Galaxy Research said the Arbitrum Security Council moved 30,766 ETH into an intermediary frozen wallet that could only be acted upon through Arbitrum governance. The move was meant to prevent laundering and preserve value for recovery efforts.
But that emergency intervention also made the funds more reachable. Once assets are immobilized and identified, they become a potential target for court orders. Unchained reported that the restraining order now blocks Arbitrum DAO from moving the ETH and creates a competing claim against funds that the DeFi recovery coalition had expected to use for compensation.
This creates an uncomfortable lesson for decentralized governance. Freezing funds can stop criminals from laundering stolen assets, but it may also bring those assets into the reach of traditional courts, creditors, and legal claimants.
DeFi Recovery Effort Faces a Complication
Before the court order, the frozen ETH was expected to play a major role in the broader recovery effort for the KelpDAO rsETH incident. A coalition involving Aave, KelpDAO, LayerZero and other ecosystem participants had been working on a plan to restore backing and reduce losses across affected markets.
Unchained reported that the DeFi United recovery initiative had gathered more than $311 million in pledges, including large ETH commitments from major ecosystem participants. The 30,766 ETH frozen by Arbitrum was expected to be the single largest contribution.
That plan is now harder. If a court keeps the ETH frozen for terrorism judgment creditors, DeFi users and protocols may need to rely more heavily on other pledged funds. If the court releases the ETH for the recovery plan, the terrorism victims may lose a rare chance to collect against North Korea-linked assets.
Neither outcome is simple. One group includes users and protocols directly harmed by the April exploit. The other includes families holding long-standing judgments against a sanctioned state accused of supporting terrorism.
North Korea’s Crypto Hacking Problem Keeps Growing
The case also highlights the growing financial role of North Korean cyber operations. Chainalysis attributed the KelpDAO exploit to attackers linked to Lazarus Group, and the firm described the incident as a sophisticated off-chain infrastructure attack rather than a standard smart contract failure.
North Korea-linked groups have repeatedly targeted crypto exchanges, bridges, DeFi protocols and infrastructure providers because digital assets can move quickly and across borders. For years, law enforcement agencies and blockchain intelligence firms have warned that stolen crypto helps fund North Korea’s regime and weapons programs.
That broader context explains why terrorism creditors are watching crypto hacks so closely. If North Korea-linked hackers steal or move digital assets, those assets may become one of the few practical recovery targets available to judgment holders.
Why This Case Matters for Crypto Law
The KelpDAO dispute could become an important test case for how courts treat hacked crypto, DeFi governance actions, and frozen on-chain assets. It raises several difficult questions.
Can a DAO-controlled wallet be restrained by a U.S. court? Who has authority to respond when a security council freezes assets? Should frozen exploit proceeds go to direct protocol victims or external judgment creditors? How should courts classify an exploit involving forged collateral and borrowed funds? And when North Korea is linked to an attack, do sanctions and terrorism laws override DeFi recovery plans?
The answers may affect future incidents. If courts can successfully attach frozen assets, legal claimants may become more aggressive after major hacks. If DAOs resist or ignore orders, they may face new scrutiny. If security councils hesitate to freeze assets because of legal complications, hackers may gain more time to launder funds.
What Users Should Watch Next
The next key step is the legal process around the restraining order and any divestiture or ownership hearing. A court will need to decide whether the plaintiffs’ claim is strong enough to keep the ETH frozen and eventually redirect it toward terrorism judgments, or whether the assets can be released for the DeFi recovery plan.
Aave, Arbitrum, KelpDAO, LayerZero and affected users will be watching closely. So will lawyers, blockchain investigators, DAO governance teams, and DeFi risk managers.
For everyday crypto users, the case offers a practical reminder: DeFi risks do not end when an exploit is detected. Recovery can become a legal fight, especially when state-linked hackers, frozen funds, governance votes and cross-border claims are involved.
A Defining Moment for DeFi Recovery
The KelpDAO exploit began as a technical and operational failure in cross-chain infrastructure. It quickly became a DeFi liquidity crisis. Now it has become a legal dispute over whether frozen ETH should compensate direct crypto victims or long-standing victims of North Korean terrorism.
The decision to recast the incident as credit fraud is more than legal wordplay. It is an attempt to define what really happened: not just a theft of rsETH, but a fraudulent borrowing scheme that turned unbacked collateral into real ETH.
Whatever the court decides, the case is likely to shape how the crypto industry thinks about recovery. Freezing stolen funds may stop hackers, but it can also open the door to competing claims. For DeFi, that means the next major exploit may not end on-chain. It may end in court.