Arbitrum’s Security Council executed a clean intervention. Using a privileged system-level transaction, they froze 30,766 ETH worth $71 million linked to the KelpDAO exploit, completely bypassing the attacker’s wallet controls. Dragonfly partner Haseeb Qureshi confirmed the funds were transferred to an intermediary frozen wallet where they can only be moved by further governance action.
The intervention worked exactly as designed. And it immediately told the attacker what they needed to know.
Within hours of the freeze, the KelpDAO hacker moved all 75,700 ETH remaining on Ethereum into two fresh wallet addresses. Then, over the following 36 hours, converted nearly all of it to Bitcoin.
The route was deliberate. THORChain for the bulk of the cross-chain swaps. Umbra Cash for smaller privacy-focused transfers. Chainflip as a secondary exit ramp. Three decentralized protocols, none of which require identity verification or centralized approval. By the time the conversion was complete, analysts confirmed less than 0.768 ETH remained in the original exploiter wallet, not enough to cover future transaction fees. The exit was complete.
What the Freeze Actually Revealed
Arbitrum froze the ETH. As we covered when this hack first broke, the original exploit minted approximately $293 million worth of unbacked rsETH through a vulnerability in KelpDAO’s LayerZero-powered bridge, draining over $200 million in real WETH from Aave before markets could react. LayerZero’s postmortem attributed the attack to North Korean state-sponsored hackers, the Lazarus Group.
The Arbitrum freeze was a genuine success on its own terms. $71 million recovered through governance action. That is meaningful. But the freeze also served as a real-time demonstration of exactly which assets a sophisticated attacker considers safe and which they do not.
The attacker did not convert to USDC. Circle can freeze USDC wallets with a phone call and has done so dozens of times following exploit events. The attacker did not stay in ETH on Ethereum mainnet where governance councils and security researchers were actively watching. The attacker converted to Bitcoin.
Not because Bitcoin is fast. THORChain swapping $175 million in ETH to Bitcoin took 36 hours. Not because Bitcoin has better privacy. Blockchain analytics firms tracked every transaction in real time. EmberCN reported the laundering progress publicly as it happened.
Because Bitcoin has no Arbitrum Security Council. No Circle. No governance vote that can reach into a wallet and remove funds. The attacker chose the final destination specifically because that destination has no kill switch.
The THORChain Number That Should Not Be Ignored
The conversion generated $800 million in trading volume on THORChain in roughly 36 hours. The protocol earned approximately $910,000 in fees from processing the stolen funds. THORChain’s typical daily volume ranges between $10 million and $35 million. The hack moved eight months of average volume through the protocol in a day and a half.
THORChain was modelled after Bitcoin, to be permissionless and censorship resistant.
There’s no single person or entity in control of the protocol. There’s no admin key. There’s no 2-of-3 multisig. Currently, there’s 95 nodes spread globally that control the network. For the… pic.twitter.com/Za2Obrh9dO
— THORChain (@THORChain) April 21, 2026
THORChain’s operators publicly stated neutrality on the source of funds. The protocol is decentralized, governed by nodes rather than a company, and has no mechanism to selectively block transactions based on their origin. Umbra Cash pulled its hosted frontend offline and placed it in maintenance mode after the attacker used it, citing ongoing recovery efforts.
The contrast between the two responses tells you something about where the intervention pressure lands. Umbra, which has a hosted frontend and a development team, could respond. THORChain, which has neither a company nor a centralized decision-maker, processed $800 million in laundering volume and earned fees from it.
This is not a criticism of THORChain’s design. It is a description of it. A decentralized protocol that cannot be pressured into blocking transactions is also a protocol that cannot be pressured into blocking transactions for any reason. That property is the feature. It is also the risk surface.
The Pattern That Keeps Repeating
The Drift Protocol attacker converted stolen funds to Bitcoin after the April 1 exploit. The KelpDAO attacker converted stolen funds to Bitcoin after the April 18 exploit. North Korean state-sponsored hackers attributed to both attacks by blockchain analytics firms chose the same exit rail.
Every sophisticated attacker operating at scale in 2026 appears to be arriving at the same conclusion independently. USDC can be frozen. ETH on governed chains can be frozen. Bitcoin cannot be frozen.
This is the same conclusion Iran arrived at when building its Hormuz toll payment system. The same conclusion that drove $800 million of the Strategic Bitcoin Reserve argument. The same property that Bitwise CIO Matt Hougan called an out-of-the-money call option on Bitcoin functioning as a neutral global settlement layer.
Bitcoin does not know who is using it. A sovereign state collecting oil transit fees and a state-sponsored hacker laundering stolen DeFi funds arrive at the same property through entirely different paths. Censorship resistance is not selective. The asset does not care.
Aave is now managing $196 million in bad debt from the KelpDAO incident according to CEO Stani Kulechov. Total DeFi TVL dropped $14 billion in the aftermath. Thirty thousand ETH is frozen in Arbitrum governance limbo. And $175 million in Bitcoin is moving through wallets that no governance council can reach.
The freeze worked on the ETH. It told the attacker exactly where to go next.
