When one layer-2 froze the hacker's funds, the other $175 million found a path through the one bridge that doesn't ask permission.
The Summary
- Kelp DAO exploiter moved 75,701 ETH ($175M) through THORChain and Umbra into fresh wallets on April 21, while Arbitrum's security council froze another $71M worth of stolen funds.
- THORChain's 24-hour volume spiked to $394M, more than 11x its typical sub-$35M daily average, revealing exactly how much bandwidth permissionless bridges provide for large-scale laundering.
- The split outcome proves the paradox: censorship resistance is both crypto's greatest feature and its greatest liability, depending on which side of the $292M exploit you're standing on.
The Signal
Arkham Intelligence tracked the movement of funds suspected to belong to North Korea's Lazarus Group, the actors behind the original Kelp DAO exploit. The hacker routed the majority through THORChain, a decentralized cross-chain liquidity protocol with no KYC requirements and no governance council with freeze powers. While Arbitrum managed to freeze 30,000 ETH through its Security Council, that intervention only touched a fraction of the total haul.
The numbers tell the story of two different kinds of infrastructure. Arbitrum's layer-2 has a multisig that can pause contracts and freeze assets. THORChain doesn't. One saved $71 million. The other processed $175 million in stolen ETH without breaking a sweat.
"THORChain's volume surged to $394 million in 24 hours, more than 11x its normal daily flow."
This wasn't subtle. The swap volume spike was visible to anyone watching on-chain data. But visibility doesn't mean intervention is possible. THORChain's architecture is designed for permissionless cross-chain swaps. No human can stop a transaction, even when everyone knows it's dirty money moving in real time. The protocol processed the thief's swaps the same way it processes yours: automatically, atomically, without judgment.
The Arbitrum freeze sparked immediate debate in crypto circles about what decentralization actually means. A Security Council that can pause funds is exactly the kind of administrative backstop that prevents catastrophic loss. It's also exactly the kind of centralized control point that makes Ethereum layer-2s look more like databases with extra steps. CoinTelegraph confirmed the Arbitrum council's intervention saved a meaningful chunk of the stolen funds, but only because the hacker left them sitting on a chain with a kill switch.
Key contrasts that matter:
- Arbitrum has a Security Council with emergency powers. THORChain has code that executes regardless of who's running it.
- One chain stopped $71M from moving. The other moved $175M because stopping wasn't in the protocol design.
- Both choices are features, not bugs. The question is which feature set you're building for.
The exploit itself hit Kelp DAO for approximately $292 million total. What happened next revealed the infrastructure reality: if you want censorship resistance, you get it for everyone. If you want emergency brakes, you give up the claim to full decentralization. There's no middle path where the good guys can intervene but the bad guys can't. The protocol either has a God mode or it doesn't.
The Implication
If you're building on layer-2s, understand what you're inheriting. Arbitrum's Security Council saved users from a bigger loss this time. Next time, it might freeze funds you think are legitimate. THORChain processed the largest single-day volume in its history because its design makes no distinction between clean and dirty capital. Neither approach is wrong. They're optimized for different threat models.
For users: where you hold assets determines whether anyone can save you or stop you. That's not a bug in crypto's design. It's the whole point. The Kelp DAO hack made the tradeoff visible at $292 million scale.