Sanctuary Intelligence Desk

LayerZero V2 cross-chain messages depend on a Decentralized Verifier Network. In KelpDAO's configuration at the time of the attack, that network was set to a single verifier — a design decision flagged in third-party security reviews months earlier but not corrected.
According to LayerZero's own post-mortem, on the morning of April 18 the attacker first compromised two specific RPC nodes serving the protocol — replacing their binaries with a malicious version that would, when polled, return forged confirmation data. Then the attacker DDoS'd the remaining clean nodes, forcing the bridge's failover logic to choose the malicious nodes. The verifier, polling what it thought were healthy peers, signed off on a cross-chain message that claimed 116,500 rsETH had been deposited on a source chain when in fact no deposit had occurred.
The destination chain accepted the message. The vault released the rsETH. The destination chain has no on-chain way to validate that the source chain claim was true — that is the whole reason cross-chain messaging is hard. The verifier is the trust assumption. The verifier had been hijacked at the infrastructure level.
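The failure mode above is a data-sourcing problem on the verifier's side: it accepted whichever RPC node was still answering. The following added example (not LayerZero's, KelpDAO's or the DVN operator's code) models the fleet the post-mortem describes, three honest nodes and two with replaced binaries, and contrasts first-responder failover with a k-of-n quorum over identical answers that abstains when too few nodes respond. The receipt payloads, node names and the 3-of-5 threshold are constructed for illustration.

```python
"""Added example: RPC failover versus quorum for a cross-chain verifier.

Models the attack described above: two RPC nodes return a forged deposit
receipt, the honest nodes are knocked offline, and the verifier must decide
whether the source-chain deposit happened. Not code from any real verifier.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed payloads. FORGED is what the replaced binaries return;
# HONEST is what a real node returns when the claimed deposit never happened.
FORGED = {"tx": "0xabc", "event": "Deposit", "amount_rseth": 116500}
HONEST = {"tx": "0xabc", "event": None}


@dataclass
class RpcNode:
    name: str
    malicious: bool
    reachable: bool = True  # False models a timeout, e.g. under DDoS

    def get_receipt(self) -> Optional[dict]:
        if not self.reachable:
            return None
        return FORGED if self.malicious else HONEST


def naive_failover(nodes):
    """Trust the first node that answers. This is the failover logic the
    attacker exploited: silence the honest nodes and the verifier believes
    whichever node is left standing."""
    for n in nodes:
        r = n.get_receipt()
        if r is not None:
            return n.name, r
    return None, None


def quorum_receipt(nodes, k):
    """Ask every node, group byte-identical answers, and accept only an
    answer given by at least k nodes. Fewer than k reachable nodes means
    the verifier cannot decide and must abstain (fail closed). k must be
    larger than the number of nodes an attacker can compromise at once."""
    answers = {}
    for n in nodes:
        r = n.get_receipt()
        if r is not None:
            answers.setdefault(json.dumps(r, sort_keys=True), []).append(n.name)
    total = sum(len(v) for v in answers.values())
    if total < k:
        return "insufficient", None, []
    best, voters = max(answers.items(), key=lambda kv: len(kv[1]))
    if len(voters) < k:
        return "disagreement", None, voters
    return "agreed", json.loads(best), voters


def deposit_confirmed(receipt) -> bool:
    return receipt is not None and receipt.get("event") == "Deposit"


def build_fleet(ddos: bool):
    # Constructed fleet: rpc-1..3 honest, rpc-4..5 running replaced binaries.
    # Under DDoS the honest nodes stop answering.
    return [RpcNode("rpc-1", False, not ddos), RpcNode("rpc-2", False, not ddos),
            RpcNode("rpc-3", False, not ddos), RpcNode("rpc-4", True),
            RpcNode("rpc-5", True)]


def naive_would_sign(ddos: bool) -> bool:
    _, r = naive_failover(build_fleet(ddos))
    return deposit_confirmed(r)


def quorum_would_sign(ddos: bool, k: int = 3) -> bool:
    status, r, _ = quorum_receipt(build_fleet(ddos), k)
    return status == "agreed" and deposit_confirmed(r)


if __name__ == "__main__":
    for ddos in (False, True):
        print(f"ddos={ddos}: failover signs={naive_would_sign(ddos)}, "
              f"quorum signs={quorum_would_sign(ddos)}")
```

Under DDoS the failover verifier signs the forged deposit; the quorum verifier sees only two answers, reports `insufficient` and does not sign. The quorum only helps if the nodes are on genuinely separate infrastructure, which is the same point the DVN-configuration advice at the end of this piece makes.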
This is not a Solidity bug. It is an operational supply-chain compromise of the kind that is becoming the dominant DeFi attack class of 2026. CoW Swap (April 14), Neutrl (March 19), eth.limo (April 17–18), Bonk.fun (March 12) — all four were registrar or DNS social-engineering attacks, not smart contract attacks. KelpDAO/LayerZero adds RPC node compromise to the list.
The 116,500 unbacked rsETH was then used as collateral in Aave, which holds rsETH as a permitted asset. The attacker borrowed against the rsETH and withdrew approximately $236 million in WETH from Aave's pools. A separate 40,000-rsETH (~$95M) follow-on attempt was blocked when LayerZero pushed an emergency configuration change.
Aave's pools were left short. The community debate around whether Aave's risk parameters should have permitted rsETH collateral at the size it did is a separate piece. The relevant point here is that the contagion magnified the loss by roughly 80 percent: on top of the $292M nominal value of the unbacked rsETH, a further $236M of real liquidity was drawn out of a separate protocol.
On April 20–21, the Arbitrum Security Council voted to freeze 30,766 ETH (~$71M) of the attacker's funds that had been bridged onto Arbitrum. The freeze worked by directing those funds to address `0x0000000000000000000000000000000000000DA0` — a burn-style sink address from which redirection requires another council vote.
The freeze was technically successful. It was also politically explosive. Arbitrum had been marketing itself as a decentralised L2 for years; a council freeze of a specific user's funds is the loudest demonstration imaginable that decentralisation is, in practice, a spectrum. The crypto-libertarian internet had its reaction. The compliance internet had a different reaction. Both sides, for once, had a real example to argue over.
For Sanctuary's part, the freeze was an unalloyed positive. $71 million more than would have otherwise been recoverable was held in place. Compliance is downstream of someone, somewhere, being willing to act. The Arbitrum council acted. THORChain — see below — did not.
The unfrozen $175 million moved fast.
Beginning April 22, the attacker bridged 75,700 ETH out of Ethereum mainnet through THORChain. THORChain, post-eXch shutdown, has emerged as the dominant cross-chain laundering rail of 2026. TRM Labs estimates that 76 percent of all DPRK theft value in 2026 has at some point routed through THORChain. The protocol's design is governance-light by intention; there is no operator who can freeze a swap mid-route. KelpDAO's lawyers, like Bybit's lawyers before them and Ronin's lawyers before that, found out that "no operator" is a feature rather than a bug from the protocol's point of view, and an unsolvable problem from a recovery standpoint.
Once on the Bitcoin side, the funds split. Some went into mixer-adjacent wallets, Wasabi and CryptoMixer among them, in patterns identical to the Bybit February 2025 laundering. On the Ethereum side, some funds went through Umbra Cash, a stealth-address protocol that allows a sender to direct payments to one-time addresses derived from a recipient's published key. Umbra's frontend went into maintenance mode shortly after Umbra's team observed the KelpDAO-attributable inflows; the team published a short post confirming approximately $800,000 had moved through their infrastructure before the maintenance.
The maintenance mode was not a censorship event in the OFAC sense. It was the kind of practical pause that infrastructure teams running compliance-conscious privacy primitives have been forced into repeatedly through 2025–2026. Privacy Pools has explicit Association Set Provider mechanics, and Railgun has its Private Proofs of Innocence, both designed for exactly this situation. Umbra has different ergonomics and faced the question without a built-in answer.
On April 30, Gerstein Harrow LLP moved for a restraining order in SDNY. The filing claimed that the $71M frozen on Arbitrum, and any subsequent recoveries, should be redirected to the firm's clients. The clients are American citizens with judgments against North Korea under the Foreign Sovereign Immunities Act terrorism exception, arising from a 1997 Hamas bombing in Jerusalem. The judgments have been outstanding for years; the United States has very few practical mechanisms to enforce judgments against North Korea, and crypto recovery proceeds are one of the few asset pools that the firm believes can be reached.
The same firm filed an analogous claim against the Tether $344M Iran freeze on May 15, 2026, under the same theory — that frozen crypto traceable to a designated state sponsor of terrorism can be redirected to terrorism-judgment creditors.
The legal theory is not crazy. It has been used to attach assets in conventional banking systems for years. What makes it acutely controversial in the crypto context is that the frozen crypto in the KelpDAO case was stolen from depositors of a DeFi protocol, not from any sovereign asset of North Korea. The thieves were DPRK-attributed. The funds were depositor funds. Redirecting recovery to terrorism creditors means depositors who lost funds in an exploit are second in line behind creditors holding judgments that arise from a bombing nearly thirty years ago.
ZachXBT's framing — "pure evil" — landed because the asymmetry is stark. KelpDAO depositors are private investors who lost money in the present. The terrorism creditors are also victims, with valid, painful claims. Both are victims. Neither was responsible for what Lazarus did. The court is being asked to allocate one finite pool of money between two non-overlapping victim groups, with depositors having no representation and no warning.
As of May 15, 2026, the matter is unresolved. The Arbitrum freeze remains in place. The Gerstein motion is pending. KelpDAO has announced a "DeFi United" creditor reorganisation program intended to return value to depositors over a multi-quarter wind-up, contingent on the legal outcome.
The pre-attack signal in this case was textbook.
Five funder wallets received 0.0978 ETH each from the Tornado Cash 0.1 ETH pool in the days before the attack. The 0.0978 figure is what remains after Tornado's withdrawal fee — meaning each of those five wallets is a confirmed Tornado withdrawal recipient. Sanctuary's `tornado_cash_recipient` detector scores these wallets at 70–85 within an hour of the withdrawal. The score is durable: it stays high for weeks because Tornado funding is one of the strongest negative signals our engine carries.
Those five wallets then funded the gas for the attacker's exploit-execution wallets. The funding pattern — small, identical, equal-amount fan-out from Tornado withdrawal recipients to fresh operational wallets — is exactly the kind of pre-attack tell that any wallet-screening engine watching Tornado downstream traffic should fire on.
For Aave specifically, the borrowing wallet would have inherited the Tornado downstream flag at hop depth two. Aave's risk system does not screen wallet behaviour, only collateral and position size. That is a design decision, not an oversight — but it is also why the contagion magnified the loss. A risk system that incorporated wallet-screening signal would have flagged the position before drawdown.
For exchanges and CASPs now: any deposit address that received a hop from the attacker's Ethereum-side EOA, `0x8b1b6c9a6db1304000412dd21ae6a70a82d60d3b`, inherits a Critical flag in Sanctuary at configurable hop depth. THORChain inflows from that wallet are flagged at hop one. Umbra-pool transactions adjacent to the KelpDAO attacker cluster carry a `stealth_address_laundering` tag.
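The pre-attack signal described above (relayer-sized withdrawals from the 0.1 ETH Tornado pool, equal-amount fan-out to fresh wallets, then hop-depth inheritance down to the borrowing and exchange-deposit wallets) is simple enough to reproduce over a transfer log. The following is an added example, not Sanctuary's engine or its `tornado_cash_recipient` detector: the transfer log, wallet labels, the 85-point seed score and the 15-points-per-hop decay are all constructed for illustration, and the relayer-fee tolerance of 5 percent is an assumption.

```python
"""Added example: Tornado withdrawal recipients, equal-amount fan-out, and
hop-depth flag propagation over a constructed transfer log. Not Sanctuary's
code; scores and thresholds are illustrative assumptions."""
from collections import defaultdict, deque

# Constructed transfer log: (from, to, amount in ETH). Labels are placeholders,
# not real addresses. The shape mirrors the funding pattern described above:
# five wallets withdraw 0.0978 from the 0.1 pool, then fund execution wallets.
TRANSFERS = [
    ("tornado_0.1_pool", "funder_1", 0.0978),
    ("tornado_0.1_pool", "funder_2", 0.0978),
    ("tornado_0.1_pool", "funder_3", 0.0978),
    ("tornado_0.1_pool", "funder_4", 0.0978),
    ("tornado_0.1_pool", "funder_5", 0.0978),
    ("tornado_0.1_pool", "unrelated_1", 0.1),   # direct withdrawal, no relayer fee
    ("funder_1", "exec_a", 0.05), ("funder_2", "exec_a", 0.05),
    ("funder_3", "exec_b", 0.05), ("funder_4", "exec_b", 0.05),
    ("funder_5", "exec_c", 0.05),
    ("exec_a", "borrower", 1.0),
    ("borrower", "lending_pool", 500.0),          # collateral posted to a contract
    ("lending_pool", "borrower", 400.0),
    ("borrower", "cex_deposit", 120.0),
    ("alice", "bob", 2.0),                         # unrelated traffic
]
TORNADO_POOLS = {"tornado_0.1_pool": 0.1}         # pool label -> denomination
SEED_SCORE = 85                                    # assumed score for a direct recipient
HOP_DECAY = 15                                     # assumed decay per downstream hop


def tornado_recipients(transfers, pools=TORNADO_POOLS, fee_tolerance=0.05):
    """Wallets that received a withdrawal from a Tornado pool. An amount a
    little below the denomination is a relayer-assisted withdrawal (the fee
    comes out of the note), which is what 0.0978 from the 0.1 pool means."""
    hits = {}
    for src, dst, amt in transfers:
        denom = pools.get(src)
        if denom is not None and denom * (1 - fee_tolerance) <= amt <= denom:
            hits[dst] = {"pool": src, "amount": amt, "relayer": amt < denom}
    return hits


def equal_fanout(transfers, sources, min_sources=3):
    """Targets funded with an identical amount by at least min_sources of the
    flagged source wallets: the small, equal-amount fan-out tell."""
    by_amount = defaultdict(list)
    for src, dst, amt in transfers:
        if src in sources:
            by_amount[amt].append((src, dst))
    tagged = set()
    for edges in by_amount.values():
        if len({s for s, _ in edges}) >= min_sources:
            tagged.update(d for _, d in edges)
    return tagged


def propagate(transfers, seeds, max_depth=3, stop_at=()):
    """Breadth-first downstream from the seed wallets. Each reached wallet gets
    its shortest hop distance, a decayed score and the wallet it was reached
    through. stop_at lists shared contracts (pools, routers) whose outflows
    should not be flagged wholesale."""
    out = defaultdict(list)
    for src, dst, _ in transfers:
        out[src].append(dst)
    flags = {s: {"hop": 0, "score": SEED_SCORE, "via": s} for s in seeds}
    queue = deque(seeds)
    while queue:
        w = queue.popleft()
        hop = flags[w]["hop"]
        if hop >= max_depth or w in stop_at:
            continue
        for nxt in out[w]:
            if nxt not in flags:
                flags[nxt] = {"hop": hop + 1,
                              "score": max(0, SEED_SCORE - HOP_DECAY * (hop + 1)),
                              "via": w}
                queue.append(nxt)
    return flags


def screen(transfers=TRANSFERS, max_depth=3):
    seeds = tornado_recipients(transfers)
    flags = propagate(transfers, list(seeds), max_depth, stop_at={"lending_pool"})
    for w in equal_fanout(transfers, seeds):
        flags[w]["fanout"] = True
    return flags


if __name__ == "__main__":
    for wallet, info in sorted(screen().items(), key=lambda kv: kv[1]["hop"]):
        print(f"{wallet:14} hop={info['hop']} score={info['score']} via={info['via']}")
```

The borrowing wallet lands at hop two, exactly where the text says Aave's position would have inherited the flag; the exchange deposit address is at hop three with a lower score, which is why the hop depth at which a flag becomes actionable should be configurable per venue rather than fixed.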
For DeFi protocol teams using LayerZero or other cross-chain messaging: the verifier configuration is your trust assumption. If you operate a single verifier, you have a single point of failure. If you operate a small set of verifiers, they need to be operationally independent — different cloud providers, different network paths, different on-call teams. Concentrated infrastructure means concentrated risk.
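As an added example (not LayerZero's code, and not KelpDAO's actual configuration), the check below audits a DVN configuration for the two problems this paragraph names: a quorum that a single verifier can satisfy, and a set of verifiers that looks redundant on paper but is run by one operator on one cloud. The field names follow LayerZero V2's `UlnConfig` struct (`confirmations`, `requiredDVNCount`, `optionalDVNCount`, `optionalDVNThreshold`, `requiredDVNs`, `optionalDVNs`), and the quorum rule applied is the ULN one: every required DVN must attest, plus at least `optionalDVNThreshold` of the optional DVNs. The DVN addresses and the operator/cloud metadata attached to them are constructed; a real audit would pull the config from the endpoint and the operator data from the DVN providers.

```python
"""Added example: auditing a LayerZero V2 style DVN configuration for
single-verifier and single-operator risk. Field names follow the V2
UlnConfig struct; addresses and operator metadata are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class UlnConfig:
    confirmations: int
    requiredDVNCount: int
    optionalDVNCount: int
    optionalDVNThreshold: int
    requiredDVNs: List[str]
    optionalDVNs: List[str]


# Assumed metadata per DVN address: (operator, cloud / network path).
# Placeholder addresses; in practice this comes from the DVN providers.
OPERATORS = {
    "0xdvn_a": ("OperatorA", "cloud-1"),
    "0xdvn_b": ("OperatorA", "cloud-1"),
    "0xdvn_c": ("OperatorB", "cloud-2"),
    "0xdvn_d": ("OperatorC", "cloud-3"),
}


def min_attesters(cfg: UlnConfig) -> int:
    """Smallest number of distinct DVNs whose attestations verify a message."""
    return cfg.requiredDVNCount + cfg.optionalDVNThreshold


def validate(cfg: UlnConfig) -> List[str]:
    """Structural problems plus the single-verifier trust assumption."""
    problems = []
    if cfg.requiredDVNCount != len(cfg.requiredDVNs):
        problems.append("requiredDVNCount does not match requiredDVNs")
    if cfg.optionalDVNCount != len(cfg.optionalDVNs):
        problems.append("optionalDVNCount does not match optionalDVNs")
    if cfg.optionalDVNThreshold > cfg.optionalDVNCount:
        problems.append("optionalDVNThreshold exceeds optionalDVNCount")
    if cfg.optionalDVNCount and cfg.optionalDVNThreshold == 0:
        problems.append("optional DVNs configured but threshold is 0: they never matter")
    if set(cfg.requiredDVNs) & set(cfg.optionalDVNs):
        problems.append("a DVN appears in both required and optional lists")
    if min_attesters(cfg) < 2:
        problems.append("single verifier: one DVN alone can verify a message")
    return problems


def single_party_can_forge(cfg: UlnConfig, operators=OPERATORS, key=0) -> List[str]:
    """Parties (key=0 operator, key=1 cloud) that could forge a message on
    their own: they control every required DVN and at least
    optionalDVNThreshold of the optional ones. A compromise of one such
    party's RPC path or signing hosts is enough, whatever the DVN count."""
    parties = {operators[a][key] for a in cfg.requiredDVNs + cfg.optionalDVNs}
    forgers = []
    for p in parties:
        owns_required = all(operators[a][key] == p for a in cfg.requiredDVNs)
        owned_optional = sum(operators[a][key] == p for a in cfg.optionalDVNs)
        if owns_required and owned_optional >= cfg.optionalDVNThreshold:
            forgers.append(p)
    return sorted(forgers)


# Constructed configurations: the weak setting, a superficially redundant one,
# and a corrected one with required DVNs from independent operators.
WEAK = UlnConfig(15, 1, 0, 0, ["0xdvn_a"], [])
CORRELATED = UlnConfig(15, 2, 0, 0, ["0xdvn_a", "0xdvn_b"], [])
HARDENED = UlnConfig(15, 2, 2, 1, ["0xdvn_c", "0xdvn_d"], ["0xdvn_a", "0xdvn_b"])


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("correlated", CORRELATED), ("hardened", HARDENED)):
        print(name, "min attesters:", min_attesters(cfg), "problems:", validate(cfg),
              "operators that can forge alone:", single_party_can_forge(cfg),
              "clouds that can forge alone:", single_party_can_forge(cfg, key=1))
```

The `CORRELATED` configuration passes the structural checks (two required DVNs, nothing a single DVN can do alone) and still lets one operator on one cloud forge a message, which is the "operationally independent" requirement stated above expressed as a check rather than a sentence.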
For L2s with security councils: the Arbitrum freeze sets a precedent. The political cost of acting was high, but the practical effect, $71M held in place and potentially recoverable for KelpDAO depositors, is large. Other L2s now face the question of whether they have the social legitimacy to act in similar circumstances. Optimism, Base, ZKsync, Linea: each has a different governance model. KelpDAO is the case study future councils will reference.
For lawyers reading: the Gerstein theory will be tested in court. If it succeeds, expect similar claims against every future major DPRK-attributed recovery. If it fails, expect a refined version next time. Either way, the depositor representation question — who speaks for the people who lost money in the exploit, against later-arriving creditors — is now a structural problem in crypto recovery proceedings.
The freeze is the loud part. The lawsuit over the freeze is the part that determines who is made whole.
In 2026, recovering stolen crypto is not the last step. It is the start of a multi-party fight over the asset pool. Compliance vendors, councils, lawyers, and victims will be in that fight together for years. The wallets, at least, are not in dispute. The wallets are on-chain. Screen them.