Judge Margaret Garnett of the Southern District of New York issued a two-page order on May 9, 2026, lifting enough of an earlier restraint to allow Arbitrum DAO delegates to vote on-chain to release the frozen ETH. The order explicitly shields governance participants from personal legal liability for voting in favor of the transfer. It does not, however, erase the underlying claim: families holding three unpaid terrorism judgments totalling over $877 million against North Korea retain the right to pursue those funds if their case succeeds in court.

The ETH at the center of this dispute traces back to the April 18 KelpDAO exploit, a $292 million attack attributed by LayerZero to North Korea's Lazarus Group and considered the worst DeFi hack of the year. KelpDAO, a liquid restaking protocol co-founded by Amitej Gajjala and Dheeraj Borra in Bengaluru, India, lost 116,500 rsETH tokens after attackers compromised two off-chain RPC nodes and used a distributed denial-of-service (DDoS) attack to force a failover. Gajjala and Borra also co-founded Stader Labs, and Gajjala previously served as Head of Strategy at Swiggy, India's largest food-tech company.

This tricked LayerZero's verification system into approving a fraudulent cross-chain message. The vulnerability was not a flaw in a smart contract but in the infrastructure configuration: KelpDAO had deployed a single-verifier setup, known as a 1-of-1 DVN (decentralised verifier network) configuration, that LayerZero had previously flagged as a security risk.

The attacker deposited roughly 89,500 rsETH into Aave V3 as collateral and borrowed an estimated $190 to $230 million in ETH and other assets, leaving Aave with hundreds of millions in bad debt.

Aave's total value locked fell by more than $8.4 billion within 48 hours, and total DeFi TVL dropped by over $13 billion across the same period. In response, seven protocols, Aave, Lido, EtherFi, Ethena, Mantle, Ink Foundation, and BGD Labs, formed DeFi United, described as the first coordinated multi-protocol recovery effort in DeFi history. The coalition pooled approximately $320 million in ETH; the Arbitrum DAO's 30,765 ETH represents the largest single planned contribution. LayerZero separately pledged 10,000 ETH, worth around $23 million.

The planned destination for the Arbitrum ETH is a 3-of-4 Gnosis Safe multi-sig wallet at 0xf228130ce4fAB082C7D5522c90833cec83A9C15e, with signatories from Aave Labs, KelpDAO, Certora, and EtherFi.

The goal is to restore the full backing of rsETH for holders who were affected. Before any transfer can execute, a formal Constitutional Arbitrum Improvement Proposal must complete an on-chain vote followed by an approximately eight-day waiting period. The Constitutional AIP was co-authored by Aave Labs, KelpDAO, LayerZero, EtherFi, and Compound and published on April 25, demonstrating the breadth of industry cooperation behind the recovery effort. Arbitrum delegates already backed the plan with over 90% support in a non-binding Snapshot temperature check. The full governance timeline is estimated at around 49 days from the original forum proposal.

The legal complications began on May 1, when attorney Charles Gerstein of Gerstein Harrow filed a restraining notice on behalf of families holding terrorism judgments against North Korea, including relatives of a U.S. national killed by the North Korean government who won a $300 million court award in 2015. On May 5, Aave LLC filed an emergency motion to void the restraining notice, challenging the legal basis for the freeze. Judge Garnett's May 9 order followed, modifying the earlier restraint to allow the governance vote to proceed.

Gerstein's argument rests on the Foreign Sovereign Immunities Act and the Terrorism Risk Insurance Act: because the exploit has been attributed to the Lazarus Group, a North Korean state-linked hacking collective, the frozen ETH may qualify as DPRK property that can be seized to satisfy outstanding court judgments. Gerstein Harrow has pursued this same legal theory in earlier actions, previously suing Railgun DAO on allegations that it laundered North Korean assets and suing Digital Currency Group over a 2022 token purchase. The pattern points to a systematic litigation strategy aimed at applying sanctions-attribution arguments across DeFi platforms.

Blockchain investigator ZachXBT pushed back sharply on that framing. "This is a predatory U.S. law firm with a strategy that is pure evil," he wrote on X, accusing Gerstein Harrow of leveraging ZachXBT's own published blockchain research on Lazarus to pursue what ZachXBT called "26-year-old terrorism judgments."

"When all they did is read my posts after I did the difficult part of gathering evidence to support the freeze."

The case carries direct relevance beyond US borders. KelpDAO's Bengaluru origins made it a natural entry point for South Asian retail users drawn to liquid restaking yields. The protocol's collapse, and the subsequent legal freeze of recovery funds, illustrates how infrastructure failures at South Asian-founded protocols can generate multi-jurisdictional consequences affecting users across regions. India's ongoing regulatory debates around DeFi have frequently used incidents of offshore exploitation as justification for domestic crypto restrictions, and the KelpDAO case, which involves a state-level adversary in North Korea, an Indian-founded protocol, and a US blockchain, is a textbook example of the multi-jurisdictional complexity Indian authorities regularly cite when weighing domestic DeFi policy.

For African crypto developers and users, the precedent is similarly pointed: a US court has now demonstrated it can assert jurisdiction over a decentralized protocol's frozen assets and block fund movements globally. TRM Labs' 2026 research found that North Korea accounts for 76% of all crypto hack value recorded that year, and exchanges in Nigeria, Kenya, and South Africa have repeatedly served as downstream recipients of Lazarus-laundered funds. Several DeFi projects active in those markets are built on or integrated with Arbitrum, and any DAO treasury holding ETH on Ethereum-compatible chains could theoretically face similar claims if a future exploit is attributed to a state actor. For compliance teams across the continent already monitoring Lazarus activity, the jurisdictional reach on display here is not a distant abstraction.

Aave is also using the crisis to overhaul its internal standards. Linda Jeng, Aave Labs' Chief Legal and Policy Officer and a former official at the Federal Reserve, the Treasury Department, and the SEC, announced expanded collateral listing criteria that will now include cybersecurity risk, interoperability standards, and technical architecture review alongside traditional financial metrics. "Out of a crisis like this, it ups our standards," Jeng told CoinDesk on May 7.

A formal minimum-standards playbook for asset issuers is planned. For DAO delegates still watching the Arbitrum vote play out, Judge Garnett's order offers meaningful legal cover for casting their votes. Without such protection, governance participants would have had no formal shield against personal legal liability simply for voting, a structural gap in DAO legal design that this case has made impossible to ignore.

That gap, however, remains only partially closed. Aave governance forum delegates 0xDonPepe and TodayInDeFi publicly flagged that while Aave Labs and the Security Council receive indemnification protections under the Constitutional AIP, individual DAO delegates still lack direct indemnification or defense-cost advancement for their own votes. For developer communities building governance infrastructure on decentralized protocols, that unresolved question may be the most consequential takeaway from the entire episode: courts can now reach into on-chain governance processes, and the people casting those votes may still be doing so without a legal safety net.