1. The Filing and Its Immediate Consequence
On May 1, the U.S. District Court for the Southern District of New York authorized a restraining notice barring Arbitrum DAO from moving 30,765 ETH — worth approximately $71.1 million — that its Security Council had frozen following the $292 million Kelp DAO bridge exploit on April 18. Attorney Charles Gerstein of Gerstein Harrow LLP posted the notice directly to Arbitrum's governance forum, serving it in a format explicitly designed for a decentralized organization that has no conventional registered agent or physical address. The legal mechanism used was New York Civil Practice Law and Rules §5222(b), a creditor enforcement tool that allows the freezing of assets through a restraining notice without first obtaining a new court order — though the target retains the right to challenge the underlying claim at a subsequent divestiture hearing. The effect was immediate: the Arbitrum DAO's planned governance vote to release the ETH to a coordinated DeFi recovery effort, which had accumulated 99% support on a Snapshot vote that opened April 30, was placed in legal jeopardy before it could be executed.
2. Who Is Behind the Filing and Why
The plaintiffs behind Gerstein's filing are not opportunistic creditors. They are families holding three separate U.S. federal court judgments against the Democratic People's Republic of Korea — judgments that are fully valid under American law but that have never been paid because North Korea has no accessible sovereign assets in the United States against which collection can be enforced. The three underlying cases span decades and represent some of the most serious allegations of DPRK-sponsored violence ever adjudicated in a U.S. court. The Calderon-Cardona case is linked to the 1972 Lod Airport massacre in Israel, in which gunmen killed 26 people, including 17 Puerto Rican pilgrims, in an attack a U.S. court subsequently found to have DPRK involvement. The Kim case involves a South Korean family — Han Kim and Yong Seok Kim — whose relative, Reverend Kim Dong-shik, was abducted in China by North Korean agents and presumed to have died under detention. The Kaplan case is tied to Hezbollah rocket attacks that a U.S. court linked to North Korean state support. Together, the writs of execution filed by Gerstein total approximately $877 million, excluding decades of accrued interest.
3. The Legal Theory: Stolen Property as DPRK Property
The central argument Gerstein advances is built on U.S. attribution findings. LayerZero, the cross-chain protocol whose infrastructure was exploited in the Kelp DAO attack, publicly attributed the breach to the Lazarus Group — the North Korean state-sponsored hacking unit that U.S. and international authorities have linked to over $3 billion in cryptocurrency theft across multiple years. Gerstein argues that because the Lazarus Group is an arm of the DPRK state apparatus, the 30,765 ETH that Arbitrum's Security Council froze and placed under DAO governance control constitutes North Korean property under the Foreign Sovereign Immunities Act and the Terrorism Risk Insurance Act — two U.S. statutes that, together, permit the attachment of foreign state assets to satisfy valid terrorism-related court judgments. If a court accepts that legal theory, the families holding unpaid DPRK judgments would have a legally senior claim over the frozen ETH ahead of the rsETH depositors who were the direct victims of the exploit.
4. The Counter-Argument: A Thief Acquires No Title
The filing drew immediate and direct pushback from within Arbitrum's governance community. Delegate Zeptimus articulated the counter-argument in terms that go to the foundations of property law: a thief acquires no title to stolen property, and the ETH in the frozen address is not property in which North Korea has a legitimate interest — it is stolen property that belongs to the rsETH depositors from whom it was taken. Under that analysis, the Lazarus Group's theft did not transfer ownership of the ETH to the DPRK state — it transferred possession, without legal title, to a criminal actor. The frozen ETH is therefore not "North Korean property" subject to attachment by terrorism creditors; it is stolen property subject to return to its rightful owners, who are the Kelp DAO users whose funds were drained. Zeptimus argued that accepting Gerstein's theory would produce a morally and legally indefensible outcome: shifting the cost of North Korea's unpaid terrorism debt onto a completely different set of victims who were themselves robbed by North Korean actors in the same incident.
5. Personal Liability for DAO Members Is a Real Risk
One of the most practically significant elements of the restraining notice is its scope of service. The U.S. court authorized Gerstein to serve the notice not only by posting it to the governance forum but also by mailing copies to legal entities affiliated with Arbitrum DAO, members of the Arbitrum Security Council, and large holders of ARB tokens — a distribution that creates legal exposure that cannot be dismissed as merely symbolic. Attorney Gabriel Shapiro, who reviewed the filing publicly, was direct about its implications: Arbitrum DAO is not permitted to do anything with the Kelp DAO funds pending a divestiture hearing. Moving the funds in defiance of the court order would not be a governance decision — it would be contempt of court. The liability would not neatly attach to "the DAO" as an abstract entity, because Arbitrum DAO does not have clear legal personhood in the U.S. system. Whoever a court ultimately determines exercises effective control over the frozen ETH — which could include Security Council members, active governance participants, or large token holders — would bear the personal risk of contempt exposure. Axia, an Arbitrum governance participant, flagged the question of whether the Arbitrum Captive Insurance Product would cover delegates in this scenario, noting that coverage for ordinary governance liability is categorically different from exposure tied to an active federal enforcement action.
6. The Recovery Coalition and What It Stands to Lose
The restraining notice landed in the middle of one of DeFi's most ambitious coordinated recovery efforts. In the weeks following the Kelp DAO exploit, a coalition called DeFi United — organized by Aave Labs, Kelp DAO, LayerZero, EtherFi, and Compound — had assembled more than $311 million in pledged contributions from protocol participants and institutional actors. Consensys committed 30,000 ETH. Mantle contributed another 30,000 ETH. Aave founder Stani Kulechov personally pledged 5,000 ETH. The 30,765 ETH under Arbitrum's control was intended to be the single largest individual contribution to the recovery pool — the institutional anchor of a plan designed to make affected rsETH depositors as close to whole as possible given the circumstances. The Snapshot vote showing 99% support for releasing the ETH demonstrated that Arbitrum's governance community had reached near-consensus on the plan. The court order has not overturned that consensus — but it has made acting on it legally perilous until the divestiture hearing resolves the competing claims.
7. The Centralization Paradox That Created This Situation
The legal predicament Arbitrum now faces is an unintended consequence of one of the most praised decisions the Security Council made in response to the exploit. When the Council used its emergency powers on April 20 to freeze the 30,765 ETH and transfer control to a DAO-governed wallet, the action was widely characterized as a model of DeFi's capacity for coordinated response to a security emergency. The funds were preserved, the attacker's ability to move them was neutralized, and a path to recovery for affected users was opened. What the Council and the community did not anticipate was the legal significance of that centralized intervention. By exercising emergency governance control over the frozen ETH, the Security Council brought those assets within the reach of the U.S. court system — creating precisely the jurisdictional foothold that Gerstein needed to file the restraining notice. Had the ETH remained in a wallet outside any entity's effective control, the court order would have had no obvious target. The Security Council's responsible action inadvertently made the funds legally attachable.
8. On-Chain Analyst ZachXBT's Critique and the Industry Reaction
On-chain investigator ZachXBT, whose public blockchain analysis has been widely cited in crypto investigations, characterized Gerstein Harrow's approach as "predatory" in a public post, arguing that the firm is using publicly available on-chain attribution data to assert a legal priority claim over funds that were frozen specifically to compensate a distinct group of victims. The critique reflects a broader discomfort in the DeFi community with the law firm's strategy — which, whatever its legal merits, effectively pits decades-old terrorism judgment creditors against present-day DeFi hack victims in a competition for the same pool of funds. ZachXBT's characterization of the law firm as "pure evil" — echoed by other voices in the governance discussion — reflects the moral weight the community assigns to the rsETH depositors' claim, even while acknowledging that the legal theory Gerstein is advancing may have sufficient merit to prevail at a divestiture hearing.
9. The Precedent Risk for All DeFi Security Councils
The most consequential long-term implication of the Arbitrum case may be its effect on how security councils and emergency governance mechanisms in DeFi protocols respond to future exploits. The current situation demonstrates that freezing funds through a centralized governance action — the precise response that DeFi security professionals have advocated as a best practice following major hacks — can expose the freezing entity to legal claims that are entirely unrelated to the underlying exploit. If this precedent holds, future security councils facing similar situations will need to weigh the risk of attracting third-party legal claims against assets they freeze. The safest governance response from a liability perspective — doing nothing and allowing exploiters to move funds freely — is the worst response from a security and victim-protection perspective. The case puts DeFi's most responsible governance actors in a position where exercising their emergency powers creates new forms of legal risk they were not designed to bear.
10. A Divestiture Hearing Will Decide Between Two Sets of Victims
What the Arbitrum ETH situation ultimately presents is a forced choice between two legitimate categories of victims, and a court — not a governance forum — will make that determination. On one side are rsETH depositors who lost real value in a hack that was traceable to DPRK-linked attackers and who have a DeFi community willing to fund their recovery. On the other are families whose relatives were killed, abducted, or harmed in North Korean state-sponsored acts of violence going back to 1972 — families who won valid U.S. court judgments decades ago and have spent years searching for any DPRK-linked assets against which those judgments can be enforced. The legal system will determine which claim is senior. The governance community has already expressed its preference — 99% support for rsETH depositors — but that preference has no legal weight until the divestiture hearing either validates or overrides it. Whatever the court decides, the case will produce a binding precedent about whether frozen DeFi assets linked to state-sponsored hackers can be treated as sovereign property under U.S. enforcement law — a question with implications that extend far beyond this particular pool of $71 million in ETH.