Arbitrum Froze $68M in Stolen Funds. The Hacker Just Moved the Rest

A blockchain security freeze just backfired in the worst possible way.

After the Arbitrum Security Council locked down 30,766 ETH from the $292 million KelpDAO exploit, the attacker didn’t slow down. Instead, they sped up. Now roughly 75,700 ETH, worth about $175 million, is moving through Ethereum mainnet in a scramble to stay ahead of further action.

It’s a high-stakes game of crypto cat and mouse, and right now the hacker has the upper hand.

The Arbitrum Freeze That Spooked a $292M Hacker

The Arbitrum Security Council made a bold move on April 18, voting 9 out of 12 members in favor of freezing stolen funds sitting on Arbitrum One. The freeze successfully locked around 30,766 ETH tied to the KelpDAO exploit.

But instead of stopping the attacker, it appears to have lit a fire under them.

On-chain analyst EmberCN flagged the suspicious activity almost immediately. The hacker began routing smaller ETH transfers through UmbraCash, a stealth address privacy protocol designed to obscure transaction trails. Think of it like breaking a large cash withdrawal into dozens of smaller ones across different banks, except this is happening on a public blockchain at lightning speed.

Arkham Intelligence data confirms the picture. The hacker’s primary wallet still holds a substantial ETH balance, but outflows are now routing through a secondary address tied to UmbraCash transfers. The fund-splitting strategy strongly suggests the attacker is trying to make funds untraceable before anyone can freeze more assets.

UmbraCash Privacy Protocol and the Laundering Trail

So why UmbraCash specifically? Privacy protocols like this one generate fresh wallet addresses for each transaction, making it much harder to follow the money. For investigators and blockchain analysts, it creates a maze instead of a straight line.

The approach is calculated. Small transfers attract less automated attention than large single movements. Plus, fragmenting funds across many addresses makes asset recovery dramatically more complicated, even if law enforcement gets involved later.

This isn’t unusual behavior after a major exploit. But the speed of the pivot, happening almost immediately after the Arbitrum freeze, suggests the attacker was watching closely and had a backup plan ready.

Did the Security Council’s 9/12 Vote Cross a Line?

The freeze action has split the crypto community in a fascinating way.

Offchain Labs co-founder Steven Goldfeder stepped up to defend the council’s decision. He pointed out that the 12-member elected body required nine votes to act, and that the Arbitrum sequencer itself has no power to directly move funds. Goldfeder also stressed that the council operates independently from both Offchain Labs and the Arbitrum Foundation.

But not everyone is celebrating.

One community member raised a pointed question that resonated widely: “If I understand correctly, if the Arbitrum Security Council gets compromised, they can just do whatever they want to all of the funds on chain?” That concern cuts right to the heart of the decentralization debate. Emergency powers are useful until they aren’t, and the line between “protecting users” and “controlling funds” can blur fast.

Crypto executive Justin Sun added fuel to the fire by publicly trolling the Arbitrum governance debate, positioning Tron DAO as the more decentralized alternative. Whether you take Sun’s governance critiques seriously or not, the underlying tension he’s pointing at is real.

KelpDAO Credits SEAL 911 for Crisis Coordination

Amid the chaos, KelpDAO took a moment to publicly thank both the Arbitrum Security Council and SEAL 911, a rapid-response coordination group for blockchain security emergencies.

The protocol said its immediate focus remains on supporting rsETH holders affected by the April 18 exploit. That’s the right priority. Behind every stolen ETH figure is a real person who trusted a protocol with their assets.

KelpDAO hasn’t yet detailed a full recovery plan, but crediting SEAL 911 suggests the coordination effort was fast and organized, even if the outcome remains uncertain.

What This Means for Blockchain Security

Here’s the uncomfortable reality this situation exposes. Freezing funds on one layer of a blockchain ecosystem doesn’t automatically protect assets that exist across the broader network.

The Arbitrum freeze was genuinely significant. Locking down 30,766 ETH before it could move is a real achievement, and the Security Council deserves credit for acting quickly. But the remaining 75,700 ETH on Ethereum mainnet was always outside their reach.

This is the fundamental challenge with cross-chain exploits. An attacker who bridges assets between networks creates a jurisdictional problem that no single security council can fully solve. Layer 2 governance can only govern Layer 2.

The broader lesson for anyone building or using DeFi protocols is sobering. Centralized emergency powers exist for moments exactly like this, but they also create risks of their own. The Arbitrum community is now having a necessary, if uncomfortable, conversation about where those powers should begin and end.

Security in this space has always been a tradeoff. This week just made that tradeoff very visible, very fast, and very expensive.
