Overview
- Arbitrum’s Security Council, which approved the action in a 9–3 vote late Monday, moved 30,766 ETH into a wallet that only community governance can unlock after consulting law enforcement.
- Investigators on Tuesday tracked two large Ethereum transfers of about $117 million and $58 million, plus smaller routes through Thorchain and Umbra, signaling an active laundering push by the exploiter.
- In the April 18 breach, the attacker forged a cross‑chain message by compromising RPC nodes that fed LayerZero’s verifier network, which let them mint 116,500 rsETH, a token that represents staked ether.
- A large share of the minted rsETH went to Aave as collateral to borrow 82,650 wrapped ETH and 821 wstETH, with risk models now showing potential bad debt between roughly $124 million and $230 million depending on how losses are allocated.
- LayerZero has preliminarily linked the operation to North Korea’s Lazarus Group, while LayerZero and Kelp DAO dispute whether a 1‑of‑1 verifier setup was a dangerous choice or a documented default that left a single point of failure.